I worked on a Windows app that registers a Windows service with C++ code like this:
    SC_HANDLE hService = ::CreateService(
        hSCM,                        // SCM handle from OpenSCManager (needs SC_MANAGER_CREATE_SERVICE)
        m_szServiceName,             // internal service name, e.g. MyService
        _T(SERVICE_NAME),            // display name
        SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
        SERVICE_AUTO_START, SERVICE_ERROR_NORMAL,
        szFilePath,                  // path of the service executable
        NULL, NULL,                  // no load-order group, no tag id
        _T("RPCSS\0"),               // dependencies: double-null-terminated list
        user_name, password);        // logon account; the password is stored by the SCM as an LSA secret
where user_name and password are strings that are provided by the app user during the app install. Assuming the service name is MyService, this creates a registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_MyService that is hidden by default: even an administrator does not have permission to read it, and regedit does not show the content of the HKEY_LOCAL_MACHINE\SECURITY key by default. But fortunately the access can be allowed by right-clicking on HKEY_LOCAL_MACHINE\SECURITY and selecting Permissions, or alternatively by running
Enable-TSDuplicateToken
in PowerShell. To list the content of the key I used the following command:
dir HKLM:\SECURITY\Policy\Secrets\_SC_MyService
Hive: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_MyService
Name Property
---- --------
CupdTime (default) : {238, 109, 73, 59...}
CurrVal (default) : {0, 0, 0, 1...}
OldVal (default) : {}
OupdTime (default) : {102, 70, 66, 59...}
SecDesc (default) : {1, 0, 4, 128...}
Then I started PowerShell in 32-bit mode (from 64-bit PowerShell):
Start-Process $Env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
and checked that it really is 32-bit:
[Environment]::Is64BitProcess
Then I disabled real-time monitoring of Windows Defender and ran the Get-TSLSASecret script along with the Enable-TSDuplicateToken script:
Set-MpPreference -DisableRealtimeMonitoring $true
Enable-TSDuplicateToken
Get-TSLSASecret
It reported various errors but showed me a line like:
_SC_MyService virtual.domain1\administrator TCLIENT
where TCLIENT is the virtual machine name. The Secret column was empty, and the script does not show the passwords.
Links:
- Use PowerShell to Decrypt LSA Secrets from the Registry
- LsaRetrievePrivateData function
- Is it possible to access the credentials a Windows service was created with?
- Where and how is the password stored for the account associated with a Windows service?
- CreateServiceA function
- Enable-TSDuplicateToken
- How Do I run Powershell x86 from Powershell?
- Determine if current PowerShell Process is 32-bit or 64-bit?
- Is it possible to extract password from HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\<SomeKey>?
- Dumping Clear-Text Credentials
- I disabled real-time monitoring of Windows Defender, but a PowerShell script is still blocked
- Password Recovery Software (C++ code with LsaRetrievePrivateData).
- SysKey and the SAM (it takes the form of a registry hive and is stored in %WINDIR%\system32\config).
- The cached credentials are stored in the registry at the following location: HKEY_LOCAL_MACHINE\SECURITY\Cache (in Windows 2000 and later versions of Windows, the username and password are not cached; instead, the system stores an encrypted verifier of the password. This verifier is a salted MD4 hash that is computed two times).
- SAM file where local users are stored.
- ntds.dit file with the domain accounts.
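As an added example (not part of the original post), here is a PowerShell audit that lists the services whose logon account is a named user account: those are exactly the services for which CreateService stored the password as an _SC_<ServiceName> LSA secret that any local administrator can recover. The function name is my own; it only reads service configuration via WMI/CIM and never touches the SECURITY hive.

```powershell
# Added example, not from the original post.
# Services running as LocalSystem, LocalService, NetworkService, a virtual
# account (NT SERVICE\<name>) or a gMSA (DOMAIN\name$) keep no password in
# LSA secrets. Any other StartName means an _SC_<Name> secret exists and the
# service should be migrated to a virtual account or gMSA.
function Get-ServiceWithStoredPassword {
    [CmdletBinding()]
    param()

    # Built-in identities as Win32_Service reports them (case-insensitive compare).
    $builtIn = @(
        'LocalSystem',
        'NT AUTHORITY\LocalService',
        'NT AUTHORITY\LOCAL SERVICE',
        'NT AUTHORITY\NetworkService',
        'NT AUTHORITY\NETWORK SERVICE'
    )

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = $_.StartName
        if ([string]::IsNullOrEmpty($account)) { return }   # no logon account configured
        if ($builtIn -contains $account)       { return }   # built-in, no secret stored
        if ($account -like 'NT AUTHORITY\*')   { return }   # other built-in identity
        if ($account -like 'NT SERVICE\*')     { return }   # virtual account, no secret
        if ($account.EndsWith('$'))            { return }   # gMSA / machine account

        [pscustomobject]@{
            Name       = $_.Name
            StartName  = $account
            StartMode  = $_.StartMode
            PathName   = $_.PathName
            SecretName = "_SC_$($_.Name)"   # LSA secret that holds this account's password
        }
    }
}

# Report the findings; each row is a service whose password is recoverable by a local admin.
Get-ServiceWithStoredPassword | Format-Table -AutoSize
```

Run it elevated so that every service's StartName is returned; an empty result means no service password is sitting in the Secrets key.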