Like most browsers, Internet Explorer also has the single sign-on
feature which stores the username/password for already authenticated
websites. Whenever user login to any website, IE prompts the user
for consent to store the password for future use. If user
acknowledges then username/password along with website link will be
stored in IE secret store. So the next time onwards whenever user
visits the same website, IE automatically populates the
username/password field from its store thus preventing user from
entering credentials every time.
Internals of IE Password Manager
Internet Explorer stores two type of
passwords, Autocomplete and HTTP basic authentication based
passwords. Autocomplete passwords are normal website login passwords
such as email, forum websites. HTTP basic authentication password is
the one which is required to login to website itself. As soon as
user tries to access the website, IE prompts with login dialog box
asking for username/password. Generally proxy servers and
router/modem configuration websites uses these kind of
authentication mechanism. Here is the screenshot of login dialog box
shown by IE while accessing the router webpage.
Password Store Location for IE version 4 to 6.0
Internet Explorer below version 7 stores both Autocomplete and HTTP
basic authentication passwords in the secure location known as
'Protected Storage'. Windows has introduced 'Protected Storage' to allow
applications such as IE, Outlook to store the secrets securely in an
encrypted format. Below is the registry location corresponding to the
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
The actual contents of this registry location are encrypted ant not
visible in Regedit tool. However you can use IceSword's registry editor
to view the actual encrypted contents as shown in the below screenshot.
Password Store Location for IE version 7 or more
With version 7 onwards IE has changed the location of password store
to provide better security mechanism compared to existing 'Protected
Storage'. Now IE stores all the Autocomplete passwords in below
mentioned registry location in an encrypted format.
Here is the screenshot of typical entries stored at this location
Here each entry corresponds to a hash of the website for which
username/password has been stored. So one must know the website login
link in order to recover the password.
The HTTP basic authentication passwords are stored in the 'Credentials
store'. The 'Credentials Store' is newly introduced secret store
mechanism by Windows and it is generally used to store the network login
passwords. Its location is given below.
[Windows XP] C:\Documents and
Recovering Passwords from IE Secret Store
Based on IE version, different
method need to be used to retrieve the stored passwords. For IE
version 4 to 6.0, its enough to decrypt the passwords from
'Protected Storage' which contains both Autocomplete and HTTP
For IE version 7 and above we have to decrypt the http
authentication passwords from 'Credentials Store' and Autocomplete
passwords from IE registry storage location.
The remaining section of this article explains all these methods in
detail along with sample code.
Decrypting Passwords from Protected Storage
Protected Storage is also used by other applications such as
Outlook, MSN messenger to store the passwords. So we need to separate
out these passwords from the Autocomplete and HTTP basic authentication
passwords stored by IE.
Windows provides API functions to retrieve the passwords stored in the
'Protected Storage'. All these API functions are exported from
pstorec.dll which is installed as part of Windows system. One can use
PStoreCreateInstance function to get the pointer to protected storage
and then use the enumeration functions to list all the secrets in plain
text. The code sample below illustrate this method using the 'Protected
Storage' API functions.
Decrypting HTTP Basic Authentication Passwords from Credentials
IE since version 7 onwards uses
'Credentials Store' to store the HTTP basic authentication passwords. The same store is also used to
store the network login passwords as well. However its easy to
distinguish between the two as the passwords stored by IE begins with
the identifier text 'Microsoft_WinInet' and they are of type 1.
The passwords are encrypted using the Windows Cryptography functions
after salting them with the text generated from the GUID
'abe2869f-9b47-4cd9-a358-c22904dba7f7'. The decrypted text contains the
username & password pair separated by semicolon.
Windows provides the Credential Management functions to add/remove the
secrets from 'Credentials Store'. We can use the function called
enumerate through these secrets and then decrypt them using
CryptUnprotectData function as shown in the below code example.
Credits : Thanks to SapporoWorks for original
work [Reference 2]
IE 7 onwards uses tricky method to store the Autocomplete passwords as
explained earlier. Instead of storing the website directly, the hash of the
website link is stored in the registry with encrypted username/password
information. This way user can always get the username/password
automatically whenever he/she visits the corresponding website in IE. But the
password stealing is circumvented to certain extent as the cracker now
need to know the website login link to get the password.
However one can use the website links stored in the IE history to try
for the match similar to the brute force approach used in traditional
password recovery method. This is very effective solution as all the visited websites will be stored in IE history
the user has explicitly deleted it.
The code sample below shows how to calculate the hash of the website
link and then decrypting the secrets using Windows cryptography
functions. This is the modified and extended version of original article
published by SapporoWorks.
Credits : Thanks to SapporoWorks for original
work [Reference 2]
// Calculate the hash for the Website URL
void GetURLHashString(wchar_t *wstrURL, char *strHash, int dwSize)
HCRYPTPROV hProv = NULL;
HCRYPTHCRYPTHASH hHash = NULL;
if( CryptHashData(hHash,(unsigned char *)wstrURL, (wcslen(wstrURL)+1)*2,
// retrieve 20 bytes of hash value
//Get the hash value now...
if( CryptGetHashParam(hHash, HP_HASHVAL, Buffer, &dwHashLen,0) )
//Convert the 20 byte hash value to hexadecimal string format...
unsigned char tail=0; // used to calculate value for the last 2 bytes
// add the last 2 bytes
sprintf_s(TmpBuf, 1024, "%s%2.2X",strHash,tail);
strcpy_s(strHash, dwSize, TmpBuf);
// IE Autocomplete Secret Data structures decoded by Nagareshwar
//Main Decrypted Autocomplete Header data
DWORD dwSize; //This header size
DWORD dwSecretInfoSize; //= sizeof(IESecretInfoHeader) + numSecrets * sizeof(SecretEntry);
DWORD dwSecretSize; //Size of the actual secret strings such as username
IESecretInfoHeader IESecretHeader; //info about secrets such as
count, size etc
//SecretEntry secEntries[numSecrets]; //Header for each Secret String
//WCHAR secrets[numSecrets]; //Actual Secret String in
//One Secret Info header specifying number of secret strings
DWORD dwIdHeader; // value - 57 49 43 4B
DWORD dwSize; // size of this header....24 bytes
DWORD dwTotalSecrets; // divide this by 2 to get actual
DWORD id4; //
value - 01 00 00 00
// Header describing each of the secrets such ass username/password.
// Two secret entries having same SecretId are paired
DWORD dwOffset; //Offset of this secret entry from the start of secret
BYTE SecretId; //UNIQUE id associated with the secret
DWORD dwLength; //length of this secret
// For each website URL from IE history, this function checks for match
with stored hash
// and then decrypts the secrets...
void DecryptIEAutocompletePassword(wchar_t *wstrURL)
char strIEStorageKey= "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2";
DWORD DWORD dwSize = 1024;
//Get the hash for the passed URL
GetURLHashString(wstrURL, strUrlHash, 1024);
//Check if this hash matches with stored hash in registry
if( DoesURLMatchWithHash(strUrlHash) == FALSE )
//Now retrieve the encrypted credentials for this registry hash
if(ERROR_SUCCESS != RegOpenKeyEx(HKEY_CURRENT_USER, strIEStorageKey, 0,
//Retrieve encrypted data for this website hash...
//Now get the value...
status = RegQueryValueEx(hKey, strUrlHash, 0, &dwType, Buffer, &BufferLength);
if( status != ERROR_SUCCESS || strlen((char*)Buffer) < 1 )
Here each website can have more than one username/password pairs. If
user has entered different secrets for same website or if same website
link is associated with multiple accounts like in case of Gmail, Orkut
etc then multiple secrets will be stored per website.
The final decrypted Autocomplete data will have
IEAutoCompleteSecretHeader structure followed by
SecretHeader's and clear text Secret strings as shown below...
SecretHeader_0 //Each SecretHeader is represented by SecretEntry
Secret_0 //Each Secret is null terminated unicode string
Before we proceed, we need to find out number of secrets within this
decrypted data. One simple way is to use dwTotalSecrets variable of
IESecretInfoHeader structure which is part of IEAutoCompleteSecretHeader.
Here dwTotalSecrets stands for total number of secrets stored for this
website. Here secret can represent either username or password. So dividing this number by two will give us
actual username/password pairs for the website.
Now, we go through each of the secrets, reading 2 secrets (username &
password) at a time. Each time SecretEntry header is
read to get the offset of associated unicode Secret string and then move
on to next
SecretEntry header until we have done with reading all the secrets.
Recovering IE Passwords using IEPasswordDecryptor
IEPasswordDecryptor is the
free tool to quickly and easily recover stored passwords from Internet Explorer. It
can recover both Autocomplete and HTTP basic authentication based
passwords from IE secret store. User can double click on any of the
entry to visit the website which makes it easy to verify sign-on
It also comes with distinctive feature which allows the user
to reset the IE content advisor password in case user has lost it.
also presents 'IE history manager' interface which not only displays the
contents of IE history in detail but also provides the option to
add/remove websites with ease. User can save the displayed password list
and IE history list to TEXT as well HTML file for offline verification &
IEPasswordDecryptor can recover passwords from all version of
Internet Explorer starting from version 4.0 to latest version 8.0. Also
it works on wide range of Windows platforms including Windows Vista &