{
	"id": "c0aaeb2b-1315-43ac-94ee-40dda8b8d165",
	"created_at": "2026-04-06T00:11:29.599109Z",
	"updated_at": "2026-04-10T03:20:37.407673Z",
	"deleted_at": null,
	"sha1_hash": "ac3300216171dc152f7dd1e8693159bededf0019",
	"title": "LSA Secrets in Windows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117195,
	"plain_text": "LSA Secrets in Windows\r\nArchived: 2026-04-05 21:16:29 UTC\r\nWhat are LSA secrets?\r\nWhat is stored in LSA secrets?\r\nWhere are LSA secrets stored?\r\nLSA Secrets in detail\r\nCurrVal and OldVal data structure\r\nEncrypting LSA secrets in Windows 2000, XP, 2003\r\nEncrypting secrets in Windows Vista, Windows 7\r\nReading and editing secrets\r\nAppendix\r\n \r\nWhat are LSA secrets?\r\nLSA secrets are a special protected storage for important data used by the Local Security Authority (LSA) in\r\nWindows. LSA is responsible for managing a system's local security policy, auditing, authenticating and logging users\r\non to the system, and storing private data. Users' and the system's sensitive data is stored in secrets. Access to all secret\r\ndata is available to the system only. However, as shown below, some programs, in particular Windows Password\r\nRecovery, allow this restriction to be bypassed.\r\nWhat is stored in LSA secrets?\r\nOriginally, the secrets contained cached domain records. Later, Windows developers expanded the application area\r\nfor the storage. At present, secrets can store PC users' plaintext passwords, service account passwords (for example,\r\nthose of services that must run as a certain user to perform certain tasks), Internet Explorer passwords, RAS connection\r\npasswords, SQL and CISCO passwords, SYSTEM account passwords, private user data such as EFS encryption keys,\r\nand a lot more. For example, the NL$KM secret contains the cached domain password encryption key.\r\nL$RTMTIMEBOMB stores the amount of time left until the expiration of an inactivated copy of Windows.\r\nL$HYDRAENCKEY stores the public RSA2 key used in the Remote Desktop Protocol. 
Incidentally, even when\r\nautomatic login is not set, in certain versions of Windows 7 the secrets can contain the plaintext\r\nadministrator account password, thus compromising the entire target system.\r\nWhere are LSA secrets stored?\r\nLSA secrets are stored in encrypted form in the Windows registry, under the\r\nHKEY_LOCAL_MACHINE/Security/Policy/Secrets key. The parent key,\r\nHKEY_LOCAL_MACHINE/Security/Policy, contains the additional data necessary for accessing and\r\ndecrypting the secrets. Here are descriptions of some values of this key.\r\nhttps://www.passcape.com/index.php?section=docsys\u0026cmd=details\u0026id=23\r\nPage 1 of 7\n\nKey: HKEY_LOCAL_MACHINE/Security/Policy/SecDesc\r\nValue name:\r\nData type: REG_BINARY\r\nDescription: security descriptor for accessing the registry branch with secrets.\r\nKey: HKEY_LOCAL_MACHINE/Security/Policy/PolState\r\nValue name:\r\nData type: REG_BINARY\r\nDescription: current state of the secrets subsystem.\r\nKey: HKEY_LOCAL_MACHINE/Security/Policy/PolRevesion\r\nValue name:\r\nData type: REG_BINARY\r\nDescription: contains the version of the subsystem.\r\nKey: HKEY_LOCAL_MACHINE/Security/Policy/PolPrDmS\r\nValue name:\r\nData type: REG_BINARY\r\nDescription: domain SID.\r\nKey: HKEY_LOCAL_MACHINE/Security/Policy/PolPrDmN\r\nValue name:\r\nData type: REG_BINARY\r\nDescription: domain name.\r\nKey: HKEY_LOCAL_MACHINE/Security/Policy/PolEKList\r\nValue name:\r\nData type: REG_BINARY\r\nDescription: contains the list of encryption keys for LSA secrets.\r\nThe value 1.1 in PolRevesion corresponds to the NT operating system, 1.5 – Windows 2000, 1.7 – Windows XP and\r\nWin2K3, 1.9 – Windows Vista, 1.10 – Windows 7. Before Windows Vista, only one encryption key was stored in\r\nthe registry, in the PolSecretEncryptionKey value. 
Beginning with Windows Vista, PolEKList can contain several\r\nencryption keys.\r\nLSA Secrets in detail\r\nOn the physical level, secrets are stored in the binary registry file SECURITY, with the secret name used as the key name. For\r\nexample, SecurityPolicySecrets$MACHINE.ACC. Each secret in the registry is represented by five values:\r\n1. CurrVal - current encrypted value of the secret.\r\n2. CupdTime - last update time, as an 8-byte FILETIME structure.\r\n3. OldVal - previous value of the secret.\r\n4. OupdTime - previous update time.\r\n5. SecDesc - security descriptor, i.e. which users can access the secret and which are denied\r\naccess to it.\r\nIf the system is unable to read/decrypt one of the secrets, for example because a transaction to the LSA database was not\r\ncompleted due to a power outage or registry file damage, it writes a sixth value into it, PolMod, which indicates\r\nthat the secret is damaged.\r\nCurrVal and OldVal data structure\r\nBeginning with version 1.9, the structure of secrets has changed dramatically; therefore, we are not going to cover\r\nthe old format. Instead of a single encryption key, each secret can now be bound to any entry on the encryption\r\nkey list (PolEKList). There is also an option to select an encryption algorithm! So, the first 4 bytes of the data\r\nstructure are the version of the data; then follows a 16-byte encryption key identifier for locating the necessary\r\nkey on the list. That is followed by a DWORD identifying the bundle of encryption algorithms the secret is\r\nencrypted with. For example, the value 3 corresponds to a bundle of the SHA-256 hashing algorithm and the AES-256\r\nblock cipher. The algorithm identifier is followed by a 4-byte value with various flags used during\r\ndecryption. And, finally, there comes the encrypted data. 
See the figure.\r\nEncrypting LSA secrets in Windows 2000, XP, 2003\r\nUp to Windows Vista, the decryption of the secrets was rather trivial. First, one needed to decrypt the secrets\r\nencryption key. Here is what it looked like:\r\nBOOL CSecrets::DecryptPrimaryKey()\r\n{\r\n    BYTE rc4key[0x10];\r\n    // Derive the RC4 key: MD5 over the SYSKEY followed by 1000 repetitions of the 16 bytes at offset 0x3C\r\n    MD5Init();\r\n    MD5Update(m_pSyskey,0x10);\r\n    for ( int i=0; i\u003c1000; i++)\r\n        MD5Update(((LPBYTE)m_pCypherKey)+0x3C,0x10);\r\n    MD5Final(rc4key);\r\n    // Decrypt 0x30 bytes at offset 0xC in place; the first 16 bytes must match the known authenticator\r\n    RC4SetKey(rc4key,0x10);\r\n    RC4Decrypt(((LPBYTE)m_pCypherKey)+0xC,0x30);\r\n    return ( memcmp(((LPBYTE)m_pCypherKey)+0xC,CYPHERKEY_AUTHENTIFICATOR,0x10)==0 );\r\n}\r\nWhere m_pSyskey - 16-byte SYSKEY value\r\nm_pCypherKey - value from the registry key\r\nHKEY_LOCAL_MACHINE/Security/Policy/PolSecretEncryptionKey\r\nOnce the secrets encryption key was obtained, one could proceed to the decryption of the secrets. The secrets were\r\nencrypted using the DES algorithm.\r\nEncrypting secrets in Windows Vista, Windows 7\r\nBeginning with Windows Vista, the encryption algorithm, as mentioned, has become much more\r\nsophisticated. First, one still needs to decrypt the list of encryption keys (yes, multiple keys are now allowed),\r\nstored in HKEY_LOCAL_MACHINE/Security/Policy/PolEKList. Then proceed to the actual secrets. Each\r\nsecret now stores a key identifier, an encryption algorithm identifier and the actual encrypted data. A working\r\nalgorithm for decrypting a secret looks like:\r\nRead the secret's value and find the encryption key identifier.\r\nOn the list of encryption keys (PolEKList), find the necessary key using the identifier obtained\r\nearlier.\r\nDecrypt the secret using the algorithm identifier and the found key.\r\nThus, secrets in the LSA database can now not only be encrypted with different algorithms, but also have a different\r\norigin context. 
For example, using the SYSKEY from another PC.\r\nReading and editing secrets\r\nThere is a set of APIs for handling secrets available to software developers. Thus, any Windows application can\r\ncreate and read its own secrets, but only within the boundaries of the current user context. See Appendix item 1 for the\r\nsource code of a program for reading secrets. If you need to view or edit LSA secrets, for instance, to delete your\r\naccount's plaintext password, you can take advantage of Windows Password Recovery, which has a convenient plugin\r\nfor handling LSA secrets. By the way, this plugin works both with the current operating system's secrets and with\r\nexternal registry files.\r\nAppendix\r\n1. Source code of the program for reading LSA Secrets. Note that not all secrets can be read in a user context.\r\nBesides, Administrator privileges are required. The executable of the program can be downloaded at the\r\nfollowing link. 
\r\n// LsaSecretReader.cpp : Defines the entry point for the console application.\r\n#include \"stdafx.h\"\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cntsecapi.h\u003e\r\n#pragma comment (lib, \"Advapi32\")\r\n// Fill an LSA_UNICODE_STRING from a NUL-terminated wide string (Length is in bytes, without the terminator)\r\nPLSA_UNICODE_STRING InitLsaString(IN LPWSTR wszString, OUT PLSA_UNICODE_STRING lsastr)\r\n{\r\n    if ( !lsastr )\r\n        return NULL;\r\n    if ( wszString )\r\n    {\r\n        lsastr-\u003eBuffer=wszString;\r\n        lsastr-\u003eLength=(USHORT)(lstrlenW(wszString)*sizeof(WCHAR));\r\n        lsastr-\u003eMaximumLength=lsastr-\u003eLength+sizeof(WCHAR);\r\n    }\r\n    else\r\n    {\r\n        lsastr-\u003eBuffer=L\"\";\r\n        lsastr-\u003eLength=0;\r\n        lsastr-\u003eMaximumLength=sizeof(WCHAR);\r\n    }\r\n    return lsastr;\r\n}\r\nint _tmain(int argc, _TCHAR* argv[])\r\n{\r\n    NTSTATUS status;\r\n    LSA_OBJECT_ATTRIBUTES att;\r\n    LSA_HANDLE pol;\r\n    LSA_UNICODE_STRING secret, *data=NULL;\r\n    if ( argc!=2 )\r\n    {\r\n        _tprintf(TEXT(\"Syntax: %s secretname\\n\"),argv[0]);\r\n        return 1;\r\n    }\r\n    // Open the local policy object; LsaRetrievePrivateData requires POLICY_GET_PRIVATE_INFORMATION access\r\n    memset(\u0026att,0,sizeof(att));\r\n    status=LsaOpenPolicy(NULL,\u0026att,POLICY_GET_PRIVATE_INFORMATION,\u0026pol);\r\n    if ( status!=ERROR_SUCCESS )\r\n    {\r\n        _tprintf(TEXT(\"LsaOpenPolicy error: %lX\\n\"),status);\r\n        return 2;\r\n    }\r\n    InitLsaString(argv[1],\u0026secret);\r\n    status=LsaRetrievePrivateData(pol,\u0026secret,\u0026data);\r\n    // The policy handle is no longer needed once the secret has been retrieved (or the call has failed)\r\n    LsaClose(pol);\r\n    if ( status!=ERROR_SUCCESS )\r\n    {\r\n        _tprintf(TEXT(\"LsaRetrievePrivateData error: %lX\\n\"),status);\r\n        return 3;\r\n    }\r\n    // Hex-dump the raw secret bytes, 16 per line\r\n    if ( data \u0026\u0026 data-\u003eBuffer \u0026\u0026 data-\u003eLength )\r\n    {\r\n        for ( USHORT i=0; i\u003cdata-\u003eLength; i+=16 )\r\n        {\r\n            _tprintf(TEXT(\"%04X: \"),i);\r\n            LPBYTE ptr=(LPBYTE)data-\u003eBuffer;\r\n            ptr+=i;\r\n            for ( int j=0; j\u003cmin(16,data-\u003eLength-i); j++ )\r\n                _tprintf(TEXT(\"%02X \"),ptr[j]);\r\n            _tprintf(TEXT(\"\\n\"));\r\n        }\r\n    }\r\n    else\r\n    {\r\n        _tprintf(TEXT(\"No data\\n\"));\r\n    }\r\n    // Buffers returned by LsaRetrievePrivateData must be released with LsaFreeMemory\r\n    if ( data )\r\n        LsaFreeMemory(data);\r\n    return 0;\r\n}\r\nExample of the output\r\nC:\u003eLsaSecretReader.exe DPAPI_SYSTEM\r\n0000: 01 00 00 00 
73 4F 19 CF 6B B7 6C 8A BC 6D 35 EF\r\n0010: 19 9C A6 3E 9A 80 A7 0C 9D D4 FD B1 20 C6 B1 A5\r\n0020: 7A 87 5F 2B 51 3E 1D E0 45 9B 99 B2\r\nSource: https://www.passcape.com/index.php?section=docsys\u0026cmd=details\u0026id=23\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.passcape.com/index.php?section=docsys\u0026cmd=details\u0026id=23"
	],
	"report_names": [
		"index.php?section=docsys\u0026cmd=details\u0026id=23"
	],
	"threat_actors": [],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac3300216171dc152f7dd1e8693159bededf0019.pdf",
		"text": "https://archive.orkl.eu/ac3300216171dc152f7dd1e8693159bededf0019.txt",
		"img": "https://archive.orkl.eu/ac3300216171dc152f7dd1e8693159bededf0019.jpg"
	}
}