In other words, a PWL file is a protected database. Each record has three fields:
Both the resource name and the resource password may be binary. Moreover, a program may interpret these fields however it wants, so a 'resource name' need not be a name and a 'resource password' need not be a password. There is a limit of 255 records per PWL file. All records, together with the user name and a checksum, are encrypted with the RC4 stream cipher. The encryption key is derived from the login password. Windows uses the PWL file to verify the login password, but the login password itself is not stored in the file: Windows decrypts the PWL file with the entered password and then verifies the checksum. If the checksum is correct, the entered password is assumed to be valid. So access to a PWL file requires both the login password and the user name. If the login password is unknown, a search is the only way to get at the file's contents. The user name must be known because it is involved in the checksum verification. Usually the PWL file name is the same as the user name, but this is not required. A PWL file name never exceeds 8 characters. Windows never overwrites PWL files. By default PWL files are located in the Windows directory. Because Windows never overwrites PWL files, the resulting file name may be mangled: for example, if robert.pwl already exists, the new PWL file for user Robert will be named rober000.pwl, the next one rober001.pwl, and so on.
Both the user name and the login password are case sensitive as far as the PWL file is concerned; however, high-level Windows functions convert them to uppercase. There is one exception: the dial-up networking server uses the rna.pwl file to store connection passwords, and its user name is *Rna (case sensitive).
Each PWL file must be registered with the system in the [Password Lists] section of the system.ini file. Each line in this section has the form: USERNAME=FullPathToPwlFile
The following resource types are the most useful.
6 - this resource type is used by dial-up networking and the MS Crypto API. Dial-up networking uses PWL as follows: the resource name looks like *Rna\ConnectionName\Username and the resource password is the connection password.
19 - WWW resource (used by Internet Explorer). The resource name has the syntax DomainName/Page title, and the resource password contains the login name and password separated by a colon, for example John:abc.
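As an added illustration (not code from this page or from LastBit), the following Python models the scheme described above: the login password is never stored, a key derived from the user name and password RC4-decrypts the record area, and a checksum over the decrypted data (which includes the user name) is the only thing checked. The record layout, key derivation and checksum are assumptions, not the real PWL format; the sample records follow the type 6 and type 19 conventions just described.

```python
# Added, constructed model of the PWL verification scheme described above. Not the
# real on-disk format or LastBit's code: layout, key derivation and checksum are assumed.
import hashlib, struct, zlib
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(username: str, password: str) -> bytes:
    # Assumed derivation; it is case sensitive, as the text says the file is.
    return hashlib.md5((username + "\0" + password).encode("latin-1")).digest()

def make_pwl(username: str, password: str, records) -> bytes:
    """records: up to 255 (resource_type, name, password) tuples of bytes."""
    if len(records) > 255:
        raise ValueError("at most 255 records per PWL file")
    body = b"".join(struct.pack("<BH", t, len(n)) + n +
                    struct.pack("<H", len(p)) + p for t, n, p in records)
    # The checksum covers the user name, so verification needs the name too.
    chk = zlib.crc32(username.encode("latin-1") + body)
    return rc4(derive_key(username, password), struct.pack("<I", chk) + body)

def open_pwl(blob: bytes, username: str, password: str):
    """Return the record list, or None if the user name or password is wrong."""
    plain = rc4(derive_key(username, password), blob)
    chk, body = struct.unpack("<I", plain[:4])[0], plain[4:]
    if zlib.crc32(username.encode("latin-1") + body) != chk:
        return None  # checksum mismatch: nothing else is ever checked
    recs, off = [], 0
    while off < len(body):
        t, ln = struct.unpack_from("<BH", body, off)
        name = body[off + 3:off + 3 + ln]
        lp = struct.unpack_from("<H", body, off + 3 + ln)[0]
        off += 5 + ln
        recs.append((t, name, body[off:off + lp]))
        off += lp
    return recs
# Constructed sample with a dial-up (type 6) and a WWW (type 19) record; values made up.
SAMPLE_RECORDS = [(6, b"*Rna\\Office\\john", b"s3cret"),
                  (19, b"example.com/Login page", b"John:abc")]
SAMPLE_PWL = make_pwl("JOHN", "letmein", SAMPLE_RECORDS)
```

Because the check is a single cheap decrypt-and-compare, a copied file lets every candidate login password be tested offline, which is why saved entries are only as strong as the login password that protects them.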
You can use the pwlview program to examine the current user's PWL file contents.
The original Windows 95 version contained a gross error that made it easy to extract cached passwords (in fact this is possible for most, but not all, PWL files). A well-known program called glide does this; however, the original glide.exe uses an imperfect algorithm, so it often fails. In the OSR2 version this error was corrected, although security problems persist (as you can see). Windows 98 does not seem to differ from OSR2 in terms of security, but Windows NT is built quite differently (see the separate page on NT recovery). As for Windows 3.11, its PWL files are the same as those of the original Windows 95.
Keep in mind that a saved password can be extracted by a malefactor, so passwords should only be saved if no unauthorized person can access your computer. It should be mentioned that a PWL file is encrypted and it is not easy to extract passwords from it. The encryption algorithm of the first Windows 95 version was quite poor, which allowed a program for decrypting PWL files to be created. In the OSR2 version, however, this drawback has been fixed and it is now much harder to decrypt a PWL file.
Despite the information on this site, the password storage system in OSR2 is generally implemented quite professionally and is reliable from a cryptographer's point of view. Still, it contains several quite serious drawbacks, namely:
Yet, given access to the computer, it is no problem to acquire all the passwords that have been saved on it. This can be done with a small program. The first version of PWLView was released in a hurry without any documentation (I thought it was self-explanatory). As a result I was flooded with hundreds of questions about it. PWLView has been distributed quite widely and is available on different sites under different names. The first version of PWLView just shows cached passwords on the local machine for the current user (who must be logged in), using a standard but undocumented Windows API, and nothing more. Now a second version is available. PWLView v2.0 has been completely rewritten by Eugene Korolev. Its key new feature is the ability to show the current user's name and login password (provided, of course, that it was entered at Windows logon). It is now shareware. The free demo version shows only the first two characters of the login password (and all cached passwords); in other words, the free demo version of PWLView v2.0 provides the same functionality as the free first version. The registered version has no restrictions and shows the full login password. If the login password is unknown or the PWL file has been copied from another computer, you need PWL Tool instead. Please note that PWLView is a console Win32 application and looks like a DOS program (as do all other console applications). As a result it is really small and does not require huge external DLLs.
PWL Tool is a much more powerful version of PWLView. It is able to obtain information from PWL files when the logon password is lost. PWL Tool uses a brute-force attack (the fastest), dictionary search or smart-force technology to recover a password.
MakePWL is an extremely useful tool for administrators who need to pre-configure multiple computers. You specify the password information and MakePWL creates a PWL file that can simply be copied to other computers.
Q: Are PWL files safe?
Q: How to force Windows not to ask for the login password at startup
Q: Tell me more about passwords
Copyright (C) 1997 - 2012 LastBit Corp. All rights reserved.