Q: Stopping password request ( No Answer,   1 Comment )
Question  
Subject: Stopping password request
Category: Computers > Software
Asked by: vaac-ga
List Price: $2.00
Posted: 02 May 2004 13:38 PDT
Expires: 01 Jun 2004 13:38 PDT
Question ID: 339925
Without provocation I can recall my computer started asking for a
password which is blank and unneeded since I am the only one using the
computer. This is a nuisance I would like to eliminate and have my
computer go directly to windows. Does anybody know how this can be
done, or where in DOS is control over passwords located?

Request for Question Clarification by mathtalk-ga on 02 May 2004 14:15 PDT
Hi, vaac-ga:

What version of Windows are you using?

regards, mathtalk-ga

Clarification of Question by vaac-ga on 02 May 2004 20:33 PDT
I have a Pentium with Windows 95

Request for Question Clarification by molloch-ga on 03 May 2004 01:39 PDT
When does it ask you for the password? When you first turn on the
computer or when windows has finished loading?

Clarification of Question by vaac-ga on 03 May 2004 12:44 PDT
After loading windows but before displaying desktop with shortcuts
Answer  
There is no answer at this time.

Comments  
Subject: Re: Stopping password request
From: gunner0812-ga on 03 May 2004 05:05 PDT
 
Win95, eh? It's been a while but I believe you can use the Search
feature to look for *.pwl files (they should all be in your /Windows/
directory). If you see any that use your log in name as the file name
(ie joeshmoe.pwl) delete them (send em to your recycle bin, just in
case) and the request for log-in passwords will go away (but so will
all your other saved Windows passwords like your dial up account).
Reboot and if the initial log in screen appears either leave it blank
or enter a log in name but leave the PW block blank. Click OK (NOT
cancel) and the next time you boot up, it should go straight to your
desktop without the log in. See below for more on PWL files.

======================================
From <http://lastbit.com/vitas/pwl.asp>

"PWL file contains valuable information like dial-up and network
passwords. This is an universal storage for sensitive information. Any
program could use PWL files. However Microsoft does not provide
technical specification for PWL files and API description (as far as I
know), so usually only Microsoft programs use PWL files.

In other words PWL file is a secured database. Each record has three fields:

Resource type (0..255) 

Resource name 

Resource password 

Both resource name and resource password may be binary. Moreover
program may interpret these fields as it wants so 'resource name' may
be not a name and 'resource password' may be not a password. There
exists a limit of 255 records per single PWL file. All records along
with user name and checksum are encrypted with strong cipher algorithm
RC4. Encryption key is derived from login password. Windows uses PWL
files to verify login password. However login password is not stored
in PWL file. Windows decrypts PWL file using specified password and
then verify checksum. If checksum is correct then entered password
assumed to be valid. So it is possible to get access to PWL file if
only both login password and user name are known. If login password is
unknown then a search is the only way to get access to PWL file's
contents. User name must be known because it is involved into checksum
verification. Usually PWL file name is the same as user name. However
it is not necessary. PWL file name never exceeds 8 characters. Windows
never overwrites PWL files. By default PWL files are located in the
Windows directory. Since Windows never overwrites PWL files it's
possible that resulting PWL file name will be mangled. For example, if
robert.pwl file already exists then new PWL file for user Robert
will have rober000.pwl file name. Next file name is rober001.pwl and
so forth.

Both user name and login password are case sensitive for PWL file,
however high level Windows functions convert them to uppercase.
Nevertheless there is an exception: dial-up network server use rna.pwl
file to store connections passwords. User name is *Rna (case
sensitive).

Each PWL file must be registered in system. There is [Password Lists]
section in system.ini file. Each line in this section looks like this:
USERNAME=FullPathToPwlFile"

Q: How to force Windows do not ask login password at startup ?

A: You can enable silent logon as follows

- Set empty login password 

- Select "Windows Logon" as the value in the "Primary Network Logon"
box in the Network option in Control Panel.

- Make sure that user profiles are NOT enabled (using the Passwords
option in Control Panel or by setting the related system policy).

====================================
"Windows creates a file with the extension PWL, which stands for
password list to hold this [log in] information. The file is saved in
the directory that Windows 9X (referring to any flavor of Windows 95
or 98) was loaded in, typically C:\WINDOWS. The file's name is the
first eight characters of your login name, unless there is already a
like named PWL file on the system. This would happen if your logon
name was RichardSmith, and RichardSimon had already logged on the
system in question. The result would be truncating what would have
been a "RichardS" file name to its first five letters - "Richa", and
appending 000 to the end, creating a file named Richa000.pwl. If
another login occurred by someone whose login name's first eight
characters also matched RichardS, then their PWL file would become
Richa001.pwl, and so the process would continue.

What purpose does the PWL file serve? What information does the PWL
file hold and why? Microsoft does not offer much detailed technical
information on the PWL file, because they believe in "security through
obscurity". This theory says that the less you know about a product's
inner security workings, the safer it will be. That may hold true if
the product is secure to begin with. Typically the most secure systems
are proven secure through the testing of their inner-workings by
security aficionados. If everyone knows how your product works, and it
still isn't defeated, then it is a truly secure product!

Due to Microsoft's lack of "documentation", most technical information
that can be found on PWL files is the result of programmer's and
security experts' efforts to document the files themselves. Much of
this information is through reverse engineering, and experimentation.
The PWL file's function is to hold any cached password information.
This is a convenience for the end-user, so they don't have to type in
all of those annoying passwords every time they access a passworded
resource. The resource could be a share on a neighboring Windows 9X
machine, access to a server in an alternate domain, contact to Samba
shares on a Unix system, your dial-up networking dialer, or even
contact with a Novell NetWare file-server! Any of these could be
accessed from a Windows 9X station, and would have the potential of
being "cached" in a PWL file.

Technically the PWL file is actually a database file. It contains a
series of records representing the name of the resource that you are
connecting to, the type of resource, and of course the password that
enables you to connect to said resource, encrypted of course. Note,
each of the three records are defined by the program doing the saving,
so the records, in some cases, could be juggled around or used
completely differently than mentioned. For a more graphical
representation of a PWL file, [use] Pwledit.

Pwledit is a tool that comes on the Windows 95/98 CD-ROM. On the
Windows 98 CD-ROM find it under the \tools\reskit\netadmin\pwledit
directory. On the Windows 95 CD-ROM find it under the
\admin\apptools\pwledit directory. It shows all of the resources that
are stored in the currently logged-in user's PWL file with their type
represented by a graphical icon and name. The password is the only of
the record types not represented. This utility is Microsoft's answer
to making PWL files manageable. It allows the removal of individual
resources from the PWL file with the remove button (as seen above).
Otherwise, the only way you could clear a resource would be to
completely delete the PWL file, and recreate it without the resource
in question (not a pleasant proposition on a file with many
resources!). There are two limits on the resources listed in the PWL.
The first is that there can only be a total of 255 total entries. The
second is that the service/client that allows login to the resource
must be compatible with the PWL format, which at this point means that
it must be a Microsoft client.

The entries actually get in the file through the cooperation of the
end-user. Like in the example mentioned above, during initial logon
when you are asked to confirm your password, Windows is making a PWL
for your logon name! By clicking check boxes like the one in Dial-up
Networking's dialer that says, "Save Password" (see below), you are
adding resources to your PWL!

This isn't such a bad thing, right? PWL files make it easy to logon to
a collection of networks with just one logon on startup! Who wants to
type in a long, confusing password supplied by your Internet Service
Provider every time you want to connect to the Internet? For these
reasons PWL files are used quite heavily, despite the fact that they
have a history of being, and still are, rather insecure.

What are the security issues of the PWL file? Well, it doesn't take a
security guru to determine that one small file filled with lots of
network passwords could be a bane to network security. Place this same
file on a very insecure operating system (like Windows), and the
problems multiply. It's not just a Microsoft network problem, either!
Any resource that you allow a Microsoft Windows 9X client to connect
to using a Microsoft client will be at risk as well! So Samba shares
on Unix and Linux are at risk, as are Novell NetWare Servers that are
logged-on to through Microsoft's client for NetWare Networks (if you
are using NetWare's client, passwords aren't saved in the PWL file!)

A less involved means [of protecting passwords] is to manually add an
entry to your registry. Using Regedit add the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
=1

Making sure that the DisablePwdCaching value is added as a Dword
value. For more information on this procedure check
http://support.microsoft.com/support/kb/articles/q140/5/57.asp or
http://www.software.com.pl/newarchive/mailingl/Bugtraq/bugtraq/1995_4/0139.html.

After setting the system to disable password caching, delete all PWL
files from the system's hard drive and they will not be created again.

Perhaps an easier way to prevent the saving of passwords at your local
station may be to simply not save them when prompted! When you get
prompted for a confirm password, or save password check box, simply
don't comply. The frustrating part is that you will be prompted every
time you login with that annoying little confirm password box, and
you'll always have to type your password in for shares and dial-up
networking. No matter what, I would suggest a policy like this for
Administrator/Admin/Supervisor logon IDs. Their passwords should
NEVER be cached on a station's local drive. You may want to go as far
as to regularly audit stations to verify that there are no PWL files
for these logins on your user's local hard drives. This can be done
manually, with a batch file, or even setup in Microsoft Scheduler to
be performed once every week or so"

See http://www.sans.org/rr/papers/66/982.pdf for more on PWL files and
their security (or lack of!)

====================================
Here are some other links to check:

http://www.softstack.com/password/pwl_files.html

This should work for both Win95 and Win98.
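
Added example (not part of the original comment or of the quoted sources): a sketch of the station audit suggested above, run over a copy of a station's system.ini and a listing of its Windows directory. It flags PWL files for privileged logins, including mangled names such as rober000.pwl, and PWL files not registered under [Password Lists]. The function names, the sample data and the treatment of unregistered files as findings are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Login names taken from the quoted advice; adjust to the site's own accounts.
PRIVILEGED = ("Administrator", "Admin", "Supervisor")

def registered_pwls(system_ini_text):
    """Return {USERNAME: path} from the [Password Lists] section of system.ini."""
    entries, in_section = {}, False
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[password lists]"
        elif in_section and "=" in line and not line.startswith(";"):
            user, path = line.split("=", 1)
            entries[user.strip().upper()] = path.strip()
    return entries

def is_privileged_stem(stem, login):
    """True if stem is the login's first 8 chars, or its first 5 chars + NNN."""
    name = login.upper()
    return stem == name[:8] or re.fullmatch(re.escape(name[:5]) + r"\d{3}", stem) is not None

def audit(system_ini_text, files_on_disk, privileged=PRIVILEGED):
    """Return sorted (finding, detail) tuples for PWL files that need review."""
    registered = registered_pwls(system_ini_text)
    reg_files = {PureWindowsPath(p).name.upper() for p in registered.values()}
    findings = {("privileged-registered", p.upper())
                for p in privileged if p.upper() in registered}
    for f in files_on_disk:
        fname = PureWindowsPath(f).name.upper()
        if not fname.endswith(".PWL"):
            continue
        if any(is_privileged_stem(fname[:-4], p) for p in privileged):
            findings.add(("privileged-file", fname))
        if fname not in reg_files:  # assumption: unregistered files are worth a look
            findings.add(("unregistered-file", fname))
    return sorted(findings)

# Constructed sample data, not taken from a real machine.
SAMPLE_INI = "\n".join([
    "[boot]", "shell=Explorer.exe",
    "[Password Lists]",
    r"JOESHMOE=C:\WINDOWS\JOESHMOE.PWL",
    r"ADMINISTRATOR=C:\WINDOWS\ADMINIST.PWL",
    "[386Enh]", "device=*vmm32",
])
SAMPLE_FILES = [r"C:\WINDOWS\JOESHMOE.PWL", r"C:\WINDOWS\ADMINIST.PWL",
                r"C:\WINDOWS\SUPER000.PWL", r"C:\WINDOWS\WIN.INI"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_FILES):
        print(finding)
```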
