Passwords from Windows

by Big Bird

Windows stores user information in all sorts of places.

Some of them you know (cookies, temporary Internet files, configuration files) but there are other locations where information is stored that can be much more interesting.  I'll show you how to gather information about users and settings they keep.

Please note, I will be describing utilities found inside of Windows and from a software developer named Nir Sofer.

Although the programs created by Nir Sofer are free today, they may not be tomorrow.

Nir Sofer's website is www.nirsoft.net (NirSoft), and Microsoft's website is www.microsoft.com.

This article discusses details about the "Protected Storage Manager" in Windows.

One caveat however: you will need to be logged in as the user you intend to gather this information from.  If you do not have access to the user's account, you may need to go through the process of getting into the Administrator account (by resetting the password).

Also, on Windows XP home computers, the Administrator account has an empty password (when booting into Safe Mode) and there you can change the user's password.

There are other ways to get in by copying profiles and such, but this is a little larger than the scope of this article.

Getting Various Passwords

The Protected Storage Manager is simply a location in the Windows Registry.

The Protected Storage is a feature of Windows that stores most, if not all, of the user's information in an encrypted location.

By default the "Protected Storage" service in Windows XP is required to save any passwords the user uses in email, messaging or Internet Explorer.

It is on by default in Windows XP.  In the registry, you can find the Protected Storage location by running REGEDIT and locating the following key (and subkeys):

HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

Often this location in the registry is either hidden or encrypted or both - so you won't likely find much if you go snooping around.

There are utilities to get access to this information but most of them require Perl or installation on the local computer.  Some other utilities of this nature are Protected Storage Explorer (www.forensicideas.com), Cain & Abel (www.oxid.it), and SecretExplorer (lastbit.com/wse/default.asp).  But Protected Storage PassView is the best and easiest to use.

In this area you'll find usernames and passwords that have been saved by Internet Explorer as well as a URL to the location where the password had been saved.

Believe it or not, I have often seen bank URLs with the username (bank card number) and passwords saved.  If you get only a username for the one location, you may find user/password pairs for other sites.

Often people don't vary usernames and passwords enough to keep you from guessing them.  The function of saving usernames and passwords is (for the most part) seamless to the user.

The first utility (by Nir Sofer) that I'll direct you to use is the Protected Storage PassView.  This utility exposes all of what is in the Protected Storage of Windows.

The Protected Storage PassView utility also shows recently typed entries and search terms from Internet Explorer.

This Internet Explorer technology (named AutoComplete) is great for gathering information about the user's interests, address, phone number, and even in rare cases passwords.
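As an added example (not from the article or from NirSoft), the PowerShell audit below checks the conditions described above from the defender's side: whether the "Protected Storage" service is running, whether the per-user Protected Storage key exists, and whether Internet Explorer AutoComplete is allowed to save form passwords, with a helper that turns password saving off.  The service name "ProtectedStorage" and the "FormSuggest" values under the IE "Main" key are real Windows identifiers not mentioned in the article; the script assumes it is run as the user being audited, since the key lives under HKEY_CURRENT_USER.

```powershell
# Added audit script; not part of the original article or of NirSoft's tools.
# Assumption: run under the user account being audited (the key is per-user).

function Get-ProtectedStorageAudit {
    $svcName = 'ProtectedStorage'   # display name "Protected Storage"
    $psKey   = 'HKCU:\Software\Microsoft\Protected Storage System Provider'
    $ieMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

    # Service state: Running means saved IE/email/messenger secrets are being kept.
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status } else { 'NotInstalled' }

    # The key itself is normally ACL-restricted; Test-Path only reports presence.
    $keyPresent = Test-Path -Path $psKey

    # IE stores the AutoComplete password choice as the string "yes" or "no".
    # A missing value means the browser default applies (assumed to allow saving).
    $main = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    if ($main -and $main.'FormSuggest Passwords') {
        $savePw = $main.'FormSuggest Passwords'
    } else {
        $savePw = 'not set (browser default)'
    }

    New-Object PSObject -Property @{
        ProtectedStorageService = $svcState
        ProtectedStorageKeyExists = $keyPresent
        IEAutoCompletePasswords = $savePw
    }
}

function Disable-IEPasswordSaving {
    # Hardening step: stop IE from offering to remember form passwords
    # for the current user, so nothing new lands in Protected Storage.
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $ieMain)) { New-Item -Path $ieMain -Force | Out-Null }
    Set-ItemProperty -Path $ieMain -Name 'FormSuggest Passwords' -Value 'no'
    Set-ItemProperty -Path $ieMain -Name 'FormSuggest PW Ask'    -Value 'no'
}

# Report the current state; call Disable-IEPasswordSaving to lock it down.
Get-ProtectedStorageAudit | Format-List
```

Clearing entries that were already saved is a separate step (the IE "Clear Forms" / "Clear Passwords" buttons in the AutoComplete settings dialog); this script only stops new ones from being stored.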

Other information you can gather from the Protected Storage location:

Nir Sofer also made a small utility to gather usernames and passwords for common instant messaging applications.

The utility, MessenPass, supports the following applications:

You would be surprised how useful this program is at gathering information about messenger applications installed on the computer and/or passwords for various accounts.

Email Passwords

Although it is almost redundant (Protected Storage PassView can already show email passwords), Nir Sofer also created a utility to gather username, hostname, and password information from specific email applications.

This utility, Mail PassView, shows usernames and passwords from the following programs:

Scenarios

In one scenario you may be looking for the user's Hotmail username and password.

Since Hotmail is accessed through a web browser, there is a really good chance the user might have saved this while he/she was using Internet Explorer.

Run the Protected Storage PassView application and find the corresponding URL and username/password values.

In other cases, the user may save their MSN Messenger passwords when they use Messenger since the Messenger username is often the user's Hotmail email address, and the password is often the user's Hotmail password.

Run the MessenPass utility and you'll have what you need.

Another way of getting the Hotmail password is if the user has set up his/her Hotmail email access through Outlook or Outlook Express (and saved the password of course).  In this case you may get this information from the Protected Storage PassView program or even Mail PassView.

In a real world scenario, I took over IT services from another company who used to poorly support my new client.

While looking through the machines using the above utilities, I came across one machine that (apparently) one of the senior technicians in the old support company had been using.

What I found in the Protected Storage PassView utility was the URL, username, and password of the senior technician's email account on that company's server.

A little more investigation and I found usernames and passwords for their customers, credit card numbers, and all sorts of other information about that company's business.

None of that information was used for bad reasons as that defeats the purpose.

As web-based applications become more and more rich, the things you might find in the Windows Protected Storage become more and more interesting, just as users seem to be becoming more and more stupid.

Make use of these utilities and protect yourself!
