The only thing you have to worry about, then, is someone bypassing the automatic lock when the computer boots up through some sort of hack.

I will not deny that this is a possibility. However, I *did* try, and wasn’t able to replicate the technique that you mentioned.

So in conclusion, people, if you work in a high-risk environment and your co-workers are all highly knowledgable computer administrators and/or hackers, I recommend that you don’t use this time saving auto-login trick.

However, for the average computer user in a low to medium security environment, I think you will still find this auto-login and lock trick to be useful.

Sorry about the previous post. I followed up and verified what you mentioned above regarding Tweakui storing the password in a “more” secure method. It’s funny that you mention regmon, because that is the tool I used to check out what the new version of tweakui is doing.

However, my recommendation still stands that this is an insecure method for domain logons based on what I found out about Tweakui’s new method.

Tweakui calls the local windows security service and the local windows security service stores the password in an area of the registry that is not normal accessible, even from the admin account. Being curious, I elevated a cmd.exe window to system status, and ran regedit as the system account.

The security service stores a hash at the following location: [HKEY_LOCAL_MACHINE \ SECURITY \ Policy \ Secrets \ DefaultPassword \ CurrVal]

I’ve only played around with it for a little bit, but it looks like the method Microsoft is using to store the password is reversable. That is, everytime Tweakui is used to modify this value, it produces the same result. It doesn’t look like it changes on use.

So, based on this, and the easy way to bypass the lock feature with task manager (I re-tested that), this quick way to logon does not seem secure.

Once again, I am sorry for referring to the old way TweakUI worked in the earlier posts.

Respectfully,
Chad Woznick
http://www.nearlyclever.com

Thank you for your security concerns.

However, one thing you may not be aware of is the fact that the insecure “auto-login” method on Technet is actually unrelated to the method used by TweakUI and my article.

The latest version of TweakUI for Windows XP does *not* store your password in the registry in plaintext.

I encourage you to download Regmon from sysinternals. It is a free utility that will let you monitor your windows registry as programs manipulate it. Turn on TweakUI and go to the auto-login feature. Open up the “Set Password” box, type in a password, and save it with the registry monitor recording everything. You won’t find a clear-text password anywhere.

Rather than debate this, I’ll refer you to a Microsoft Technet article that comments on this feature and then show where in the registry that this setting is stored in plaintext.

http://support.microsoft.com/default.aspx?scid=kb;en-us;234562

Location of plaintext password:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword

What is even worse is that the system restore feature of windows makes copies of the registry hives on a regular basis. So adding it all up, if you now decide to turn off this option, your password is still in plain text on the hard drive.

Sincerly,
Chad Woznick
http://www.nearlyclever.com

First of all an answer:
Q :”Is this registry Tweak possible for Win 2000?”

A efinitely YES. I use Win2K and I use this command in a batch file.Running it from the registry is the same.
———–

And to back-up Thomas:
Misunderstanding :“Your password will be in cleartex stored in the registry”

My opinion : Not the case.Win2K and WinXP have the autologon feature.If you go to Control Panel under Users there is an option to enable it.If you enable it,it asks for the name and password of the user you want to autologon.
TweakUI just enables this option and passes the name and password to Windows.Windows then encrypts the password.
So your password encryption is just as strong as Windows’ is.
I don’t consider this a “horrible security risk”.
Don’t take my word for it!Try a search in the registry with your password, try a file search for files containing your password…You shouldn’t find a thing.I didn’t.

Keep up the good work!
ZaC

Joey (aka “BigMamma”, aka “LiquidG”, aka “unknown soldier”)

Dream mode off.

Un-informed Statement #1: “Tweak UI saves your login in clear text. This is a horrible security risk!”

Reply: Uh. Have you actually done any research on this claim or are you going off of paranoid rumors? Try opening up Tweak UI and go to the autologon section. There is is, plain as day, “The password is stored in encrypted form”.

Un-informed Statement #2: “This is so insecure! All anyone has to do is hold down their Shift key while they’re logging in and it will bypass the automatic lock.”

Reply: Once again. Has anyone actually tried this? Sure, the Shift key, when held, will skip automatic start-up processes. But here’s the beauty of it… If you hold down the Shift key, it doesn’t process your automatic login. So you’re still stuck behind a password box. Verdict: still safe!

Un-informed Statement #3: “While your desktop is loading before the computer locks itself back up, users can click around and get around your security.”

Reply: This may be the case on some computers out there, but my experience with Windows is that while it’s loading the desktop, everything is pretty much completely un-responsive. I try to click the start menu and nothing even happens until everything is loaded and cached up into memory. And the second the computer is loaded and finally becomes responsive… it’s instantly locked. Foiled, once again. Now, this is just my experience that I’ve had with the 10 or so computers that I’ve used this technique with, so I could be wrong. If your computer is responsive while loading your desktop and you are able to click around for a minute or so before it locks, then yeah. Maybe you shouldn’t use this tweak.

Un-informed Statement #4: “Man, this tweak is so stupid! It doesn’t make my computer go any faster! It still takes 5 minutes to load!”

Reply: This tweak isn’t supposed to make your computer boot “faster”, per se. All it does is change that point at which you have to log in. Instead of having the login point half-way during the boot process (requiring you to sit in front of the computer during the whole process), now it’s at the very end after everything is finally loaded. Some people (such as myself) will find this extremely useful. Other people, maybe not so much.

Let me give you an example of one of the ways why I find this tweak useful on my computer at home. My computer at home has a number of programs that run when it boots up. I run a total of 5 different servers on my computer… Apache, Microsoft IIS, my custom home security system, etc… These programs and servers run 24 hours a day. If my computer ever bogs down and crashes for some reason, it automatically reboots. When it re-boots, it automatically logs itself in and locks down.

Well, at least TweakUI says different:
“The password is stored in encrypted form”

Thx for the tip, saves a lotta time for me;)

Hogyan lehet úgy elindítani a Windowst, hogy a belépés után már ne kelljen megvárni a saját programok indítását? Ez szerintem egy nagyon izgalmas kérdés. Tipikus…

Secondly, putting your password in clear text in the registry is a terrible idea. Is it the same password you use for your bank’s online system? Is it the same one you use for your e-mail? Did you disable the Remote Registry service on your computer before you did it? Do you know what the Remote Registry service is? If not, you shouldn’t be following these instructions.

Finally, as somone else pointed out, your machine will be logged in with your credentials for a few minutes with this method before it actually locks the machine. A few minutes is more than enough time for someone to do some damage.

Misinformation is significantly more dangerous than any virus, trojan or hacker on the ‘Net.

How about calling a DLL function that does a “Switch User” so that it doesn’t lock the workstation but just switches out to the Windows Welcome/Logon screen?

How does one discover these new values to add to the Registry? Since the value wasn’t there to begin with in the Registry and had to be added, it must be documented somewhere? Where?

I’ve used hibernation on at least 10 different computers and they always ended up glitching from it eventually.

Basically microsoft dumps an image of your RAM to the hard drive, and then shuts everything down. Then when you turn on your computer, it loads everything back into RAM.

The only problem with this is that sometimes calculations in programs are time-based. So when you restore your computer later on, sometimes things don’t synch up properly.

Or at least that’s my theory on the subject.

On some machines this period of time is very brief – on others it is lenghthy enough for an unauthorized person to do harm.

During this period of time the computer responds exactly as if you yourself had logged on. The keyboard, mouse, drive access, etc are all enabled.

For example – during the brief window the computer is unprotected a person walking by could create a new administrator account on your computer, edit the registry to remove the user32.dll autorun, install a keylogger, set Microsoft Office to automatically BCC every email you send out to another address, etc.

Waiting until your computer is fully locked before wandering off doesn’t help either as all a savvy user has to do is restart the machine in order to access the window of vulnerability.

In short, be wary of using this if anyone else has physical access to your computer.

I’m having trouble getting the reg file from the link you posted.

Thanks

Ronnie

Chris
http://amateureconblog.blogspot.com/