Accessing a service credentials on Windows 10

I worked on some Windows app that registers a Windows service with a C++ code like this:

SC_HANDLE hService = ::CreateService(
    hSCM, m_szServiceName, _T(SERVICE_NAME),
    SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
    SERVICE_AUTO_START, SERVICE_ERROR_NORMAL,
    szFilePath, NULL, NULL, _T("RPCSS\0"), user_name, password);

where user_name and password are strings that are provided by the app user during the app install. Assuming the service name is MyService this creates a registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_MyService that is hidden by default and even administrator does not have a permission to read it and regedit does not show the content of HKEY_LOCAL_MACHINE\SECURITY key by default. But fortunately the access can be allowed by right clicking on HKEY_LOCAL_MACHINE\SECURITY and selecting Permissions or alternatively by running

Enable-TSDuplicateToken

in PowerShell. To list the content of the key I used the following command:

dir HKLM:\SECURITY\Policy\Secrets\_SC_MyService
    Hive: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_MyService

Name                           Property
----                           --------
CupdTime                       (default) : {238, 109, 73, 59...}
CurrVal                        (default) : {0, 0, 0, 1...}
OldVal                         (default) : {}
OupdTime                       (default) : {102, 70, 66, 59...}
SecDesc                        (default) : {1, 0, 4, 128...}

Then I started PowerShell in 32-bit mode (from 64-bit PowerShell):

Start-Process $Env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

checked if it really is 32-bit:

[Environment]::Is64BitProcess

Then I disabled real-time monitoring of Windows Defender and run Get-TSLSASecret script along with Enable-TSDuplicateToken script:

Set-MpPreference -DisableRealtimeMonitoring $true
Enable-TSDuplicateToken
Get-TSLSASecret

It reported various errors but shown me a line like:

_SC_MyService   virtual.domain1\administrator        TCLIENT

where TCLIENT is the virtual machine name. Secret column was empty and the script does not show the passwords.

Links:

Leave a Reply

Your email address will not be published.