How to prevent data stored using LsaStorePrivateData to be easily read from anyone from remote machine using LsaRetrievePrivateData?

Question

How to prevent data stored using LsaStorePrivateData to be easily read from anyone from remote machine using LsaRetrievePrivateData?

2k Views Asked by Artur At 04 April 2025 at 12:14

I store some data on computer A with LsaStorePrivateData. The problem is that it is easily readable using LsaRetrievePrivateData api func from any other PC on the same local network. How can I prevent this? Stopping 'remote registry' service does not help. Any other trick to prevent remote access to data stored with LsaStorePrivateData?

Regards, Artur

Original Q&A

There are 1 best solutions below

**Harry Johnston** · Answer 1

There is no need to do anything, unless:

the operating system on the target machine is badly corrupted, in which case a reinstallation is probably the only safe approach.
you have stored the data using a guest account, or some other account which untrusted users have access to, in which case the answer is to not do that. :-)

The documentation for LsaStorePrivateData says:

The data stored by the LsaStorePrivateData function is not absolutey protected. However, the data is encrypted before being stored, and the key has a DACL that allows only the creator and administrators to read the data.

This test code may be useful for anyone interested in the subject, or wanting to double-check that their machine is secure in this respect. My own tests using this code confirmed the documented behaviour.

#include <Windows.h>
#include <Ntsecapi.h>

#include <stdio.h>

wchar_t keyname_string[] = L"harrytest";

LSA_UNICODE_STRING keyname;

LSA_OBJECT_ATTRIBUTES lsa_object_attributes;

int set(void)
{
    LSA_HANDLE ph;
    LSA_UNICODE_STRING secretdata;
    wchar_t secretdata_buffer[2];

    DWORD status;

    status = LsaOpenPolicy(NULL, &lsa_object_attributes, POLICY_ALL_ACCESS, &ph);
    if (status != 0)
    {
        printf("LsaOpenPolicy: %X\n", status);
        return status;
    }

    secretdata.Length = 2;
    secretdata.MaximumLength = sizeof(secretdata_buffer);
    secretdata.Buffer = secretdata_buffer;
    secretdata_buffer[0] = L'x';
    secretdata_buffer[1] = L'\0';

    status = LsaStorePrivateData(ph, &keyname, &secretdata);
    if (status != 0)
    {
        printf("LsaStorePrivateData: %X\n", status);
        return status;
    }

    printf("Success!\n");
    return 0;
}

int get(wchar_t * target_string)
{
    LSA_HANDLE ph;
    LSA_UNICODE_STRING * secretdata;
    LSA_UNICODE_STRING target;

    DWORD status;

    if (target_string != NULL)
    {
        target.Length = wcslen(target_string) * 2;
        target.MaximumLength = target.Length + 2;
        target.Buffer = target_string;
    }

    status = LsaOpenPolicy(target_string ? &target : NULL, &lsa_object_attributes, MAXIMUM_ALLOWED, &ph);
    if (status != 0)
    {
        printf("LsaOpenPolicy: %X\n", status);
        return status;
    }

    status = LsaRetrievePrivateData(ph, &keyname, &secretdata);
    if (status != 0)
    {
        printf("LsaRetrievePrivateData: %X\n", status);
        return status;
    }

    if (secretdata == NULL)
    {
        printf("NULL pointer retrieved\n");
        return 1;
    }

    printf("%u bytes retrieved\n", secretdata->Length);
    return 0;
}

int delete_data(void)
{
    LSA_HANDLE ph;

    DWORD status;

    status = LsaOpenPolicy(NULL, &lsa_object_attributes, POLICY_ALL_ACCESS, &ph);
    if (status != 0)
    {
        printf("LsaOpenPolicy: %X\n", status);
        return status;
    }

    status = LsaStorePrivateData(ph, &keyname, NULL);
    if (status != 0)
    {
        printf("LsaStorePrivateData: %X\n", status);
        return status;
    }

    printf("Success!\n");
    return 0;
}

int wmain(int argc, wchar_t ** argv)
{
    keyname.Length = wcslen(keyname_string) * 2;
    keyname.MaximumLength = keyname.Length + 2;
    keyname.Buffer = keyname_string;

    lsa_object_attributes.Length = sizeof(lsa_object_attributes);
    lsa_object_attributes.RootDirectory = NULL;
    lsa_object_attributes.ObjectName = NULL;
    lsa_object_attributes.Attributes = 0;
    lsa_object_attributes.SecurityDescriptor = NULL;
    lsa_object_attributes.SecurityQualityOfService = NULL;

    if (argc > 1)
    {
        if (_wcsicmp(argv[1], L"set") == 0)
        {
            return set();
        }
        if (_wcsicmp(argv[1], L"delete") == 0)
        {
            return delete_data();
        }
        else if (_wcsicmp(argv[1], L"get") == 0)
        {
            if (argc == 2)
            {
                return get(NULL);
            }
            else if (argc == 3)
            {
                return get(argv[2]);
            }
        }
    }
    printf("Syntax:\n"
         "testprivatedata set\n"
         "testprivatedata get\n"
         "testprivatedata get \\\\target\n"
         "testprivatedata delete\n");
    return 1;
}

How to prevent data stored using LsaStorePrivateData to be easily read from anyone from remote machine using LsaRetrievePrivateData?

There are 1 best solutions below

Related Questions in WINDOWS

Related Questions in SECURITY

Related Questions in REGISTRYKEY

Trending Questions

Popular # Hahtags

Popular Questions