How to find and dump the password for a Windows service.

During migrations to the cloud from IaaS, I often need to access SQL or other subsystems using an existing password that is stored in the registry for a service.

How to do it, step by step:

  1. Disable antivirus, including Windows Defender and real-time protection, using gpedit.msc. See here: https://rzetelnekursy.pl/?s=mimikatz&id=m
  2. Execute gpupdate /force.
  3. Download and unzip the tools. The tool is provided by Paula Januszkiewicz's company, CQURE. The tool, together with its password, was widely distributed at Microsoft Ignite conferences and similar events. I have no right to distribute it, but I can use it for you – just contact me.
  4. Download and unzip PsExec from the PsTools package: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
  5. As an Administrator, execute PsExec.exe -i -d -s cmd.exe. Now we have higher privileges than Administrator: SYSTEM.
  6. Execute CQSecretsDumper.exe /service servicename

Continue with your dumped password, and do not forget to re-enable the antivirus.
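
An added example, not part of the original post or of CQURE's tooling: a PowerShell audit to run from an elevated prompt once the procedure is finished. It lists the services that log on with a named account (Windows keeps such a password as an LSA secret, so these are the accounts to rotate or replace after the migration) and checks that Defender real-time protection is back on and that PsExec's PSEXESVC service is gone. The function name Test-StoredServiceCredential and the account-name heuristic are assumptions of this example.

```powershell
# Added example: post-procedure audit. Run from an elevated PowerShell prompt.

# Heuristic (assumption of this example): a service has an administrator-set
# password unless it runs as a built-in identity, a per-service virtual
# account (NT SERVICE\...), or a managed account whose name ends in '$'.
function Test-StoredServiceCredential {
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return $false }
    $builtin = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService|SYSTEM))$'
    if ($StartName -match $builtin)      { return $false }
    if ($StartName -like 'NT SERVICE\*') { return $false }
    if ($StartName.EndsWith('$'))        { return $false }
    return $true
}

# 1. Services that log on with a named account: candidates for password
#    rotation or a managed service account after the migration.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-StoredServiceCredential $_.StartName } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize

# 2. Step 1 of the procedure disabled real-time protection; confirm it is back.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    Write-Warning 'Defender status unavailable; check the installed antivirus manually.'
} elseif (-not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Defender real-time protection is still disabled.'
}

# 3. PsExec registers a PSEXESVC service; it should not remain afterwards.
if (Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue) {
    Write-Warning 'PSEXESVC service is still registered on this host.'
}

# 4. Service-install events (System log, ID 7045) that PsExec generated,
#    to attach to the change record or match against monitoring alerts.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object -First 5 -Property TimeCreated, Message
```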