Updated: April 6, 2000

What is lsadump2?

This is an application to dump the contents of the LSA secrets on a machine. It uses the same technique as pwdump2 to bypass restrictions that Microsoft added to LsaRetrievePrivateData(), which cause the original lsadump, by Paul Ashton, to fail. You need the SeDebugPrivilege for it to work. By default, only Administrators have this right, so this program does not compromise NT security.

How do I use it?

First, of course, back your system up, and try it on a test machine. Take both the lsadump2.exe and dumplsa.dll files and place them together in a directory on your NT box's local file system. Then, just run

[c:\lsadump2] lsadump2

and all of the LSA secrets will be written to the console. To capture the output in a file, run, e.g. "lsadump2 > secrets.txt"

What's new?

This is an updated version of lsadump2 that is able to find the pid of lsass.exe automatically. It uses information from a book recently published by Gary Nebbett, Windows NT/2000 Native API Reference, an invaluable reference, documenting virtually every undocumented NT kernel call. Among other things, it demonstrates a method of determining pids without linking to more DLLs. lsadump2 now includes code which does this. If for some reason lsadump2 fails to determine the proper pid, it will complain and exit. You can still specify the pid on the command line, to work around this possibility. Determine the process id of lsass.exe. (You can do this with Task Manager.). Then, assuming the pid is, e.g. 43, run:

[c:\lsadump2] lsadump2 43

Warning

Note that the LSA secrets are usually very sensitive information, which could possibly be used to compromise other machines, so be careful what you do with them.

Download

Download lsadump2

MD5 (lsadump2.zip) = TBD

copyright © 2000 Todd Sabin