Exposing the Secrets of
Windows Credential Provider
Give me your password
Common Methods to Steal Passwords
• Reading registry hives - LM and NT password hashes for local accounts are stored in the Security Accounts Manager (SAM)
• Injecting into LSASS - inject code into the existing LSASS process, so the code is able to call the necessary functions to read memory
• Reading LSASS's memory - recovering credentials from a memory dump file is supported in mimikatz
• Decoding NTDS.DIT - LM and NT hashes for Active Directory domain accounts are stored in the Active Directory database file, NTDS.DIT
• Interactive Logon
  • Local Logon: A local logon requires that the user have a user account in the SAM on the local computer.
  • Domain Logon: A domain logon requires that the user have a user account in the domain's Active Directory.
• Network Logon
Windows Interactive Logon Components
• Winlogon - Provides interactive logon infrastructure.
• Logon UI - Provides interactive UI rendering.
• Credential providers (password and smart card) - Describes credential information and serializing
• LSA - Processes logon credentials.
• Authentication packages - Includes NTLM and Kerberos. Communicates with server authentication packages to
Windows Credential Providers
LogonUI enumerates all of the credential providers registered under -
The provider DLL should implement the following 2 COM interfaces –
Disable Credential Provider
• Method 1: Using Group Policy.
  • Open the local Group Policy editor, navigate to Computer Configuration -> Administrative Templates -> System -> Logon, and then find the policy Exclude credential providers on the right side.
  • Right-click Exclude credential providers, click Edit, click Enabled and enter the comma-separated CLSIDs of the credential providers to exclude during authentication.
  • Click OK to save the changes.
• Method 2: Using Registry.
  • Open Registry Editor, then navigate to the registry
  • Right-click the CLSID key of the provider, select New -> DWORD (32-bit) Value, enter Disabled as the value name, then set the value data to 1.
  • The provider will be disabled in the next session, which is created during log off, switch user, or
• Sysinternals - Autoruns
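An added PowerShell example (not from the original slides) that does what an administrator would otherwise do by hand in Autoruns and in Method 2 above: list every registered credential provider, resolve the DLL that LogonUI will load for its CLSID, check the DLL's Authenticode signature, report whether the Disabled value is already set, and offer a helper that sets Disabled=1 for a chosen CLSID. It assumes the standard registration key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers, which the slide leaves out, and must run in an elevated session to write to it.

```powershell
# Added example, not from the original slides. Assumes the standard registration
# key for credential providers (the slide omits the path) and the per-CLSID
# Disabled DWORD described under Method 2.
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProviderAudit {
    # One row per registered provider: which DLL LogonUI would load, whether it
    # carries a valid Authenticode signature, and whether Disabled=1 is set.
    Get-ChildItem -Path $ProviderKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $name     = $_.GetValue('')          # friendly name, if one is registered
        $disabled = $_.GetValue('Disabled')  # $null when the value is absent
        $comKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll      = $null
        if (Test-Path $comKey) {
            $dll = [Environment]::ExpandEnvironmentVariables((Get-Item $comKey).GetValue(''))
        }
        $status = 'DllMissing'
        $signer = $null
        if ($dll -and (Test-Path $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()
            $signer = $sig.SignerCertificate.Subject
        }
        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            SigStatus = $status
            Signer    = $signer
            Disabled  = ($disabled -eq 1)
            # A provider not signed by Microsoft deserves a closer look: every
            # provider sees the credentials the user types into LogonUI.
            Review    = ($status -ne 'Valid' -or $signer -notmatch 'Microsoft')
        }
    }
}

function Disable-CredentialProvider {
    # Registry equivalent of Method 2; takes effect at the next logon session.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $ProviderKey $Clsid
    if (-not (Test-Path $key)) { throw "No credential provider registered under $Clsid" }
    New-ItemProperty -Path $key -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-CredentialProviderAudit | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows with Review set to True are the ones to compare against the Autoruns "Logon" tab and the Exclude credential providers policy before deciding whether to disable them.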