Malicious software can capture the password of whichever account is set up for autologon. The answer lies in the Windows registry: the password for the autologon account is stored there in plaintext, i.e. unencrypted! To demonstrate this, I've coded a sample program called APwd.exe which reads the plaintext password from the registry and displays it together with the user name and domain name of the account.
Win2K, like WinNT, supports autologon, which lets a user log on to the system without manually typing a password. This speeds up logon and spares the user the hassle of entering his/her password every time he/she logs on. Win2K disables autologon by default, but it can be enabled through registry tweaks. I don't know if there exist other ways of managing autologon without manually editing the registry; I've searched almost all the snap-ins in MMC but didn't find any feature that could manage it.

The registry values holding the account name and password are stored in cleartext, as REG_SZ strings. Thus, by using the registry APIs exported from ADVAPI32.DLL such as RegOpenKeyExA and RegQueryValueExA, malicious software can simply read the password of whichever user account is set for autologon. I'm not sure if this applies to WinXP, because I tested this method on my system running Win2K Advanced Server SP3, and there it works!
The autologon feature requires the AutoAdminLogon value (type REG_SZ) to be set to 1. It lives under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. By default this value doesn't exist in Win2K, but the user can create it; setting it to 0 disables autologon. Next, three more values have to be set: DefaultDomainName, DefaultPassword and DefaultUserName. The password in the DefaultPassword value is in cleartext, so it can be retrieved easily.
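The following PowerShell script is an added example, not the APwd.exe program described above. It reads the four Winlogon values named in the text, reports whether autologon is enabled and whether a cleartext DefaultPassword is present, lists who is allowed to read the key, and, with the hypothetical -Remediate switch, removes the password value and turns autologon off. Reading the key needs no special privileges on a default install; remediation needs an elevated session.

```powershell
# Audit (and optionally clean up) a cleartext autologon password.
# Added example; the registry path and value names are the ones from the text.
param(
    [switch]$Remediate   # assumed switch: remove DefaultPassword and disable autologon
)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Get-ItemProperty returns $null for values that do not exist, which is the
# normal state on a clean Win2K system.
$props    = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
$user     = $props.DefaultUserName
$domain   = $props.DefaultDomainName
$password = $props.DefaultPassword

# AutoAdminLogon is a REG_SZ, so compare it as the string '1', not the number 1.
$enabled = ($props.AutoAdminLogon -eq '1')

if ($enabled) {
    Write-Output "Autologon is ENABLED for account $domain\$user"
} else {
    Write-Output "AutoAdminLogon is not set to 1; autologon is disabled."
}

if ($null -ne $password) {
    # This is exactly what APwd.exe-style tools read: the cleartext string.
    Write-Warning ("DefaultPassword is stored in cleartext ({0} characters). " +
                   "Any process that can read this key can recover it.") -f $password.Length

    if ($Remediate) {
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword
        Set-ItemProperty   -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
        Write-Output "Removed DefaultPassword and set AutoAdminLogon to 0."
    }
} elseif ($enabled) {
    # Enabled but no cleartext value here: the password comes from somewhere
    # this script does not read, so this check alone is not a clean bill of health.
    Write-Output "Autologon is enabled but no DefaultPassword value is present in this key."
} else {
    Write-Output "No DefaultPassword value stored in the registry."
}

# Show the key's ACL: this is why an unprivileged process can read the password.
Write-Output "Principals allowed access to the Winlogon key:"
(Get-Acl -Path $WinlogonKey).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, RegistryRights |
    Format-Table -AutoSize
```

Run it as `.\Check-AutoLogon.ps1` to audit, or `.\Check-AutoLogon.ps1 -Remediate` from an elevated prompt to remove the cleartext value. Disabling autologon this way means the account will be prompted for its password at the next boot, so make sure that password is known before running the remediation on a remote or unattended machine.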
Basically, if autologon is set up for the "Administrator" account, whoever obtains the password can do virtually anything. If it's some other user, the password is still worth having, because the attacker can hijack that account and install keyloggers and other malicious programs under it.