Automatic Logon: A Review of Free Solutions

This article covers all currently known free solutions for automatic logon and gives special attention to their levels of security and usability.

Registry

Screenshot of the RegEdit The most widespread solution since the beginning of the Windows NT era in 1993 – modifying the registry – has never changed. It is still free, simple, and absolutely insecure.

Before giving instructions on how to apply this method, it is necessary to explain its disadvantages. The point is that in this case logon information (a user name and password) is stored in the system registry in plain text and accessible to anyone working on the computer. Administrative privileges are not needed to read the registry, so users and guests can easily retrieve this sensitive information (in most cases even remotely).

Also, it is not recommended to work with the registry unless you are completely sure you can do it right. Whenever technical advice from Microsoft requires modifications of the registry, they always put a warning like this: “This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully.” If you do not want to work with the registry directly, you can try one of the other solutions described in this article.

Instructions

  1. Start Registry Editor + details
  2. Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Add the values with the corresponding data from the table below to the selected Winlogon key. If these values already exist there, just edit them + details
    Value Name Value Data
    AutoAdminLogon 1
    DefaultUserName A user name to be used for automatic logon
    DefaultPassword The password for the user name
    ForceAutoLogon 1
    The ForceAutoLogon value should be added to the Winlogon key only if the computer is running Windows 2000.
  4. On the File menu, click Exit to close Registry Editor.

Advanced User Accounts Control Panel

screenshot of user accounts settings window The second method has, in essence, the same principle as the previous one: logon credentials are stored in the system registry in plain text. The difference here is that you use the built-in capabilities of the operating system instead of having to deal with the registry directly.

This solution also does not provide any security at all, because attackers can easily get your user name and password from the registry both locally and remotely.

In addition, this method will not work if the computer is on Windows NT 4.0, or if it is a member of an Active Directory domain.

Instructions

  1. Start Advanced User Accounts Control Panel + details
  2. In the User Accounts (Users and Passwords in Windows 2000) dialog box, on the Users tab, click to clear the Users must enter a user name and password to use this computer check box, and then click OK.
  3. In the Automatically Log On dialog box, type a user name and password to be used for automatic logon in the User name and Password boxes respectively, type the password again in the Confirm Password box, and then click OK.
  4. Click OK to close the User Accounts (Users and Passwords in Windows 2000) dialog box.

LSASecret

screenshot of the command promt window In October 2006 Microsoft professionals from Shell: Revealed created a new solution known as autologon.exe. This is an application that stores logon data in LSASecret. The tool is not supported officially, works only on Windows Vista and Windows 2008, and has a rather unfriendly command line interface. The autologon.exe related blog entry is now accessible only via the Internet Archive’s Wayback Machine, since the Shell: Revealed website has not worked for quite a while and no one knows if it will ever be relaunched.

In November 2006 Mark Russinovich of Sysinternals updated his Autologon for Windows that had employed the registry before. This tool supports Windows XP and higher. The author does not specify the place used now for storing logon information, but a quick search finds an almost complete source code for his application on Microsoft Developer Network which tells us it is LSASecret too.

Thus, we seem to have finally got a secure place to keep logon credentials, but the fact is your user name and password are again stored in the system registry, since LSASecret is a hidden part of it. The credentials are not encrypted, they are just hidden. As compared to the solutions mentioned earlier, it is a bit harder for intruders to get to your logon data in this case, but they still can do it by applying, for example, lsasecret.exe. This simple utility is distributed with source code and available on the developer’s webpage.

Furthermore, incompatibility with older versions of Windows (such as NT 4.0 and 2000) prevents either of these LSASecret based methods from being considered a universal solution for automatic logon.

Tweakers

Tweaking applications are those designed to give access to settings that are not exposed in the operating system. The first program of this kind is presumed to be Tweak UI from Microsoft which appeared in the middle of the 1990s and has had many clones ever since. Some of them are freeware, but for most you will have to pay. Among plenty of features tweakers provide they usually have an ability to perform automatic logon, but again there is nothing new here – they place your logon name and password into the registry.

Other Third-Party Tools

There are a lot of other free third-party solutions for automatic logon, but you should keep in mind that all of them use the registry for storing logon information in plain text. Moreover, most commercial solutions follow the same insecure principle.

Download LogonExpert

File Name: LogonExpertSetup.exe
Current version: 6.3.6.1 (what is new?)
File size: 7.27 Mb
Supported OS: Windows XP/2003/Vista/2008/7/2012/8/8.1 (32/64bit)

Download now Download now!