DOCUMENT:Q165402 14-MAR-2002 [win95x] TITLE :Windows 95 Update to Encrypt Passwords in Memory PRODUCT :Microsoft Windows 95.x Retail Product PROD/VER::1,2,2.1 OPER/SYS: KEYWORDS:kbfile kbnetwork win95 kbgraphxlinkcriticalkbfixlist ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows 95 - Microsoft Windows 95 OEM Service Release, versions 1, 2, 2.1 ------------------------------------------------------------------------------- SYMPTOMS ======== If a computer running Windows 95 is left unattended while a user is logged on to a network, it may be possible to obtain that user's network password by a programmatic examination of the computer's memory. Typically, accomplishing this would require physical access to the computer. However, the network password could also potentially be acquired if a program designed to search for passwords using the same examination of memory were to be downloaded and run by a currently logged-on user. CAUSE ===== In Windows 95, passwords are encrypted before being sent over the network. However, the network password for the user who is currently logged on to the Windows 95-based computer is stored temporarily in memory in an unencrypted format. Using detailed knowledge of Windows 95 internal memory structures, it may be possible to write a program that runs in Windows 95 and reads the password for the currently logged-on user from memory. RESOLUTION ========== Microsoft recommends the following precautions to prevent the current user's network password from being accessed by unauthorized means: - Log off the computer when you leave it for long periods of time. - Run a password-protected screen saver when you leave the computer for short periods of time. - Do not run untrusted programs on the network, the Web, or that have been sent in e-mail. - Install the update described in this article. STATUS ====== Microsoft has confirmed this to be a problem in Microsoft Windows 95 and OEM Service Release 2 (OSR2). An update to address this problem is now available. This issue is resolved by the following updated files: - For Windows 95 (all releases): Mprserv.dll version 4.00.955 (dated 6/12/97) and later Nwnet32.dll version 4.00.951 (dated 4/21/97) and later Nwredir.vxd version 4.00.960 (dated 4/21/97) and later Pppmac.vxd version 4.00.954 (dated 4/28/97) and later Vredir.vxd version 4.00.1114 (dated 6/2/97) and later Vnetsup.vxd version 4.00.1112 (dated 6/2/97) and later - For Windows 95 (retail release) and OEM Service Release 1 (OSR1) only: Rasapi32.dll version 4.00.954 (dated 4/25/97) and later - For Windows 95 OSR2 and OSR2.1 only: Rasapi32.dll version 4.00.1113 (dated 4/25/97) and later - For the Microsoft Service for NetWare Directory Services [MSNDS] (all Windows 95 releases): Nwredir.vxd version 4.00.975 (dated 4/21/97) and later To install this update, follow these steps: 1. Download the appropriate update file(s) to an empty folder. a. If you are running Windows 95 retail release (version 4.00.950) or OSR1 (version 4.00.950 A), download the Secupd.exe file. b. If you are running Windows 95 OEM Service Release 2 or 2.1 (version 4.00.950 B), download the Secupd2.exe file. c. If you are running the Microsoft Client for NetWare Networks with the Microsoft Service for NetWare Directory Services (MSNDS) installed, also download the Nwredup4.exe file. 2. In My Computer or Windows Explorer, double-click the update file(s) you downloaded in step 1. 3. Follow the instructions on the screen. The following files are available for download from the Microsoft Download Center: Download Secupd.exe now Download Secupd2.exe now Download Nwredup4.exe now For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base: Q119591 How to Obtain Microsoft Support Files from Online Services Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file. This problem was corrected in Microsoft Windows 98. MORE INFORMATION ================ These components have been updated to encrypt the current user's network password even when it is stored in memory so that it cannot be read even by a programmer with detailed knowledge of Windows 95 internal memory structures. For additional information about Windows 95 security, see Chapter 14 ("Security") in the Windows 95 Resource Kit. The following files are installed by Secupd.exe: File name Version Date/Time Size Destination folder --------------------------------------------------------------------- Mprserv.dll 4.00.955 6/12/97 9:54a 127,488 Windows\System Nwnet32.dll 4.00.951 4/21/97 9:51a 22,016 Windows\System Nwredir.vxd 4.00.960 4/21/97 10:00a 123,987 Windows\System Pppmac.vxd 4.00.954 4/28/97 9:54a 135,288 Windows\System Vredir.vxd 4.00.1114 6/2/97 11:14a 156,773 Windows\System Vnetsup.vxd 4.00.1112 6/2/97 11:12a 17,595 Windows\System Rasapi32.dll 4.00.954 4/25/97 9:54a 151,552 Windows\System The following files are installed by Secupd2.exe: File name Version Date/Time Size Destination folder --------------------------------------------------------------------- Mprserv.dll 4.00.955 6/12/97 9:54a 127,488 Windows\System Nwnet32.dll 4.00.951 4/21/97 9:51a 22,016 Windows\System Nwredir.vxd 4.00.960 4/21/97 10:00a 123,987 Windows\System Pppmac.vxd 4.00.954 4/28/97 9:54a 135,288 Windows\System Vredir.vxd 4.00.1114 6/2/97 11:14a 156,773 Windows\System Vnetsup.vxd 4.00.1112 6/2/97 11:12a 17,595 Windows\System Rasapi32.dll 4.00.1113 4/25/97 11:13a 175,104 Windows\System The following files are installed by Nwredup4.exe: File name Version Date/Time Size Destination folder --------------------------------------------------------------------- Nwredir.vxd 4.00.975 4/21/97 10:15a 178,714 Windows\System For additional information about issues resolved by updates to these components, please see the following articles in the Microsoft Knowledge Base: Vredir.vxd: Q165403 Windows 95 Update Prevents Sending Clear-Text Password Over Net Q161100 File May Be Truncated When Copied to a Full Network Drive Q157114 "Access Denied" Attempting to Run File on LM/X Server Q148367 Possible Network File Corruption with Redirector Caching Q142803 Updated Vredir.vxd Corrects Problems Accessing Database Files Q140558 Deleting Files on Samba Servers May Delete Local Files Instead Q138249 Updated Vredir.vxd Corrects Errors Running Files on LMX Q160807 Cannot Connect to Windows NT Server with Many Shares Q150215 Disabling Automatic Network Shortcut Resolution Q138014 File May Be Truncated to Zero Bytes When Copied Onto Itself Q136834 Error Copying Read-Only Files to Core SMB Server Nwredir.vxd: Q136303 Connecting to Schedule+ 1.0 Calendar File Drops Connections Rasapi32.dll/Pppmac.vxd:nect to Remote Access Server with Dial-Up Q149396 Cannot Change Expired Windows NT Password with DUN Q154434 Err Msg: No Domain Controller Was Available to Validate... Additional query words: security ====================================================================== Keywords : kbfile kbnetwork win95 kbgraphxlinkcritical kbfixlist Technology : kbWin95search kbOPKSearch kbZNotKeyword3 kbWin95OPKOSR2 kbWin95OPKOSR1 kbWin95OPKOSR210 Version : :1,2,2.1 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.