Re: Windows XP logon
- From: "VanguardLH" <V@xxxxxxxxx>
- Date: Wed, 12 Mar 2008 16:17:41 -0500
"smlunatick" wrote in message news:fc8d14fc-1fa7-4b92-b002-4e75b8a4b233@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"VanguardLH" wrote:
"slhaynes" wrote ...
I want to bypass my initial logon screen where I have to click on
my username to start Windows. I am the only user of this PC and
it is at my home. When I turn on the PC, I want it to boot
directly to Windows XP without having to click my name. How do
I make this happen?
Get the TweakUI powertoy from Microsoft. One of the settings is for
auto-login.
The Auto-login "tweak" is not secure! It stores the password as plain
ASCII text.
--- REPLY SEPARATOR ---
Only required because above poster used QUOTED-PRINTABLE format.
When posting to newsgroups, do NOT use quoted-printable format.
* Not all NNTP clients handle quoted-printable format.
  - Some users still use console-mode (non-GUI) NNTP clients.
  - The long lines may not wrap properly.
  - Scrolling is needed if the long line does not get wrapped.
  - The long line may get truncated at the window's width.
  - Quoted-printable format uses special character sequences for
    logical formatting. View the raw source of your post. Text-only
    clients may show that encoding when viewing your post.
* Quoting levels get mangled, especially for multiple replies.
* In replies, there is no clear delineation of content.
  - Cannot tell what content is from the original poster and
    what is from the respondent.
  - Makes it impossible to determine who said what when a reply
    inserts comments inline with the quoted content.
---[end of comments]---
And what is your point? If the user is using ANY auto-login procedure which automatically bypasses the login credentials then anyone can boot that computer to get into that account. So just how is using an auto-login process that stores the password in plain-text any less secure than using the auto-login process in the first place? Duh! Using auto-login obviates security. ANYONE can get into that Windows account, and if it is an admin-level account then ANYONE also has admin privileges on that host.
So just where in the registry do you think TweakUI stores the recorded password in plain-text? You are proliferating outdated information. If you had even looked at TweakUI's description of its auto-logon feature, it says the password is encrypted. When TweakUI's auto-logon feature is enabled:
- The following registry key is created or modified:
    key = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    data name = AutoAdminLogon
    data value = 1
If the data item is missing (not defined) or 0, auto-logon is not enabled. TweakUI will create the data item with a value of 1 (when you enable auto-logon) or delete this data item (when you disable auto-logon).
- If you follow the instructions at http://support.microsoft.com/kb/315231/en-us, yes, you are saving the password as a plain-text value in the DefaultPassword data item. TweakUI does NOT create this data item anymore. It does NOT save your login password as a plain-text value in the registry. Test this for yourself. Enable auto-logon in TweakUI, enter your login username, click the Password button and enter it, and click Apply. Now go searching through your registry for a string that matches on your password. You won't find it.
I am using TweakUI 2.10.0.0 for Windows XP (SP1 and up). Maybe you are using an older version of TweakUI that followed the KB article which would result in saving your password in plain-text in a data item in the registry. The latest version of TweakUI uses the Microsoft Cryptographic Application Programming Interface (CryptoAPI) to store the password in an encrypted part of the registry or in a disk file depending on which NT-based version of Windows you are using.

You can see the list of CSPs (Cryptography Service Providers) by looking under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider. The default CSP for the current logged on user is found listed under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001. Under Windows NT, CSPs store their key containers in two locations of the system registry: HKCU\Software\Microsoft\Cryptography\UserKeys and HKLM\Software\Microsoft\Cryptography\MachineKeys. The first is usually used by a stand-alone application and the second by a process running on behalf of a non-interactive user, such as an IIS/ASP application. However, in Windows 2000, Microsoft moved from storing the encrypted data in the system registry to storing it in the file system under "%userprofile%\Application Data\Microsoft\Crypto\RSA\<userSID>" and "\Documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys".

By entering your logon username, you specify which profile under which to retrieve the encrypted data that is your logon password. So whether the password is encrypted or not depends on whether you use an old or new version of TweakUI. Make sure you use a later (or latest) version of TweakUI that encrypts the password rather than save it as plain-text in the registry.
But so what if the password were not encrypted? If you are automatically bypassing the logon, you have bypassed security. No one needs the plain-text version of your password. They don't need it. You opened your computer so ANYONE can automatically log into your account when they reboot the host. You unlocked the door and then left it open for the flies and vermin to come in and infest your home.
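The registry check the post describes, as an added example that is not part of the original post: a small audit over the text of a .reg export that reports whether AutoAdminLogon is enabled and whether a DefaultPassword value exists, without ever returning the password. It assumes the export has already been decoded to text; the sample exports and the function names are constructed for illustration.

```python
import re

# Winlogon key named in the post; key and value names are matched case-insensitively.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
        elif raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        else:
            current[name] = raw  # hex(...) and other types are kept as raw text
    return keys

def audit_autologon(text):
    """Report the auto-logon state; the password value itself is never returned."""
    values = parse_reg(text).get(WINLOGON.lower(), {})
    # Per the post: a missing or 0 AutoAdminLogon means auto-logon is not enabled.
    enabled = str(values.get("autoadminlogon", "0")).strip() == "1"
    plaintext = bool(values.get("defaultpassword"))
    findings = []
    if enabled:
        findings.append("auto-logon enabled: anyone who can boot the host gets this account")
    if plaintext:
        findings.append("DefaultPassword present: logon password readable in the registry")
    return {"enabled": enabled, "plaintext_password": plaintext, "findings": findings}

# Constructed sample exports (not taken from a real machine).
HEADER = "Windows Registry Editor Version 5.00\n\n[" + WINLOGON + "]\n"
KB_STYLE = HEADER + '"AutoAdminLogon"="1"\n"DefaultPassword"="constructed-example"\n'
NO_PLAINTEXT = HEADER + '"AutoAdminLogon"="1"\n"Shell"="Explorer.exe"\n'
LEFTOVER = HEADER + '"AutoAdminLogon"="0"\n"DefaultPassword"="constructed-example"\n'

if __name__ == "__main__":
    for label, sample in [("KB 315231 style", KB_STYLE), ("no DefaultPassword", NO_PLAINTEXT),
                          ("disabled, leftover password", LEFTOVER)]:
        print(label, audit_autologon(sample)["findings"])
```

The third sample covers a case the post does not walk through: a DefaultPassword value left behind after auto-logon was switched off is still reported.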