AutoLogon (registry / LSA Secret)
What it is
Windows can automatically log a user on at startup. The credentials may be stored in plaintext registry values or, when configured via Sysinternals AutoLogon, in LSA Secrets.
Where to find it
- Depending on configuration, it will be in the Registry or the SECURITY hive.
Registry (classic)
- Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Values: DefaultUserName, DefaultDomainName, AutoAdminLogon, DefaultPassword
Quick Checks
| Action | Command |
|---|---|
| List all Winlogon values | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" |
| Check if AutoLogon is enabled | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon |
| Show AutoLogon username | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName |
| Show AutoLogon domain | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName |
| Show AutoLogon password | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword |
SECURITY hive (Sysinternals AutoLogon)
- Stored as LSA Secrets in the SECURITY hive (HKLM\SECURITY\Policy\Secrets\*).
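
For auditing a host, the Quick Checks above can be combined into one report that records whether a DefaultPassword value exists without printing it. This is an added example, not part of the original page; the function name Get-AutoLogonExposure and the finding strings are hypothetical.

```powershell
# Added example: audit the classic Winlogon AutoLogon values.
# Reports whether a password is stored, never the password itself.
function Get-AutoLogonExposure {
    [CmdletBinding()]
    param(
        # Key from the page; overridable so the function can be pointed at a test key.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $names = 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword'
    $key   = Get-ItemProperty -Path $Path -ErrorAction Stop
    $found = @{}
    foreach ($n in $names) {
        # A value that does not exist is recorded as $null instead of raising an error.
        $prop = $key.PSObject.Properties[$n]
        $found[$n] = if ($prop) { [string]$prop.Value } else { $null }
    }

    $enabled   = $found['AutoAdminLogon'] -eq '1'
    $plaintext = -not [string]::IsNullOrEmpty($found['DefaultPassword'])

    # A stale DefaultPassword is flagged even when AutoAdminLogon is off.
    $finding = if ($plaintext) {
        'Plaintext DefaultPassword present: remove the value and rotate the account password'
    } elseif ($enabled) {
        'AutoLogon enabled without DefaultPassword: consistent with storage as an LSA Secret'
    } else {
        'AutoLogon not enabled and no password stored under Winlogon'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoLogonEnabled  = $enabled
        UserName          = $found['DefaultUserName']
        DomainName        = $found['DefaultDomainName']
        PlaintextPassword = $plaintext   # presence only
        Finding           = $finding
    }
}

Get-AutoLogonExposure | Format-List
```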