delete LSA cache password ?

Discussion in 'Security Software' started by bigstyle [MVP], Apr 18, 2007.

  1. Hello,

    First of all, sorry if I make mistakes, but I am French :D

    Has any of you ever found a solution to prevent attacks that let
    hackers discover some users' passwords thanks to the LSA cache stored
    in the registry?

    1) Can we just delete specific entries in the registry?

    2) I have read that the LSA cache stores the domain user
    credentials, but my password doesn't appear when I dump the LSA cache.

    3) I have also read that I should modify the registry key
    NT\CurrentVersion\Winlogon\cachedlogonscount but in my opinion this is
    not the right key.

    Thanks for your advice.

    bigstyle [MVP], Apr 18, 2007

  2. S. Pidgorny Guest

    Not really, no. The issue is that one can read those password hashes from
    memory, not even from the registry.
    So the way to prevent it is to prevent people from becoming local
    S. Pidgorny, Apr 18, 2007

  3. Thank you for your answer.

    I have read that only the SeDebugPrivilege is needed to obtain this
    kind of list... :/

    Is there no way to prevent this dump or to delete this cache?
    The cache is still available after a reboot, so I think it will be deleted if
    I delete the registry key first and then reboot the computer. What do
    you think?

    Thank you
    bigstyle [MVP], Apr 18, 2007
  4. S. Pidgorny Guest

    That is correct... And it gives you everything indirectly. LSA secrets, NTLM
    hashes, even cryptographic keys (unless in special purpose hardware like
    smart cards).
    There are some known LSA secret locations
    ( but cleaning up everything is a
    big thing to ask.

    Well there are ways to revert the system to the pristine state after reboot.
    DeepFreeze is the commercial software that does just that.
    S. Pidgorny, Apr 19, 2007
  5. G'day:

    Hi Svyatoslav,
    That's strange, because I have tested dumping my LSA cache with only the
    SeDebugPrivilege and it didn't work!
    Thanks for these links.

    When I try to dump my LSA cache I am not able to see the domain
    credentials hash. Only HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
    is read and there's nothing about the NTLM hashes.

    I would like to understand how an attacker proceeds to retrieve this hash,
    because it's a potentially high security risk, I think!

    Thanks :)
    bigstyle [MVP], Apr 19, 2007
  6. S. Pidgorny Guest

    By itself that's just it - debug. But that privilege allows you to debug
    kernel, which results in the ability to elevate yourself to the system
    equivalent, I think.
    Cached logon credentials are spread throughout the registry and encrypted in
    a funny way. I haven't seen tools that allow to dump those.
    S. Pidgorny, Apr 20, 2007
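
Added example, not part of the thread: one way to audit the two settings discussed above, by parsing a `secedit /export /cfg policy.inf` export for the CachedLogonsCount value and for accounts other than Administrators that hold SeDebugPrivilege. The sample export, the non-builtin SID and the function names are constructed for illustration.

```python
import re

# Constructed sample of a secedit export (not taken from the thread).
SAMPLE_INF = r'''
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
'''

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
CACHE_VALUE = r"machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount"


def parse_inf(text):
    """Return {section: {key: value}} with section names and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def audit(text):
    """Report the cached-logon count and SeDebugPrivilege holders besides Administrators."""
    inf = parse_inf(text)
    raw = inf.get("registry values", {}).get(CACHE_VALUE)
    # Registry values are exported as <type>,<data>; the data is a quoted string here.
    count = int(raw.split(",", 1)[1].strip('"')) if raw else None
    holders = inf.get("privilege rights", {}).get("sedebugprivilege", "")
    sids = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return {
        "cached_logons_count": count,    # None: value not present in the export
        "caching_enabled": count != 0,   # 0 turns off caching of domain logons
        "debug_extra": [s for s in sids if s != ADMINISTRATORS],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INF))
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.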