Windows LSA secrets
What are LSA secrets? What are LSA secrets?LSA secrets is a special protected storage for important data used by the Local Security Authority (LSA) in Windows. LSA is designed for managing a system's local security policy, auditing, authenticating, logging users on to the system, storing private data. Users' and system's sensitive data is stored in secrets. Access to all secret data is available to system only. However, as shown below, some programs, in particular Windows Password Recovery, allow to override this restriction. What is stored in LSA secrets?Originally, the secrets contained cached domain records. Later, Windows developers expanded the application area for the storage. At this moment, they can store PC users' text passwords, service account passwords (for example, those that must be run by a certain user to perform certain tasks), Internet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM account passwords, private user data like EFS encryption keys, and a lot more. For example, the NL$KM secret contains the cached domain password encryption key. L$RTMTIMEBOMB stores the amount of time left until the expiration of an inactivated copy of Windows. L$HYDRAENCKEY stores the public RSA2 key used in the Remote Desktop Protocol. Incidentally, even despite the fact that the automatic login is not set, in certain versions of Windows 7 secrets can contain the text of the administrator account password, thus compromising the entire target system. Where are LSA secrets stored?LSA secrets are stored in an encrypted form in the Windows registry, in the HKEY_LOCAL_MACHINE/Security/Policy/Secrets key. The parent key, HKEY_LOCAL_MACHINE/Security/Policy, contains the additional data, necessary for accessing and decrypting the secrets. Here are the descriptions of some values of this key. Key: HKEY_LOCAL_MACHINE/Security/Policy/SecDesc Value name: Data type: REG_BINARY Description: security descriptor for accessing the registry branch with secrets. Key: HKEY_LOCAL_MACHINE/Security/Policy/PolState Value name: Data type: REG_BINARY Description: current state of the secrets subsystem. Key: HKEY_LOCAL_MACHINE/Security/Policy/PolRevesion Value name: Data type: REG_BINARY Description: contains the version of the subsystem. Key: HKEY_LOCAL_MACHINE/Security/Policy/PolPrDmS Value name: Data type: REG_BINARY Description: domain SID. Key: HKEY_LOCAL_MACHINE/Security/Policy/PolPrDmN Value name: Data type: REG_BINARY Description: domain name. Key: HKEY_LOCAL_MACHINE/Security/Policy/PolEKList Value name: Data type: REG_BINARY Description: contains the list of encryption keys for LSA secrets. The value 1.1 in PolRevesion matches the NT operation system, 1.5 – Windows 2000, 1.7 – Windows XP and Win2K3, 1.9 – Windows Vista, 1.10 – Windows 7. Before Windows Vista, only one encryption key was stored in the registry, in the PolSecretEncryptionKey value. Beginning with Windows Vista, PolEKList can contain several encryption keys. LSA Secrets in detailOn the physical level, secrets are stored in a binary registry file SECURITY with the secret name for the key. For example, SecurityPolicySecrets$MACHINE.ACC. Each secret in the registry is represented by five values:
If the system is unable to read/decrypt one of the secrets, it writes the sixth value in it, PolMod, which indicates that the secret is damaged. For example, if a transaction to the LSA database was not completed due to a power outage or registry file damage. CurrVal and OldVal data structureBeginning with version 1.9, the structure of secrets has changed dramatically; therefore, we are not going to cover the old format. Instead of a single encryption key, now you can bind each secret to any value on the encryption key list (PolEKList). There is also an option to select an encryption algorithm! So, the first 4 bytes in the data structure is the version of the data; then there follows a 16-byte encryption key identifier for locating the necessary key on the list. That is followed by a DWORD with an identifier for a list of encryption algorithms the secret is encrypted with. For example, the value 3 matches a bundle of the SHA-256 hashing algorithm and the AES-256 block encryption algorithm. The algorithm identifier is followed by a 4-byte value with different flags used during the decryption. And, finally, there goes the encrypted data. See the figure. Encrypting LSA secrets in Windows 2000, XP, 2003Up to Windows Vista, the decryption of the secrets looked rather trivial. First, one needed to decrypt the secrets encryption key. Here is what it looked like: BOOL CSecrets::DecryptPrimaryKey() Where m_pSyskey - 16-byte SYSKEY value Encrypting secrets in Windows Vista, Windows 7Beginning with Windows Vista, the encryption algorithm, as it was mentioned, has become much more sophisticated. First, one still needs to decrypt the list of the encryption keys (yes, now multiple keys are allowed), stored in HKEY_LOCAL_MACHINE/Security/Policy/PolEKList. Then proceed to the actual secrets. Each secret now stores a key identifier, encryption algorithm identifier and the actual encrypted data. A working algorithm for decrypting the key looks like:
Thus, secrets in the LSA database can now be not only encrypted with different algorithms, but also have different original context. For example, use SYSKEY from other PC. Reading and editing secretsThere is a set of API for handling secrets available to software developers. Thus, any Windows application can create and read its own secrets, but only within the boundaries of current user context. See application 1 with the source code for reading secrets. If you require viewing or editing LSA secrets, for instance, to delete your account's text password, you can take advantage of Windows Password Recover, which has a convenient plugin for handling LSA secrets. By the way, this plugin works with both current operating system's secrets and with external registry files. Appendix1. Source code of the program for reading LSA Secrets. Note that not all secrets can be read under user context. Besides, the Administrator privileges are required. The executable of the program can be downloaded at the following link. // LsaSecretReader.cpp : Defines the entry point for the console application. Example of the output C:>LsaSecretReader.exe DPAPI_SYSTEM 0000: 01 00 00 00 73 4F 19 CF 6B B7 6C 8A BC 6D 35 EF 0010: 19 9C A6 3E 9A 80 A7 0C 9D D4 FD B1 20 C6 B1 A5 0020: 7A 87 5F 2B 51 3E 1D E0 45 9B 99 B2 |