Extracting LSA Secrets

We can only imagine the chatter on the hacker network on the day that NT was released and the hackers discovered a registry key named SECURITY\Policy\Secrets. Its name alone makes it an attractive target. We could hope that perhaps Microsoft placed it there by that name, filling it with irrelevant data just to create a diversion for the hackers of the world. Such was hardly the case, because its contents were just what the name suggested. What’s more, this same key and content exist today in the most current versions of Windows.

LSA stands for Local Security Authority. The security hive key is part of the registry, although you can’t access this key through regedit. The previously mentioned key (SECURITY\Policy\Secrets ...
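As an added example (not part of the book's text), the following PowerShell audits the access control list on the SECURITY hive so an investigator can confirm, on a given machine, the restriction the paragraph describes: by default only the SYSTEM account can read the key's values, which is why regedit run as an administrator cannot open it. It assumes an elevated session (Administrators hold READ_CONTROL on the hive, so the security descriptor itself can be read) and uses only standard PowerShell and .NET registry APIs.

```powershell
# Added example, not from the book: inspect who may read the SECURITY hive.
# Assumption: run from an elevated PowerShell session on a Windows host.

$hivePath = 'HKLM:\SECURITY'

# Administrators hold READ_CONTROL on HKLM\SECURITY by default, so the ACL
# can be read even though the key's values cannot.
$acl = Get-Acl -Path $hivePath
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Flag any principal other than SYSTEM that is allowed to query values.
$queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
$unexpected = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notmatch 'SYSTEM$' -and
    (([int]$_.RegistryRights) -band ([int]$queryValues)) -ne 0
}

if ($unexpected) {
    Write-Warning "Principals other than SYSTEM can read values under $hivePath:"
    $unexpected | Format-Table IdentityReference, RegistryRights -AutoSize
} else {
    Write-Output "Only SYSTEM holds QueryValues on $hivePath (expected default)."
}

# Demonstrate the effect: even elevated, opening the Secrets subkey is denied.
try {
    Get-ChildItem -Path "$hivePath\Policy\Secrets" -ErrorAction Stop | Out-Null
    Write-Warning 'Secrets subkey was readable; ACL has been loosened from the default.'
} catch [System.Security.SecurityException] {
    Write-Output 'Access to SECURITY\Policy\Secrets denied for this account (expected default).'
}
```

The first block lists the effective permissions; the second reports any deviation from the default, which is worth recording during an investigation because a loosened ACL on this hive is itself an artifact. The final step is a live confirmation that the key cannot be enumerated from an ordinary elevated shell.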
