Recover the password of a Windows service user login account

One method to access LSA secrets is documented here.

In a nutshell:

  • Call the Enable-TSDuplicateToken function.

  • Copy the existing registry keys to another, temporary key.

  • Use PowerShell or another framework to call the functions to read the secrets.

You can also use the NirSoft LSASecretsView tool.

You do indeed have to already have admin privileges on the system, and as far as I know there are no differences in recent versions of Windows (other than the mitigations that McMatty already pointed out).
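
For the defensive side of the answer above, an added example (not part of the original answer): a PowerShell audit that lists the services configured to log on as a named account, which are the ones whose logon password Windows keeps as an LSA secret and which a local administrator can therefore recover. The function name, the exclusion pattern for built-in identities and the trailing `$` heuristic for managed accounts are assumptions made for this example.

```powershell
# Added example: inventory services that log on with a named account.
# Their passwords are stored as LSA secrets on the host, so each row is a
# credential that anyone with admin rights on that machine can recover.
function Get-ServiceAccountExposure {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Built-in and virtual identities have no admin-set password (assumed pattern).
    $builtin = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

    foreach ($computer in $ComputerName) {
        $query = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        try   { $services = Get-CimInstance @query }
        catch { Write-Warning "${computer}: $($_.Exception.Message)"; continue }

        foreach ($svc in $services) {
            $account = $svc.StartName
            if ([string]::IsNullOrEmpty($account) -or $account -match $builtin) { continue }

            [pscustomobject]@{
                Computer  = $computer
                Service   = $svc.Name
                Account   = $account
                StartMode = $svc.StartMode
                State     = $svc.State
                # Heuristic: a trailing '$' suggests a managed service account
                # (or computer account) whose password the domain rotates.
                LikelyManaged = $account.EndsWith('$')
            }
        }
    }
}

# Review accounts that appear on many hosts or hold domain privileges first.
Get-ServiceAccountExposure | Sort-Object Account, Service | Format-Table -AutoSize
```

Rows where `LikelyManaged` is false are the ones to prioritise for least privilege, unique per-host passwords, or migration to managed service accounts.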