Hello all,
I'm still using OE6 to read/write newsgroup messages, and have written a small program which retrieves the message count for each subscribed newsgroup, so I can easily see if new messages are available for them.
The thing is, at some point I need to provide a username and password. The OE6 account already has them, but can't seem to be able to retrieve them for my "new messages" checking program.
Any idea where-and-how I can retrieve them ?
I've already taken a peek at the 'CredRead' and family functions (advapi32.dll), but those return nothing. Presumably OE6 uses another method.
...The thing is, at some point I need to provide a username and password.
The OE6 account already has them, but can't seem to be able to retrieve them for my "new messages" checking program.
Any idea where-and-how I can retrieve them ?
Nirsoft probably has a utility to retrieve them. Filemon or
Regmon it and see where it searches.
Although there is a "NNTP Password2" key present, its data doesn't live up
to it.
Although there is a "NNTP Password2" key present, its data doesn't live up
to it.
What do you mean? It's there in plain sight. Unencrypted and unobfuscated.
I'm still using OE6 to read/write newsgroup messages, and have written
a small program which retrieves the message count for each subscribed newsgroup, so I can easily see if new messages are available for
them.
The thing is, at some point I need to provide a username and
password. The OE6 account already has them, but can't seem to be
able to retrieve them for my "new messages" checking program.
Any idea where-and-how I can retrieve them ?
I've already taken a peek at the 'CredRead' and family functions (advapi32.dll), but those return nothing. Presumably OE6 uses
another method.
Not even those with admin privileges for their Windows account
can see the hidden crypto hive in the registry.
replaced with Data Protection API;
see https://en.wikipedia.org/wiki/Data_Protection_API
https://learn.microsoft.com/en-us/windows/win32/devnotes/pstore
why not hard code the login credentials into your script? Yeah, you
end up exposing the login credentials
Vanguard,
Thank you for the links and explanation to them.
Further googling (following some hunches) resulted in finding the registry key where the Outlook Express accounts are stored. Although the name is there, the password isn't stored there.
Not even those with admin privileges for their Windows account
can see the hidden crypto hive in the registry.
I'm going to assume that the crypto hive is protected by the OS, meaning
that low-level access to the registry thru NTDLL won't help either.
replaced with Data Protection API;
see https://en.wikipedia.org/wiki/Data_Protection_API
Alas, that page talks a lot, but doesn't tell me anything. After having
read it I do not even know which (XPsp3) DLLs are involved :-|
The problem with all I find is that I've still got zero in regard to information (sample code) to what to use and how to apply it.
https://learn.microsoft.com/en-us/windows/win32/devnotes/pstore
The problem with MS is that, contradicting the domain's name, that site works well enough when you know what to do but need to check how to call the functions, but not all that much when you are trying to figure out what you need to do to arrive at a goal. :-(
I could try and see what all those enums return, but I would be
stumbling in the dark. Probably will try anyway though, it's the best thing I currently got (not that hard when you got nothing :-) ).
I don't think I will mess up the store in any way, as all I need is read access.
As for the possibility to write some plug-ins for OE ? I am not trying to extend OE - how would I access the results from another program ?
why not hard code the login credentials into your script? Yeah, you
end up exposing the login credentials
That's currently what I'm doing, and not at all worried about exposing them.
The thing is the above solution means that I have to manage the data (username, password) at (several) different places, and would like to bring that back to just a single one.
Having to deal with encryption (thru pstore or other) is how it was implemented in Outlook Express, and I have no other choice(?) than to do the same.
Regards,
Rudy Wieser
If you find the documentation on writing OE plug-ins, perhaps there
was a function to ask OE for login credentials. OE gets the data
from its Pstore data, and returns to the plug-in.
Seems far-fetched that plug-ins would have access to that info since
that seems a security hole.
Without the hints in OE itself on how it uses Pstore, and what
key it used to seed the encryption, not sure you'll get it
outside of OE.
That's what this question is all about : if someone knows how to retrieve/extract the sought for data from OE6, sparing me (possible fruitless) hours-upon-hours scouring possible leads in the hope to find such a hint.
That's what this question is all about : if someone knows how to
retrieve/extract the sought for data from OE6, sparing me (possible
fruitless) hours-upon-hours scouring possible leads in the hope to find
such a hint.
Seems way too much work for just one instance of OE,
so my guess is you use your script on many instances of OE.
why not use Nirsoft's Protected Storage Passview (pspv) tool already mentioned (https://www.nirsoft.net/utils/pspv.html)?
https://learn.microsoft.com/en-us/windows/win32/devnotes/pstore
The problem with MS is that, contradicting the domain's name, that site
works well enough when you know what to do but need to check how to call
the functions, but not all that much when you are trying to figure out
what you need to do to arrive at a goal. :-(
Vanguard,
That's what this question is all about : if someone knows how to
retrieve/extract the sought for data from OE6, sparing me (possible
fruitless) hours-upon-hours scouring possible leads in the hope to find
such a hint.
Seems way too much work for just one instance of OE,
Indeed*, hence my question. An example of what needs to be done and how would fix.
* though I'm a hobby programmer, and just /might/ go thru all that trouble just to see if I can actually do it. You know, like some people like to put a 10.000 piece puzzle together.
so my guess is you use your script on many instances of OE.
Nope. Just one.
And what "your script" are you talking about ?
why not use Nirsoft's Protected Storage Passview (pspv) tool already
mentioned (https://www.nirsoft.net/utils/pspv.html)?
Reasons:
1) Knowledge. I like to know how its done.
2) Interoperability. It won't work well together with my program (which is GUI based)
3) Having a hobby. I dislike using other people's (small) programs when I can write them myself (also see #1).
Regards,
Rudy Wieser
Use OllyDbg2 or x64dbg and trace the program, so you can see
what files (or registry keys) it opens, what APIs it calls and even
step through whatever horrible code routines it runs. You can adapt
that to your program.
I don't think Nir apps use any protection.
Both debuggers are free, though Olly is somewhat outdated.
I recommend
<https://sourceforge.net/projects/x64dbg/files/snapshots/>
Shadow,
Use OllyDbg2 or x64dbg and trace the program, so you can see
what files (or registry keys) it opens, what APIs it calls and even
step through whatever horrible code routines it runs. You can adapt
that to your program.
I don't think Nir apps use any protection.
Both debuggers are free, though Olly is somewhat outdated.
I recommend
<https://sourceforge.net/projects/x64dbg/files/snapshots/>
Thanks for the suggestion, but have not used a debugger since .. well, forever (don't like them).
Though over time I've found and created a few programs which could aid me in drilling down to the matter*. It only would take, just as with going thru
it with a debugger following hunches, time to work thru all the
possibilities - especially when it's not known what method OE6 uses to store the password.
* IDA, snapshotters showing loaded DLLs. The possibility to intercept DLL calls and log what goes in and comes out. Same for COM objects (like
pstore).
But as said, (this time) I would like to forgo that lengthy process, and
rely on what others have (almost with no doubt) already done before.
Regards,
Rudy Wieser
And what "your script" are you talking about ?
why not use Nirsoft's Protected Storage Passview (pspv) tool already
mentioned (https://www.nirsoft.net/utils/pspv.html)?
3) Having a hobby. I dislike using other peoples (small) programs when
I can write them myself (also see #1).
And what "your script" are you talking about ?
Reread your first message. Says you're using a program.
Well that could be compiled C, or some other language, a script,
or whatever that executes code whether compiled or interpreted.
Can your program call external programs, like to run pspv.exe
with command-line args?
Then I suggest writing to Nir Sofer to ask if he will show you
his code;
else, you're into learning Pstore programming.
Pstore was a Windows XP-only thing, became read only in Windows
Vista, and dropped in Windows 7
Vanguard,
https://learn.microsoft.com/en-us/windows/win32/devnotes/pstore
The problem with MS is that, contradicting the domain's name, that site
works well enough when you know what to do but need to check how to call
the functions, but not all that much when you are trying to figure out
what you need to do to arrive at a goal. :-(
To make a point :
I just enumerated the "PStoreProviders" using "IEnumPStoreProviders::Next", but am now looking at ... I have no idea, and MS webpage about it* doesn't explain it either.
* https://learn.microsoft.com/en-us/windows/win32/devnotes/ienumpstoreproviders-next
Worse, the "[out] LPWSTR *rgelt" argument is described as :
"A pointer to a string in which to return the provider type name."
As it's an "LPWSTR" I'm /assuming/ it returns a pointer to a string it manages
itself. But the phrasing "A pointer to a string in which to return"
seems to indicate I have to provide space for such a string myself.
To check I just provided a pointer to some space and compared that with what got returned, and they differ. Which seems to indicate my first hunch was correct, and the "A pointer to a string in which to return" *should* have been written as "in which a pointer to a string is returned".
... which still is wrong, as it looks like some /value/ is returned (the first four bytes are 0x1C 0x00 0x00 0x00. Not at all looking like a string, wide or not).
Of course, with the MS webpages giving zero indication to what that code
might mean.
Second, very similar issue : I thought I could take a look at what "IEnumPStoreItems::next" would return (and get lucky and get the password). For that I need to call the "IPStore"s "EnumItems" method. But although MS provided a list of methods*, there is no indication of if that list is in VTable order. As such I can't even create the needed VTable.
* https://learn.microsoft.com/en-us/windows/win32/devnotes/ipstore
And then there is the problem that that "EnumItems" method needs "pItemType" and "pItemSubtype" arguments, which are not described anywhere either. And without them I don't stand a chance of even getting the enumeration started. :-(
IOW, even when I go to the horse's mouth to get my information I do not get everything that's needed (and have to scour the internet to hopefully find it).
And by the way : I've not seen the msimn.exe or msoe.dll import the pstore.dll anywhere.
I just realized : as the pspv program is GUI (and not console) based, how
did you think you could retrieve (get it to return) the password ?
Before going off on a red herring, have you used Nirsoft PSPV
to check if there is anything in Pstore (...) ?
(for the Windows account under which you are logged into since
Pstore is a per-user crypto cache)?
That's what this question is all about : if someone knows how to
retrieve/extract the sought for data from OE6, sparing me (possible
fruitless) hours-upon-hours scouring possible leads in the hope to find
such a hint.
Seems way too much work for just one instance of OE,
...I just realized : as the pspv program is GUI (and not console) based, how
did you think you could retrieve (get it to return) the password ?
It has command-line args to dump to file.
https://www.nirsoft.net/utils/pspv.html
Scroll down to the "Command-line options" section.
That's why I wondered if your program could call an external program
to create the output file, and then your program would parse the output
file to extract the OE creds.
A bit of a downside : the pspv program does not seem to mark email and newsgroups differently (even though the registry "Accounts" entries
make it rather clear which type they are - pop3/smtp vs nntp). The
generated INI would be a bit murky ...
A bit of a downside : the pspv program does not seem to mark email
and newsgroups differently (even though the registry "Accounts"
entries make it rather clear which type they are - pop3/smtp vs
nntp). The generated INI would be a bit murky ...
It won't help if you give e-mail and newsgroups accounts the same name.
If the registry entries identify type of account, and also give the
account name, you could pair up the registry account name for NNTP
accounts with the PSPV Resource Names.