Re: NetUserChangePassword WinAPI


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: NetUserChangePassword WinAPI
  • From: "Larimer, Jon (ISSAtlanta)" <JLarimerISS.NET>
  • Date: Tue, 18 May 1999 13:23:41 -0400
  • Approved-By: Russ.CooperRC.ON.CA
  • Comments: To: Shane Harrelson <SHarrelsonMATRASYSTEMS.COM>
  • Reply-To: "Larimer, Jon (ISSAtlanta)" <JLarimerISS.NET>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

> -----Original Message-----
> From: Shane Harrelson [mailto:SHarrelsonMATRASYSTEMS.COM]
> Sent: Tuesday, May 18, 1999 11:55 AM
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: NetUserChangePassword WinAPI
>
>
> I've noticed two strange problems when
> using the NetUserChangePassword() WinAPI
> to programmatically change a user's
> password.
>
> 1) When I change my password with the
> API, and then use CTRL-ALT-DEL to get to
> the security panel, if I choose
> "Lock Workstation" I must use my *OLD*
> password to unlock it.

When you use CTRL+ALT+DEL to lock your workstation and then try to unlock
it, NT validates the password you type in with an encoded copy of your
password stored in memory; it doesn't use any API calls to validate your
password is correct. MSGINA.DLL stores your password in memory by encoding
it with RtlRunEncodeUnicodeString() (in ntdll.dll). When you press
CTRL+ALT+DEL and enter in your password, MSGINA uses
RtlRunDecodeUnicodeString() and then does an lstrcmpW() to see if they are
the same. When you call NetUserChangePassword(), that just updates your
password as stored in the SAM database or on the PDC. When you lock your
workstation, your old password is still in memory so you need to use your
old password to unlock your machine.

>
> 2) Every time I change my password with
> the API, the "bad login" attempts is
> incremented, even if the change is
> successful, so if the "lockout" option
> is set, changing your password enough
> times locks out your account.
>
> Neither of these problems occur if you
> change your password via CTRL-ALT-DEL
> and the security panel.

The reason changing your password works with CTRL+ALT+DEL and not the API
is because MSGINA.DLL is what is keeping track of your password for screen
locking, and that's also what comes up when you press CTRL+ALT+DEL, so it
can update itself. NetUserChangePassword() probably doesn't know how to
change MSGINA's copy of your password.

-jon
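
The split described in this reply, as an added example that is not part of the original message and not Microsoft's code: a portable C model in which the API password change updates only the authoritative copy while the unlock check compares against the copy cached at logon. All function names, the XOR stand-in for the RtlRun*UnicodeString() routines, the seed and the passwords are constructed for illustration; `unlock_authoritative` is a hypothetical alternative, not something the thread says NT does.

```c
/* Portable model of the behaviour described above; not Windows code. */
#include <stdio.h>
#include <wchar.h>

#define MAXPW 64
#define SEED  0x5A                /* constructed value */
static wchar_t sam_pw[MAXPW];     /* authoritative copy: SAM database or PDC */
static wchar_t cache[MAXPW];      /* encoded copy the GINA keeps in memory */
static size_t  cache_len;
/* Stand-in for the RtlRun*UnicodeString() pair: plain XOR, not the real routine. */
static void xor_copy(wchar_t *dst, const wchar_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ SEED;
}
static void cache_store(const wchar_t *pw) {
    cache_len = wcslen(pw) < MAXPW ? wcslen(pw) : MAXPW - 1;
    xor_copy(cache, pw, cache_len);
}
static int sam_check(const wchar_t *pw) { return wcscmp(sam_pw, pw) == 0; }
void sam_set(const wchar_t *pw) { wcsncpy(sam_pw, pw, MAXPW - 1); }
/* Interactive logon: verify against the SAM, then cache what was typed. */
int logon(const wchar_t *pw) {
    if (!sam_check(pw)) return 0;
    cache_store(pw);
    return 1;
}
/* Models NetUserChangePassword(): only the authoritative copy changes. */
int api_change(const wchar_t *oldpw, const wchar_t *newpw) {
    if (!sam_check(oldpw)) return 0;
    sam_set(newpw);
    return 1;
}
/* Models the CTRL+ALT+DEL change: the GINA also refreshes its own copy. */
int gina_change(const wchar_t *oldpw, const wchar_t *newpw) {
    if (!api_change(oldpw, newpw)) return 0;
    cache_store(newpw);
    return 1;
}
/* Unlock as described: decode the cached copy and compare the strings. */
int unlock_cached(const wchar_t *typed) {
    wchar_t plain[MAXPW] = {0};
    xor_copy(plain, cache, cache_len);
    return wcscmp(plain, typed) == 0;
}
/* Hypothetical alternative: ask the authority, refresh the cache on success. */
int unlock_authoritative(const wchar_t *typed) { return logon(typed); }
int main(void) {
    sam_set(L"old-pw"); logon(L"old-pw"); api_change(L"old-pw", L"new-pw");
    printf("old unlocks: %d, new unlocks: %d\n",
           unlock_cached(L"old-pw"), unlock_cached(L"new-pw"));
    return 0;
}
```

Any design that validates against a logon-time cache behaves this way after an out-of-band credential change: the old secret keeps working at the cached check until the cache is refreshed.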