Proph

Encrypted AutoLogon

11 posts in this topic

I want to be able to use an encrypted password in the Windows AutoLogon feature.

I did some research and found a way to do it. But the code is not AutoIt code. :) I think it's in C++.

Here is the code if someone could take a crack at it. I think others would benefit from this one as well. :)

http://msdn.microsoft.com/en-us/library/aa378826(VS.85).aspx

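#include <windows.h>
#include <ntsecapi.h>   // LsaOpenPolicy, LsaStorePrivateData, LSA_UNICODE_STRING
#include <stdio.h>

//  STATUS_SUCCESS is declared in ntstatus.h, which windows.h does not pull in.
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif

//  Link with Advapi32.lib.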

DWORD UpdateDefaultPassword(WCHAR * pwszSecret)
{

    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
    LSA_HANDLE LsaPolicyHandle = NULL;

    LSA_UNICODE_STRING lusSecretName;
    LSA_UNICODE_STRING lusSecretData;
    USHORT SecretNameLength;
    USHORT SecretDataLength;

    NTSTATUS ntsResult = STATUS_SUCCESS;
    DWORD dwRetCode = ERROR_SUCCESS;

    //  Object attributes are reserved, so initialize to zeros.
    ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));

    //  Get a handle to the Policy object.
    ntsResult = LsaOpenPolicy(
        NULL,    // local machine
        &ObjectAttributes, 
        POLICY_CREATE_SECRET,
        &LsaPolicyHandle);

    if( STATUS_SUCCESS != ntsResult )
    {
        //  An error occurred. Display it as a win32 error code.
        dwRetCode = LsaNtStatusToWinError(ntsResult);
        wprintf(L"Failed call to LsaOpenPolicy %lu\n", dwRetCode);
        return dwRetCode;
    } 

    //  Initialize an LSA_UNICODE_STRING for the name of the
    //  private data ("DefaultPassword").
    SecretNameLength = (USHORT)wcslen(L"DefaultPassword");
    lusSecretName.Buffer = L"DefaultPassword";
    lusSecretName.Length = SecretNameLength * sizeof(WCHAR);
    lusSecretName.MaximumLength =
        (SecretNameLength+1) * sizeof(WCHAR);

    //  If the pwszSecret parameter is NULL, then clear the secret.
    if( NULL == pwszSecret )
    {
        wprintf(L"Clearing the secret...\n");
        ntsResult = LsaStorePrivateData(
            LsaPolicyHandle,
            &lusSecretName,
            NULL);
        dwRetCode = LsaNtStatusToWinError(ntsResult);
    }
    else
    {
        wprintf(L"Setting the secret...\n");
        //  Initialize an LSA_UNICODE_STRING for the value
        //  of the private data. 
        SecretDataLength = (USHORT)wcslen(pwszSecret);
        lusSecretData.Buffer = pwszSecret;
        lusSecretData.Length = SecretDataLength * sizeof(WCHAR);
        lusSecretData.MaximumLength =
            (SecretDataLength+1) * sizeof(WCHAR);
        ntsResult = LsaStorePrivateData(
            LsaPolicyHandle,
            &lusSecretName,
            &lusSecretData);
        dwRetCode = LsaNtStatusToWinError(ntsResult);
    }

    LsaClose(LsaPolicyHandle);

    if (dwRetCode != ERROR_SUCCESS)
        wprintf(L"Failed call to LsaStorePrivateData %lu\n",
            dwRetCode);
    
    return dwRetCode;

}

Thanks!


Hi, I'm not sure quite what you want to do.

I've just been using encryption for a program I'm making.

I saved my user name and password to a file, then encrypted them; then when I need to input them I load the file and unencrypt them.

Here's my code; it might help you.

Encrypt them:

#include <String.au3>
#include <File.au3>
; Read the plaintext username (line 1) and password (line 2)
$file = FileOpen("C:\test.txt", 0)
$line = FileReadLine($file)
$username = $line
$line = FileReadLine($file)
$password = $line
FileClose($file)
; _FileWriteToLine works on the file path, so no open handle is needed below
$Encrypt = _StringEncrypt(1, $username, "password", 1) ; Encrypt $username with the encryption password at level 1
_FileWriteToLine("C:\test.txt", 1, $Encrypt, 1) ; Overwrite line 1
$Encrypt = _StringEncrypt(1, $password, "password", 1) ; Encrypt $password with the encryption password at level 1
_FileWriteToLine("C:\test.txt", 2, $Encrypt, 1) ; Overwrite line 2

Unencrypt them and put them in variables:

#include <String.au3>
#include <File.au3>
; Read the encrypted username (line 1) and password (line 2)
$file = FileOpen("C:\test.txt", 0)
$line = FileReadLine($file)
$username = $line
$line = FileReadLine($file)
$password = $line
FileClose($file)
$Encrypt = _StringEncrypt(0, $username, "password", 1) ; Decrypt $username with the encryption password at level 1
$username = $Encrypt
$Encrypt = _StringEncrypt(0, $password, "password", 1) ; Decrypt $password with the encryption password at level 1
$password = $Encrypt


#3 ·  Posted (edited)

I believe he's looking for a way to store an encrypted password in the registry to allow autologin instead of a cleartext password.

edit: Sorry, I'm not a C++ guy or I'd give it a shot myself.

Edited by spudw2k


Yeah, that is what I am trying to do. I already encrypt the info myself... but using this method would utilize a feature built into Windows that would actually have it encrypted fully, because the normal autologon method just puts the password in plain text into the registry, which would allow a user to check the registry in that area and gain access to the password.


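A check for the weakness described above (AutoLogon password left in clear text in the registry), added here as an example and not posted by anyone in the thread. It assumes the standard Winlogon key and value names, which the thread does not spell out; the function name Test-AutoLogonStorage is made up for illustration.

```powershell
# Added example: report how AutoLogon is configured without printing the password.
function Test-AutoLogonStorage {
    [CmdletBinding()]
    param(
        # Standard Winlogon key (assumption: the thread does not name it).
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $wl = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Read a value that may not exist; returns $null instead of throwing.
    $get = {
        param($name)
        $p = $wl.PSObject.Properties[$name]
        if ($null -ne $p) { [string]$p.Value } else { $null }
    }

    $enabled   = (& $get 'AutoAdminLogon') -eq '1'
    # Presence test only: the password value itself is never emitted.
    $plaintext = -not [string]::IsNullOrEmpty((& $get 'DefaultPassword'))

    if ($plaintext) {
        $finding = 'FAIL: DefaultPassword is stored in clear text in the registry'
    } elseif ($enabled) {
        # With no registry value, the password is expected to be held as the LSA
        # private data item "DefaultPassword", as the C sample in this thread does.
        $finding = 'OK: AutoLogon enabled, no clear-text password in the registry'
    } else {
        $finding = 'OK: AutoLogon disabled, no clear-text password in the registry'
    }

    [pscustomobject]@{
        AutoAdminLogon      = $enabled
        DefaultUserName     = & $get 'DefaultUserName'
        DefaultDomainName   = & $get 'DefaultDomainName'
        PlaintextInRegistry = $plaintext
        Finding             = $finding
    }
}

Test-AutoLogonStorage | Format-List
```

Reading the Winlogon key does not require elevation, which is why a clear-text DefaultPassword value there is a finding in its own right.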
I know this is a cold thread, but I ran across it this morning while looking for something similar and it didn't look like there was a resolution. Anyway, Sysinternals (cough Microsoft) provides a free tool to do this: http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx

Possibly you can incorporate it into whatever script you're creating.


Just take the password, for example "test", use _StringEncrypt on it or one of the other encryption/hash functions/UDFs available, and write the result in the registry.

Then for the autologin, read the registry, decrypt and log in. It is not very secure, but better than having it as plaintext in the registry.


I agree with cmacrun. It is most secure to simply use the Sysinternals tool. Definitely stronger than _StringEncrypt and more secure than an autologin service of some sort.


What about RDP? If I have RDP enabled on the PC on which I would use this autologon tool, would anyone trying to connect with remote desktop to that PC be able to autologin?


I don't believe there is any sort of AutoLogin function for RDP. The best you can do is save an RDP connection profile with an embedded password, but as far as I know you will always be prompted to login when attempting an RDP connection. VNC however is a different story. ;)


Sorry, probably my question was poorly formulated. I know that you can save a shortcut to an RDP session and save credentials, so you'll be able to auto-login to the RDP session; I use it all the time.

What I meant to ask is whether Autologon logs in the remote user connecting via RDP. I mean, that would be totally unsafe. So to elaborate, can I have my server set to allow remote connections by RDP and have autologon on the same server, but be safe at the same time from users automagically logging in without knowing the login/password of the server? If I set up autologon, will it auto-login me only when I turn on / restart the PC "locally/physically", or is it unsafe and will it log in whenever need be (even on incoming RDP sessions)?

I hope it's possible to understand my rambling now ;)


Yes. Like I said, every time you connect via RDP, even if it's the user who was AutoLogged-In, they will be prompted for credentials. I hope I am understanding the scenario.
