Re: Retrieve info in Protected Storage of other users

[Nicolas RUFF <nicolas.ruff () gmail com>]

lpf () exemail com au wrote:
> So far, I can only find tools to retrieve info in WinXP's Protected
> Storage for the "current" user (e.g. pspr from elcomsoft, or C&A).
>
> However, there is no tools to retrieve other users' Protected Storage info
> - assuming that I can login as local administrator.
>
> Is Protected Storage really that "save", and can prevent other users
> (including admin users) on the same system from snooping in my secret
> stored in the Protected Storage ?

The protected storage is encrypted with the user logon password.

Even an administrator cannot gain access to another user's protected
storage. However, he can gain access to the user password through other
means (ex. pwdump + john).

If an administrator try to reset a user password on Windows XP, he gets
a message saying that all user secrets stored in protected storage will
be lost.

More info on :
http://msdn.microsoft.com/library/en-us/dnsecure/html/windataprotection-dpapi.asp

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/