Home > Products > Windows Passwords > Windows Password Recovery > Screenshots > Forensic tools > LSA Secrets Dumper
Windows LSA Secrets Dumper
19.10.2017
New blog post
Farewell to Syskey!
11.10.2017
Wireless Password Recovery 4.2.5
Support for NVidia Volta
04.10.2017
Office password recovery tools
Support for new GPU devices, some improvements
22.09.2017
Reset Windows Password v8.0
Support for domain cached credentials, new bootable environment

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Windows Password Recovery - LSA secrets dumper


LSA secrets is a special protected storage for important data used by the Local Security Authority (LSA) in Windows. LSA is designed for managing a system's local security policy, auditing, authenticating, logging users on to the system, storing private data. Users' and system's sensitive data is stored in secrets. Access to all secret data is available to system only. However, as shown below, some programs, in particular Windows Password Recovery, allow to override this restriction.

Windows Password Recovery plugin for handling LSA secrets is a small tool for viewing, analyzing and editing LSA secrets. The plugin's wizard-driven user interface is quite simple and contains of just three steps:

1. First, select the type of secrets you are going to deal with. These can be secrets of the local system, where the application is running, or secrets of an external PC.

Lsa secrets type



2. When selecting secrets of an external PC, you need to specify path to two registry files: SYSTEM and SECURITY. The SECURITY file contains encrypted secrets, and SYSTEM is necessary for decrypting those. You can find out more on encrypting secrets in our article. Please note that encrypting secrets involves SYSKEY. By default, SYSKEY is configured the way that it can be extracted from the registry (that is what SYSTEM is for).

SYSKEY

In some cases, it can be configured otherwise: to be either stored on a boot disk or to be derived from user password when the OS starts. One way or the other, the plugin supports all types of SYSKEY encryption.

Data stored in secrets is crucial for the operation of the entire system. Therefore, LSA secrets are stored in two copies: current (active) and previous (former). Modifying a secret places its current copy to the former one and replaces it with the new, modified secret. The plugin has an option for showing both active and former secrets.

LSA secrets of an external PC


3. The last step of the Wizard decrypts secrets and shows them as a list. To show the value of a secret, just click on its name. Enter the edit more by double-clicking on one of the characters in the Hex or Ascii field (this marks it in yellow), and enter the new value. In the edit mode, use the cursor keys to move to the next character. Modified values are marked in red. To save changes, right-click on the Hex/Ascii field and then select the save item on the menu that appears.

Editing LSA secrets
 

Keep in mind that certain secrets contain critical data, and modifying them may cause system instability or even impossibility of booting!


The plugin also allows adding and deleting secrets (secrets of current operating system only). Deleting a secret, whether old or new, automatically deletes both its copies.

You can share your secrets with developers (Share Names button). This e-mails only the secret names, without the actual data. Analyzing the secret names will help us make the program more efficient.