Windows LSA Secrets Dumper

Windows Password Recovery - LSA secrets dumper


LSA secrets are a protected storage area for sensitive data used by the Local Security Authority (LSA) in Windows. The LSA manages the system's local security policy, auditing, user authentication and logon, and the storage of private data. Sensitive data belonging both to users and to the system itself is kept in secrets, and only the system is permitted to read it. However, as shown below, some programs, in particular Windows Password Recovery, can override this restriction.

The Windows Password Recovery plugin for handling LSA secrets is a small tool for viewing, analyzing and editing LSA secrets. The plugin's wizard-driven user interface is quite simple and consists of just three steps:

1. First, select the type of secrets you are going to deal with. These can be the secrets of the local system on which the application is running, or the secrets of an external PC.

[Screenshot: LSA secrets type]



2. When selecting the secrets of an external PC, you need to specify the paths to two registry hive files: SYSTEM and SECURITY. The SECURITY hive contains the encrypted secrets, and the SYSTEM hive is required to decrypt them. You can find out more about how secrets are encrypted in our article. Note that secret encryption depends on SYSKEY. By default, SYSKEY is configured so that it can be extracted from the registry, which is exactly why the SYSTEM hive is needed.

[Screenshot: SYSKEY]

In some cases SYSKEY is configured differently: it is either stored on a boot disk or derived from a password entered by the user when the OS starts. Either way, the plugin supports all types of SYSKEY storage.

The data stored in secrets is crucial for the operation of the entire system. For that reason, every LSA secret is kept in two copies: the current (active) one and the previous (former) one. When a secret is modified, the system moves the current copy into the previous slot and stores the new, modified value as the current copy. The plugin has an option for showing both active and former secrets.

[Screenshot: LSA secrets of an external PC]


3. The last step of the wizard decrypts the secrets and shows them as a list. To display the value of a secret, click on its name. Enter edit mode by double-clicking one of the characters in the Hex or ASCII field (the character is highlighted in yellow), then type the new value. In edit mode, the cursor keys move you to the next character. Modified values are shown in red. To save your changes, right-click the Hex/ASCII field and select the save item from the context menu.
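Step 3 above describes the viewer's Hex/ASCII editing behaviour: a value is edited one character at a time, in place, and modified bytes are highlighted until the change is saved. The following Python is an added example, not Passcape's code, that models that behaviour in memory so an analyst can see how a single hex digit or ASCII character edit maps onto the underlying bytes. The sample secret value is constructed; the `*` marker stands in for the red highlight; and the UTF-16LE decoding helper reflects the fact that many LSA secret values (such as service account passwords) are stored as UTF-16LE strings, which is not stated on this page.

```python
"""Hex/ASCII viewer and in-place editor for a decrypted secret value.

Added example (not Passcape's code). It models the step-3 editor in memory,
tracking which bytes differ from the saved copy the way the GUI marks them in
red. Edits are in place, so the length of the secret never changes.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample value. Many LSA secret values are UTF-16LE strings, which
# is why the ASCII column shows a '.' (NUL byte) after every character.
SAMPLE_SECRET = "P@ssw0rd".encode("utf-16-le")


def hexdump(data: bytes, width: int = 16,
            modified: set[int] | frozenset[int] = frozenset()) -> list[str]:
    """Render data as 'offset  hex bytes  printable-ascii' lines.

    A byte whose offset is in `modified` gets a '*' after its hex cell,
    standing in for the red highlight in the GUI.
    """
    lines: list[str] = []
    for base in range(0, len(data), width):
        chunk = data[base:base + width]
        cells = [f"{b:02x}{'*' if base + i in modified else ' '}"
                 for i, b in enumerate(chunk)]
        hex_part = "".join(cells).ljust(width * 3)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base:08x}  {hex_part} {ascii_part}")
    return lines


@dataclass
class SecretEditor:
    """One secret value under edit, plus the offsets that differ from the saved copy."""

    data: bytearray
    original: bytes = field(init=False)
    modified: set[int] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.original = bytes(self.data)

    def set_byte(self, offset: int, value: int) -> None:
        """Overwrite one byte; reverting a byte to its saved value un-marks it."""
        if not 0 <= offset < len(self.data):
            raise IndexError(f"offset {offset} outside secret of {len(self.data)} bytes")
        if not 0 <= value <= 0xFF:
            raise ValueError("byte value out of range")
        self.data[offset] = value
        if value != self.original[offset]:
            self.modified.add(offset)
        else:
            self.modified.discard(offset)

    def set_hex_digit(self, offset: int, high: bool, digit: str) -> None:
        """Edit a single hex digit of the byte at `offset`, as typing in the Hex column does."""
        nibble = int(digit, 16)  # raises ValueError on a non-hex character
        cur = self.data[offset]
        new = (nibble << 4) | (cur & 0x0F) if high else (cur & 0xF0) | nibble
        self.set_byte(offset, new)

    def set_ascii_char(self, offset: int, char: str) -> None:
        """Edit a byte by typing one printable character in the ASCII column."""
        if len(char) != 1 or not 0x20 <= ord(char) < 0x7F:
            raise ValueError("ASCII column accepts one printable character")
        self.set_byte(offset, ord(char))

    def render(self) -> list[str]:
        return hexdump(bytes(self.data), modified=self.modified)

    def as_utf16(self) -> str | None:
        """Decode the current value as UTF-16LE if it is an even-length, well-formed string."""
        if len(self.data) % 2:
            return None
        try:
            return bytes(self.data).decode("utf-16-le").rstrip("\x00")
        except UnicodeDecodeError:
            return None

    def save(self) -> bytes:
        """Commit the edits (the GUI's save item); the committed bytes become the new baseline."""
        self.original = bytes(self.data)
        self.modified.clear()
        return self.original


if __name__ == "__main__":
    ed = SecretEditor(bytearray(SAMPLE_SECRET))
    print("\n".join(ed.render()))
    ed.set_ascii_char(0, "Q")        # 'P' -> 'Q' via the ASCII column
    ed.set_hex_digit(2, False, "1")  # 0x40 '@' -> 0x41 'A' via the Hex column
    print("\n".join(ed.render()))    # both edited bytes carry '*'
    print(ed.as_utf16())             # QAssw0rd
```

Two details are worth noting. Because the editor works byte by byte, typing a character in the ASCII column of a UTF-16LE value changes only the low byte of one code unit; the NUL high byte next to it must be left alone for the string to stay valid, which `as_utf16` lets you confirm before saving. And a byte that is edited and then restored to its saved value drops out of the modified set, so the highlight reflects real differences rather than keystroke history.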

[Screenshot: Editing LSA secrets]

Keep in mind that certain secrets contain critical data, and modifying them may make the system unstable or even prevent it from booting!


The plugin also allows adding and deleting secrets (for the current operating system's secrets only). Deleting a secret, whether you select its old or its new copy, automatically removes both copies.

You can share your secret names with the developers (Share Names button). This e-mails only the names of the secrets, not their data. Analyzing the secret names will help us make the program more efficient.