Microsoft Windows SMB Registry : Winlogon Cached Password Weakness

info Nessus Plugin ID 11457


User credentials are stored in memory.


The registry key 'HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ Winlogon\CachedLogonsCount' is not 0. Using a value greater than 0 for the CachedLogonsCount key indicates that the remote Windows host locally caches the passwords of the users when they login, in order to continue to allow the users to login in the case of the failure of the primary domain controller (PDC).

Cached logon credentials could be accessed by an attacker and subjected to brute force attacks.


Consult Microsoft documentation and best practices.

See Also

Plugin Details

Severity: Info

ID: 11457

File Name: smb_reg_cachedlogons.nasl

Version: 1.17

Type: local

Agent: windows

Family: Windows

Published: 3/24/2003

Updated: 6/5/2018

Dependencies: smb_login.nasl, netbios_name_get.nasl, smb_registry_access.nasl

Risk Information

Risk Factor: Info

Vulnerability Information

Required KB Items: SMB/name, SMB/login, SMB/password, SMB/registry_access, SMB/transport