AlessandroZ / LaZagne

Credentials recovery project
GNU Lesser General Public License v3.0

LSA secrets in Win10 2004 19041.450 x64 #526

Closed Papotito123 closed 4 months ago

Papotito123 commented 4 years ago

Hello; I installed Win10 2004 19041.450 x64 (August 2020) to test some tools.

lazagne runs well. Pypykatz/Hashdump/WIFI are good. Still haven't set password to Chrome.

But for LSA Secrets:

------------------- Lsa_secrets passwords -----------------

DPAPI_SYSTEM
0000 01 00 00 00 10 B2 F8 60 BF 72 E1 E4 20 2D 3D B9 .......`.r.. -=.
0010 0E 92 FC 8F 38 C4 9C 16 2E 24 B4 41 DF 79 1F 40 ....8....$.A.y.@
0020 1F CA 8A 88 B7 25 A1 27 CE F4 F1 38 .....%.'...8

And I set the 3 questions and answers.

Any info?

Thanks.

Papotito123 commented 4 years ago

Hello: Tested mimikatz and it doesn't retrieve.

But I found NirSoft SecurityQuestionsView v1.00. It retrieves LSA questions and answers for logged and other partitions.

AlessandroZ commented 4 years ago

Right now, I cannot answer this question. I have no idea :) Sorry.

Papotito123 commented 4 years ago

Hello: https://answers.microsoft.com/en-us/windows/forum/all/updates-and-now-logged-out/662e6606-9bb1-47f9-873a-d7693d399b7a

https://www.zdnet.com/article/windows-10-2004-issues-now-browser-bugs-hit-edge-startup-launches-chrome-sign-outs/

It seems to be a bug in DPAPI pertaining only to Win10 2004, and it is in some way affecting Chrome, Edge and maybe this LSA Secrets thing.

I tested lazagne from May and from July in Win 10 2004 and it also failed to retrieve LSA secrets Q&A, which worked fine in Win10 1809.

Papotito123 commented 3 years ago

Hello: Tonight I tested again to retrieve LSA secrets Q&A (which did good in Win10 1809, but not having now) in Win 2004H1 and same behaviour. Also tested other tools and they can't retrieve the Secrets.

Papotito123 commented 3 years ago

Hello: Win 10 20H1 x64 local user.

I ran regedit as TrustedInstaller and as SYSTEM user, but in HKLM\SECURITY\Policy\Secrets you can only have DPAPI_SYSTEM with subkeys of: CupdTime, CurrVal, OldVal, OutputTime, SecDesc. No others. Also there's no L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x found in registry.

Still, the only tool to see LSA Secrets for Win 20H1 is SecurityQuestionsView from NirSoft.

But when talking about a Microsoft Account user, I have not found a tool that can read this user's LSA secrets.

Thanks.

Papotito123 commented 3 years ago

Hello: For the benefit of you and some other tools' devs, with whom I have some contact, I reinstalled Windows 10 2004H1.

Windows 10 2004H1 (OS Build 19041.685) fresh installation for local user account and Defender turned OFF.

I ran lazagne and all well. Except the LSA Secrets are still not retrieved.

Apart from SecurityQuestionsView v1.00 (NirSoft), I found that Passcape Reset Password (boot tool) and PCUnlocker (boot tool) can see my LSA Secrets.

Thanks again.

Papotito123 commented 3 years ago

Hello: I have been in touch with a guy named Erwan, dev of NTHASH-FPC, and after my insistence with many posts with my testings, he realized and found what I've been saying.

In Windows 2004, the LSA secrets Q&A are not in the HKLM\SECURITY\Policy\Secrets registry. Also there are no subkeys in the form of L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x because the format changed.

This guy has an interesting tool.

Thanks for your effort.

AlessandroZ commented 3 years ago

Hi @Papotito123,

Sorry for not taking the time to answer you. Thanks for your feedback. I don't have a lot of time to fix it, but I'll leave the issue open if someone wants to take a look.

Thanks again for all your contributions.

Papotito123 commented 3 years ago

Hello: Thanks so much.

AlessandroZ commented 4 months ago

I'm closing this old issue, but it could be opened again if it's still a big problem.