This article covers all currently known free solutions for autologon and gives special attention to their levels of security and usability.
The most widespread solution since the beginning of the Windows NT era in 1993 – modifying the registry – has never changed. It is still free, simple, and absolutely insecure.
Before giving instructions on how to apply this method, it is necessary to explain its disadvantages. With this method, the logon information (a user name and password) is stored in the system registry in plain text and is accessible to anyone working on the computer. Administrative privileges are not needed to read the registry, so users and guests can easily retrieve this sensitive information (in most cases even remotely).
Also, it is not recommended to work with the registry unless you are completely sure you can do it right. Whenever technical advice from Microsoft requires modifications of the registry, it always includes a warning like this: “This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully.” If you do not want to work with the registry directly, you can try one of the other solutions described in this article.
| Value Name | Value Data |
|---|---|
| DefaultUserName | A user name to be used for automatic logon |
| DefaultPassword | The password for the user name |
The second method has, in essence, the same principle as the previous one: logon credentials are stored in the system registry in plain text. The difference here is that you use the built-in capabilities of the operating system instead of having to deal with the registry directly.
This solution also does not provide any security at all, because attackers can easily get your user name and password from the registry both locally and remotely.
In addition, this method will not work if the computer is a member of an Active Directory domain.
In October 2006 Microsoft professionals from Shell: Revealed created a new solution known as autologon.exe. This is an application that stores logon data in LSASecret. The tool is not supported officially, works only on Windows Vista and Windows 2008, and has a rather unfriendly command line interface. The autologon.exe related blog entry is now accessible only via the Internet Archive’s Wayback Machine, since the Shell: Revealed website has not worked for quite a while and no one knows if it will ever be relaunched.
In November 2006 Mark Russinovich of Sysinternals updated his Autologon for Windows, which had previously used the registry. This tool supports Windows XP and higher. The author does not specify where logon information is now stored, but a quick search finds almost complete source code for his application on Microsoft Developer Network, which tells us it is LSASecret too.
Thus, we seem to have finally got a secure place to keep logon credentials, but the fact is your user name and password are again stored in the system registry, since LSASecret is a hidden part of it. The credentials are not encrypted, they are just hidden. Compared to the solutions mentioned earlier, it is a bit harder for intruders to get to your logon data in this case, but they still can do it by using, for example, the LSASecretsView tool. This simple utility is available on the developer’s webpage.
Tweaking applications are those designed to give access to settings that are not exposed in the operating system. The first program of this kind is presumed to be Tweak UI from Microsoft, which appeared in the middle of the 1990s and has had many clones ever since. Some of them are freeware, but for most you will have to pay. Among the many features tweakers provide, they usually include the ability to perform automatic logon, but again there is nothing new here – they place your logon name and password into the registry.
There are a lot of other free third-party solutions for autologon, but you should keep in mind that all of them use the registry for storing login information in plain text. Moreover, most commercial solutions follow the same insecure principle.
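Whichever tool wrote the values, an administrator can check a machine for the plain-text storage described above. The following PowerShell audit is an added example, not code from the article or from any of the tools it mentions. It assumes the standard Winlogon key path and the `AutoAdminLogon` value name, neither of which appears in the article, and `Get-AutologonFinding` is a hypothetical helper name.

```powershell
# Added audit example (not from the article). Reports how autologon is configured
# without ever printing the stored password.
# Assumption: standard Winlogon key location; the article does not give the path.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutologonFinding {
    # Hypothetical helper: classifies a set of Winlogon values (name -> data).
    param([Parameter(Mandatory)][hashtable]$Values)

    $enabled   = "$($Values['AutoAdminLogon'])" -eq '1'
    $plaintext = -not [string]::IsNullOrEmpty([string]$Values['DefaultPassword'])

    $finding = if ($plaintext) {
        'Plain-text password in the Winlogon key'
    } elseif ($enabled) {
        'Autologon enabled with no registry password: likely held as an LSA secret'
    } else {
        'Autologon not configured'
    }

    [pscustomobject]@{
        AutologonEnabled  = $enabled
        UserName          = $Values['DefaultUserName']
        PlaintextPassword = $plaintext
        Finding           = $finding
    }
}

# Constructed sample: what the registry method leaves behind (values are made up).
$sample = @{
    AutoAdminLogon  = '1'
    DefaultUserName = 'kiosk'
    DefaultPassword = 'constructed-example'
}
Get-AutologonFinding -Values $sample

# Live check on the local machine (Windows only).
$props  = Get-ItemProperty -Path $WinlogonKey
$values = @{}
foreach ($name in 'AutoAdminLogon', 'DefaultUserName', 'DefaultPassword') {
    $values[$name] = $props.$name   # a missing value comes back as $null
}
Get-AutologonFinding -Values $values
```

A `DefaultPassword` value left behind after autologon was switched off is still reported as plain text, since it remains readable in the registry.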