Autologin Question

I am reviewing a case where someone had configured their computer with an autologin feature.  I have reviewed the registry and the autologin is enabled and the default username is that individual's.  There is no default password key located in the registry.

I am wondering:
1.  How do I determine if that individual actually changed those key values?
2.  How does it login with no default password?  Is there another key that allows the login without a password?
3.  Are there other artifacts that I should be looking for?

Any help would be greatly appreciated.
dfollin2Asked:

johnb6767Commented:
If there is no password on the account, it's just like hitting enter to login......

Unless auditing was enabled beforehand, there is no way to tell who set the key/values.....

Other artifacts for what??
johnb6767Commented:
How to turn on automatic logon in Windows XP
http://support.microsoft.com/kb/315231

This is everything you need to know about the AutoLogon feature, and related reg entries.....
dfollin2Author Commented:
That's where I went before posting.

There is a password associated with the account as it was part of the company's domain AD.  As far as artifacts goes, I thought that was in my question:  "How do I determine if that individual actually changed those key values?"

I was thinking auditlogs (and if so what IDs may be helpful), but was also curious to know if there were any more artifacts out there that could be beneficial (again to the question I just asked).  Also, if there was no default password setup in the registry and this person did have one, how did it autologin?

Thanks.

FirstSentinelCommented:
If the login account referenced is a local computer account, then the local account may not have a password.

If auditing was enabled on the computer, then the Windows event logs would contain an artifact trail.
If not, then your audit trail goes cold.  You can check if it's enabled by following this:
Start | Run, type gpedit.msc and press Enter. Under Computer Configuration, look in Windows Settings | Security Settings | Local Policies | Audit Policy, and enable Audit object access on both Success and Failure.

Event IDs are: Open 4656, Access 4663, Close 4658, and 4657 for modified.

You may also check the registry @
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
for an AutoAdminLogon key set to 1.

With this key enabled, technically it's logging into the local admin account, not the domain user....
Which allows an override login as the LOCAL Admin.

It's often set with an AutoLogonCount key (how many times it will auto logon as admin).

The local admin account would have to have a password or the AutoAdminLogin reset to zero.

The local admin account could have a specialized character password like a hard space (holding ALT + 255 on the numeric keypad creates a non-breaking space).

There is no other key which allows for autologin, but a script or application may be used to modify the registry via a schedule, a computer command batch, or a wrapped application.  (I investigated one where an individual used an executable wrapper to wrap MS-Word.exe with a batch file, so when someone ran Word, it would run the batch file prior to executing Word.)


Hope this helps.

btanExec ConsultantCommented:
1.  How do I determine if that individual actually changed those key values?
> See this link @ http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
> Creation, change and deletion of user accounts in AD are tracked with event IDs 624, 642 and 630, respectively
> When a user changes his own password Windows Server 2003 logs event ID 627
> When an administrator resets some other user’s password such as in the case of forgotten password support calls, Windows Server 2003 logs event ID 628.

2.  How does it login with no default password?  Is there another key that allows the login without a password?
> User can only autologon with a password specified due to "Users must enter a user name and password to use this computer" in Control Panel
> If there is no default password for autologon, it would be disabled for the user. Note that if the DefaultPassword registry entry does not exist, Windows XP automatically changes the value of the AutoAdminLogon registry key from 1 (true) to 0 (false) to turn off the AutoAdminLogon feature after the computer is restarted. So even admin will need a password
> Unless there is a customised GINA that has a hardcoded password or is going to retrieve the password from another repository or smartcard.

3.  Are there other artifacts that I should be looking for?
> Besides the audit log, I thought being able to trace whether there is the common tools to set the autologon may help as well. Below are some common ones

a) TweakUI @
> auto-logon the Administrator account with its password

b) Autologon @ http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
> enables you to easily configure Windows’ built-in autologon mechanism

Also I see this tool, LSASecretsView, that may be of interest for extracting an existing password @ http://www.nirsoft.net/utils/lsa_secrets_view.html
> The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain your RAS/VPN passwords, Autologon password, and other system passwords/keys.

Of course the best means is still the audit trails to detect any anomalies in the system
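The checks the two answers above describe (reading the Winlogon values, confirming that Object Access auditing is on, and pulling registry-modification events from the Security log) can be scripted so the same evidence is collected the same way every time. The following PowerShell is an added example, not code from any of the posters or from Microsoft; it assumes it is run elevated on a live Vista-or-later system (event ID 4657 and the `auditpol` tool do not exist on XP), and the `-Path` variant in the usage note assumes you have a mounted image whose evtx path you substitute yourself.

```powershell
# Added example (not from the thread): collect the autologon state and the
# Security-log evidence of who changed it. Run elevated; see comments for
# which steps need SYSTEM rather than just Administrator.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$names    = 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName',
            'DefaultPassword', 'AutoLogonCount', 'ForceAutoLogon'

# 1. Read each Winlogon value. Absent values are reported explicitly, because a
#    missing DefaultPassword is itself a finding: with no DefaultPassword value and
#    no LSA secret, Winlogon flips AutoAdminLogon back to 0 at the next restart.
$state = foreach ($n in $names) {
    $v = (Get-ItemProperty -Path $winlogon -Name $n -ErrorAction SilentlyContinue).$n
    [pscustomobject]@{ Value = $n; Data = if ($null -eq $v) { '<absent>' } else { $v } }
}
"== Winlogon autologon values =="
$state | Format-Table -AutoSize | Out-String

# 2. The Sysinternals Autologon tool stores the password as the LSA secret
#    HKLM\SECURITY\Policy\Secrets\DefaultPassword instead of a plain registry value.
#    That hive is readable only as SYSTEM (e.g. psexec -s), so as Administrator this
#    reports 'not readable' rather than 'absent'.
$secretPath = 'HKLM:\SECURITY\Policy\Secrets\DefaultPassword'
try {
    $hasSecret = Test-Path -Path $secretPath -ErrorAction Stop
    "DefaultPassword LSA secret present: $hasSecret"
} catch {
    "DefaultPassword LSA secret: not readable in this context (needs SYSTEM)"
}

# 3. Is registry object-access auditing enabled? If not, step 4 will be empty and
#    the absence of events proves nothing about who set the keys.
"== Registry audit subcategory =="
auditpol /get /subcategory:"Registry"

# 4. Pull 4657 (registry value modified) events that touched the Winlogon key and
#    flatten the EventData fields into one row per change: who, when, old -> new,
#    and the process that wrote it (reg.exe, regedit.exe, Autologon.exe, a script...).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Winlogon' }

"== Security 4657 events against Winlogon =="
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ValueName = $d.ObjectValueName
        OldValue  = $d.OldValue
        NewValue  = $d.NewValue
        Process   = $d.ProcessName
    }
} | Format-Table -AutoSize | Out-String
```

For an offline image, replace the `Get-WinEvent -FilterHashtable` call with `Get-WinEvent -Path '<path-to-image>\Windows\System32\winevt\Logs\Security.evtx' -FilterXPath "*[System[EventID=4657]]"` and load the exported SOFTWARE hive under a temporary key name before pointing `$winlogon` at it. Step 4 is only meaningful if step 3 shows Success auditing on the Registry subcategory and a SACL on the Winlogon key existed at the time of the change; otherwise the empty result is a gap in the evidence, not evidence that nothing was changed.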
johnb6767Commented:
If Auditing was NOT enabled, you are not going to find out..... I honestly don't know why it logged on by itself. Sure it was logging onto a Domain account, instead of another local account?
dfollin2Author Commented:
Didn't completely solve what I needed, but provided enough to where I can stop my search.