Where and how is the password stored for the account associated with a Windows service?

Passwords for Windows services are stored in the registry under:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_<ServiceName>

When you configure a Windows service to run as a different account, the Service Control Manager uses the LsaStorePrivateData function to store the password, and the corresponding LsaRetrievePrivateData function to retrieve it.

So it is reversible encryption of some kind, but sorry, the exact encryption algorithm and technique are not publicly documented. And helping you further reverse engineer it would be fun, but not a good idea for me.


While the actual encryption method may not be clear, accessing the data and requesting that the OS decrypt it on your behalf is a well-defined process - using PowerShell or the NirSoft LSASecretsView tool.
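
For a defender, the practical follow-up is knowing which services on a host have such a secret at all. The script below is an added example, not part of the original answers: it lists services running under a named account and the `_SC_<ServiceName>` secret each implies. The function name, the sample rows and the account-filtering rules are assumptions made for illustration.

```powershell
# Added example: list services whose logon account implies a stored
# LSA secret named _SC_<ServiceName> (naming taken from the answer above).
# Assumption: built-in identities and NT SERVICE\ virtual accounts have no
# password for the Service Control Manager to store.
$BuiltIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
           'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-ServiceSecretCandidate {
    param([Parameter(Mandatory)] [object[]] $Service)

    foreach ($svc in $Service) {
        $account = $svc.StartName
        if ([string]::IsNullOrWhiteSpace($account)) { continue }  # no logon account recorded
        if ($BuiltIn -contains $account)            { continue }  # -contains ignores case
        if ($account -like 'NT SERVICE\*')          { continue }  # virtual account

        [pscustomobject]@{
            Service    = $svc.Name
            Account    = $account
            State      = $svc.State
            SecretName = "_SC_$($svc.Name)"
            # Assumption: a trailing '$' marks a managed or computer account,
            # whose password is not set by an administrator; review separately.
            Managed    = $account.EndsWith('$')
        }
    }
}

# Constructed sample rows with the Win32_Service property names used above.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';    StartName = 'LocalSystem';           State = 'Running' }
    [pscustomobject]@{ Name = 'ExampleDb';  StartName = 'CONTOSO\svc-db';        State = 'Running' }
    [pscustomobject]@{ Name = 'ExampleWeb'; StartName = 'NT SERVICE\ExampleWeb'; State = 'Stopped' }
    [pscustomobject]@{ Name = 'ExampleJob'; StartName = 'CONTOSO\gmsa-job$';     State = 'Running' }
)

# Use live data where CIM is available, otherwise the constructed sample.
$services = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance -ClassName Win32_Service
} else {
    $sample
}

Get-ServiceSecretCandidate -Service $services | Sort-Object Account, Service | Format-Table -AutoSize
```

Each row with `Managed` set to `False` is a service whose account password is held on that host in the reversible form the answers above describe.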