Reputation: 83
I am working on a Windows credential provider.
We started our project based on this: https://github.com/DavidWeiss2/windows-Credential-Provider-library
We want to make this authentication passwordless. Therefore we have a "database" in the form of an external file that keeps the password, username and domain pairs. For security reasons we hashed it (e.g. C:\Temp\MyCredsDatabase.dat).
If the user changes the password from Windows' built-in GUI (System -> Account -> Sign-in Options -> Change Password), the next login will fail simply because the user has already updated their password but our database is still using the old password.
Well, if I decrypt the password directly from Microsoft's SAM database it will be either illegal or hard, because Windows keeps updating its security packages to secure this database.
Is there any possibility that whenever the user updates the password, we get the password value and update our "database"?
Or should I save our local database's content in another format?
Like, instead of using the user's information in plain text for login with our Custom Credential Provider, can I use part of the SAM's value to login?
Upvotes: 0
Views: 302
Reputation: 186
Your credential provider should implement the CPUS_CHANGE_PASSWORD scenario, which is triggered in the change-password GUI workflow.
At that point, in ICredentialProviderCredential::GetSerialization, you should have the raw non-encrypted password value. Then in ICredentialProviderCredential::ReportResult, if NTSTATUS == STATUS_SUCCESS you could do whatever you want, including updating your database.
Upvotes: 0
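The hand-off the answer describes, as an added example that is not part of the original answer nor of the DavidWeiss2 library: a portable C++ model of the CPUS_CHANGE_PASSWORD flow in which the new password is held only until ReportResult, and the local store is updated only on STATUS_SUCCESS. The NTSTATUS/STATUS_SUCCESS definitions, CredStore, ChangePasswordCredential and its method names (mirroring GetSerialization/ReportResult) are stand-ins so it builds without the Windows SDK.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <map>
#include <random>
#include <string>
using NTSTATUS = int32_t;            // stand-ins for the Windows SDK definitions
constexpr NTSTATUS STATUS_SUCCESS = 0;

// Stand-in for the external credential file in the question: "DOMAIN\user" -> "salt:hash".
struct CredStore {
    std::map<std::string, std::string> rows;
    // Placeholder digest (FNV-1a 64) so this builds anywhere; a real store needs PBKDF2/bcrypt/scrypt.
    static std::string Digest(const std::string& salt, const std::string& pw) {
        uint64_t h = 1469598103934665603ULL;
        for (unsigned char c : salt + pw) { h ^= c; h *= 1099511628211ULL; }
        char buf[17];
        std::snprintf(buf, sizeof buf, "%016llx", static_cast<unsigned long long>(h));
        return buf;
    }
    void Upsert(const std::string& dom, const std::string& usr, const std::string& pw) {
        std::random_device rd;
        std::string salt = std::to_string(rd()) + std::to_string(rd());  // fresh salt per update
        rows[dom + "\\" + usr] = salt + ":" + Digest(salt, pw);
    }
    bool Verify(const std::string& dom, const std::string& usr, const std::string& pw) const {
        auto it = rows.find(dom + "\\" + usr);
        if (it == rows.end()) return false;
        std::string salt = it->second.substr(0, it->second.find(':'));
        return it->second == salt + ":" + Digest(salt, pw);
    }
};
// Hypothetical stand-in for one credential tile in the CPUS_CHANGE_PASSWORD usage scenario.
class ChangePasswordCredential {
    std::string dom_, usr_, newPw_;
    bool staged_ = false;
public:
    ChangePasswordCredential(const std::string& d, const std::string& u) : dom_(d), usr_(u) {}
    void SetNewPassword(const std::string& pw) { newPw_ = pw; }  // value typed into the "new password" field
    // GetSerialization: the clear-text value is packed for LSA here; we only note that it is pending.
    void GetSerialization() { staged_ = true; }
    // ReportResult: commit to our store only if Windows accepted the change, then scrub our copy.
    bool ReportResult(NTSTATUS status, CredStore& store) {
        bool updated = staged_ && status == STATUS_SUCCESS;
        if (updated) store.Upsert(dom_, usr_, newPw_);
        std::fill(newPw_.begin(), newPw_.end(), '\0');  // use SecureZeroMemory on Windows
        newPw_.clear(); staged_ = false;
        return updated;
    }
};
```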