LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than local System. Dial-Up credentials and other application defined passwords also reside here.


How it works

This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to decrypt the LSA secrets present on the system. It uses the "DLL injection" technique to run a thread in the same security context as the Local Security Authority Subsystem process. The thread's executable code must first be copied into the address space of the LSASS process, and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed, the thread runs with the same access privileges as the Local Security Authority Subsystem; it loads the function "DumpLsa" from Abel.dll, which opens and queries each secret using the LsarOpenSecret and LsarQuerySecret APIs from LSASRV.DLL. The thread stores the data returned by these functions in a temporary file named lsa.txt located in the same directory as the program. Finally, the content of this file is displayed on the screen and the temporary file is deleted.
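The technique described above leaves a characteristic trace for defenders: a non-system process must open a handle to lsass.exe with rights sufficient to write code into it and start a thread there. The following is an added example, not part of the original page or of the Cain & Abel program, that flags such handle opens in process-access telemetry. The field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon Event ID 10; the event records themselves are constructed for the example, and the default allowlist of system processes is an assumption that an operator would tune for their environment.

```python
# Added example (not Cain & Abel code): spot handle opens on lsass.exe that carry
# the access rights a remote-thread injection needs.
# The access-right constants are the documented Win32 PROCESS_* values.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# To copy a thread body into another process and run it, a caller needs all three
# of these rights on the target; reading memory alone (VM_READ) is not enough.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed allowlist of system images that legitimately hold broad access to
# LSASS on Windows; an operator would adjust this for their own build/AV stack.
DEFAULT_ALLOWLIST = frozenset({
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
})

# Constructed sample records in the shape of Sysmon Event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x3A"},
    {"SourceImage": r"C:\Program Files\Monitor\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x3A"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]


def needs_injection_rights(granted_access: str) -> bool:
    """True if the hex GrantedAccess mask includes every right in INJECT_MASK."""
    mask = int(granted_access, 16)
    return mask & INJECT_MASK == INJECT_MASK


def is_lsass(image_path: str) -> bool:
    """Match on the file name only; the path prefix can vary by drive/locale."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "lsass.exe"


def find_lsass_injection(events, allowlist=DEFAULT_ALLOWLIST):
    """Return the SourceImage of every event that opened lsass.exe with
    injection-capable rights and is not on the allowlist."""
    hits = []
    for ev in events:
        if not is_lsass(ev["TargetImage"]):
            continue
        source = ev["SourceImage"]
        if source.lower() in allowlist:
            continue
        if needs_injection_rights(ev["GrantedAccess"]):
            hits.append(source)
    return hits


if __name__ == "__main__":
    for src in find_lsass_injection(SAMPLE_EVENTS):
        print("possible thread injection into LSASS from:", src)
```

Only the constructed tool.exe record matches: it targets lsass.exe with 0x3A (create-thread, VM-operation, VM-read and VM-write), while the agent.exe record holds only a query right and the svchost.exe record can read LSASS memory but not write to it or create a thread. Passing an empty allowlist also surfaces the csrss.exe record, which shows why the allowlist matters for noise.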

Usage

To dump the content of the LSA Secrets, press the "Insert" key on the keyboard or click the icon with the blue + on the toolbar. You can choose to dump LSA secrets from the local system or from external registry hive files (SYSTEM and SECURITY); Windows Vista hive files are also supported.

Requirements

This feature requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Abel.dll is also required, since the remote thread injected into the LSASS process loads it.