IE 6 Persistent data in Fields (IE 6 SP-1 current

Topic

New Reply

Have the same problem on two computers. One is ME and the other is 98SE both are using IE SP-1 with all latest windows updates applied. IE is NOT my preferred browser on either computer, due to this problem I am using Firebird.

When I go to a secure webpage that requires login and pwd the login and password fields already contains an entry. The login is “invisible” but when I click in the field, the cursor shows up mid-field. The pwd field has the correct number of asteriks as the number of digits in my pwd., and the cursor starts at the end of the *** .
I have already done the following with no change.
1) Unchecked ALL autocomplete settings, and cleared FORM and PWD data
2) Run two spyware detectors
3) Run Anti-virus scan with latest software and data files
4) Searched the Registry for keys related to these fields or the webpages involved. Nothing out of the ordinary.
5) Ran Regclean to fix any errors
6) I am behind a hardware firewall and use ZoneAlarm on both machines and am very cautious of security issues so I don’t think it is a virus or trojan type thing.

The problems started several weeks ago following application of a Windows Update, but I don’t remember the patch number or exact time.

As this is a security risk, I’d really like to find a solution to get rid of the persistent data. Thanks in advance for any suggestions.

Reply | Quote

Replies

Is the password data correct? Can you simply click OK and log in? Sometimes you can copy the asterices and paste them on to a Notepad sheet and read the password (this does not always work).

The password and username data is generally stored in the Protected Storage Service keys in your registry. The data is encrypted, so you cannot simply Search for strings. In theory, clearing the AutoComplete data for usernames and passwords should get rid of this data. But, as typical, this may not always be effective. Additionally, there are sometimes other hidden registry sections that can hold passwords — but I think that is only in Win2k-XP (the “SAM” or Secure Access? Managnement keys).

Regardless, give this program a try and see if it comes up with what you want: Protected Storage PassView.

Reply | Quote

Really great ideas. Thanks for reply. Yes, the password will work if I first delete the saved user name and type the correct one in and make no entry in the pwd field.

I tried checking the pwd but it doesn’t show in Notepad. Neither does the user name/login part. Seems they do not copy to the clipboard at all.

The program you suggested didn’t find it either… all it showed was my outlook pwds. But it is a great tool and I can share it with my forgetful friends that are always asking me how to recover a lost password.

So, still looking for a solution to this oddball problem. Again, thanks R2

Reply | Quote

Hmmm… not in the Protected Storage Service Keys. How about in cookies? (Not likely, but who knows…). Is there a cookie for the site? Does it contain username and password crumbs?

Next, how savy with computers are you? You might want to run RegMon (http://www.sysinternals.com) just before the logon box pops up. It will monitor your registry and it MAY capture from where the persistent data is coming.

The other source of persisting data for IE is “User Data Persistence” — which is stored in XML files on your computer. You can toggle this off or on using the Security tab in Tools | Interent Optoins.

Reply | Quote

R2 Thanks again… No sign of a cookie for the sites in question. Already checked that one.

I’m probably intermediate to low advanced as a computer user. I build my own desktops and run dual boot to linux and other assorted tricks. My friends think I’m the tech support guy and I usually fix other peoples problems. But this one has me stumped. I’ll look at RegMon and see if it will help. I’ll also check theSecurity settings again, but I tried that before with no luck. I think this might be a bug or an interaction with other software that is causing this.

Keep those good ideas coming.

Reply | Quote

The User Data Persistent data is usually kept in a folder called “UserData”. You can search for that on your hard drive and snoop around in there. You can also snoop around in the Protect Storage System keys — just to see if you can find any stored information on the site. I don’t know of any other places to look for this data — except maybe MS “Passport”?? (If that is still being used). That might even be tied into the SAM keys….

Cookies
Protected Storage System keys (encrypted)
SAM keys (hidden)
User Data Persistence
??Passport??

Reply | Quote

R2, Thanks for sticking in there with me on this. I’ve tried checking all the files you mentioned and cannot see a lead to anything. I don’t have a hex viewer setup on this machine, but might try ssh’ing in from my Linux machine to see if I can fish it out from there. So far the answer is eluding me.

Really appreciate your efforts on this one.

Reply | Quote

R2, Thanks for sticking in there with me on this. I’ve tried checking all the files you mentioned and cannot see a lead to anything. I don’t have a hex viewer setup on this machine, but might try ssh’ing in from my Linux machine to see if I can fish it out from there. So far the answer is eluding me.

Really appreciate your efforts on this one.

Reply | Quote

Another thing to use — albiet unlikely to help — is AgentRansack (http://www.agentransack.com). It can ransack through your hard disk for any string you give it. The problem is — I suspect the information is encrypted so AgentRansack probably won’t find it.

Did you use RegMon to see if any special registry keys were accessed (e.g., SAM keys)?

Reply | Quote

Good thought… I have tried a program I use, Subject Search Scanner, that is similar to AgenRansack and searched for strings like password, user data, login, etc and no luck. Ran RegMon and opened the webpage and did not see any sign of it accessing any special registry keys. Went to each key and checked values and none of them had any relation to the form data, it was mostly format related and window behaviour stuff.

I’m going to check the other side (server side) and see if there might be something there that does this. I’m an asst sysadmin on it so maybe some freaky access thing is operating. The server is a Mac G5 so I’m not as saavy on it but at least the OS X is familiar to *nix commands.

Thanks for your persistence and good thoughts. We’re on the same wavelength, but haven’t found the culprit yet.

Reply | Quote

You’ve already looked, but you might like to see what Protected Storage PassView shows — probably nothing, or nothing new, but may be worth a quick download (29 KB)…

Reply | Quote

JohnGray,
Thanks for the URL, nice program… but still no luck.
Guess it might be better to stick with Firebird and park the old IE.

Kmack

Reply | Quote

Didn’t I give you that link several posts ago?

Reply | Quote

R2– Yes, you certainly did give me that link and I tried it with no luck. Out of desperation I tried it again and still no luck. I don’t know what else I can do short of the famous MS Windows reinstall thingey … actually, I”m preparing to dual boot this laptop with my favorite linux distro, Mandrake, and leave IE in the dustbin of obsolete software. Freedom!

Reply | Quote

Hmmmm… If the data is being presented by IE in a “form text box”, then IE must have obtained the data FROM something. There are essentially only two places that data is going to be stored — in the registry or in a file on your disk. There is no where else from which IE can pull this data!

If RegMon shows no registry key being accessed, then the answer is that it is stored in file. Try FileMon (same company). These are not easy tools to use, but I don’t know of any better method to use to see where things come from. There is one more tool — but I think it is even more challenging to use. It is called “Spy++” and it is available from Microsoft. The learning curve on that is quite steep….

Reply | Quote

Hmmmm… If the data is being presented by IE in a “form text box”, then IE must have obtained the data FROM something. There are essentially only two places that data is going to be stored — in the registry or in a file on your disk. There is no where else from which IE can pull this data!

If RegMon shows no registry key being accessed, then the answer is that it is stored in file. Try FileMon (same company). These are not easy tools to use, but I don’t know of any better method to use to see where things come from. There is one more tool — but I think it is even more challenging to use. It is called “Spy++” and it is available from Microsoft. The learning curve on that is quite steep….

Reply | Quote

R2– Yes, you certainly did give me that link and I tried it with no luck. Out of desperation I tried it again and still no luck. I don’t know what else I can do short of the famous MS Windows reinstall thingey … actually, I”m preparing to dual boot this laptop with my favorite linux distro, Mandrake, and leave IE in the dustbin of obsolete software. Freedom!

Reply | Quote

Didn’t I give you that link several posts ago?

Reply | Quote

JohnGray,
Thanks for the URL, nice program… but still no luck.
Guess it might be better to stick with Firebird and park the old IE.

Kmack

Reply | Quote

You’ve already looked, but you might like to see what Protected Storage PassView shows — probably nothing, or nothing new, but may be worth a quick download (29 KB)…

Reply | Quote

Good thought… I have tried a program I use, Subject Search Scanner, that is similar to AgenRansack and searched for strings like password, user data, login, etc and no luck. Ran RegMon and opened the webpage and did not see any sign of it accessing any special registry keys. Went to each key and checked values and none of them had any relation to the form data, it was mostly format related and window behaviour stuff.

I’m going to check the other side (server side) and see if there might be something there that does this. I’m an asst sysadmin on it so maybe some freaky access thing is operating. The server is a Mac G5 so I’m not as saavy on it but at least the OS X is familiar to *nix commands.

Thanks for your persistence and good thoughts. We’re on the same wavelength, but haven’t found the culprit yet.

Reply | Quote

Another thing to use — albiet unlikely to help — is AgentRansack (http://www.agentransack.com). It can ransack through your hard disk for any string you give it. The problem is — I suspect the information is encrypted so AgentRansack probably won’t find it.

Did you use RegMon to see if any special registry keys were accessed (e.g., SAM keys)?

Reply | Quote

The User Data Persistent data is usually kept in a folder called “UserData”. You can search for that on your hard drive and snoop around in there. You can also snoop around in the Protect Storage System keys — just to see if you can find any stored information on the site. I don’t know of any other places to look for this data — except maybe MS “Passport”?? (If that is still being used). That might even be tied into the SAM keys….

Cookies
Protected Storage System keys (encrypted)
SAM keys (hidden)
User Data Persistence
??Passport??

Reply | Quote

R2 Thanks again… No sign of a cookie for the sites in question. Already checked that one.

I’m probably intermediate to low advanced as a computer user. I build my own desktops and run dual boot to linux and other assorted tricks. My friends think I’m the tech support guy and I usually fix other peoples problems. But this one has me stumped. I’ll look at RegMon and see if it will help. I’ll also check theSecurity settings again, but I tried that before with no luck. I think this might be a bug or an interaction with other software that is causing this.

Keep those good ideas coming.

Reply | Quote

Hmmm… not in the Protected Storage Service Keys. How about in cookies? (Not likely, but who knows…). Is there a cookie for the site? Does it contain username and password crumbs?

Next, how savy with computers are you? You might want to run RegMon (http://www.sysinternals.com) just before the logon box pops up. It will monitor your registry and it MAY capture from where the persistent data is coming.

The other source of persisting data for IE is “User Data Persistence” — which is stored in XML files on your computer. You can toggle this off or on using the Security tab in Tools | Interent Optoins.

Reply | Quote

Really great ideas. Thanks for reply. Yes, the password will work if I first delete the saved user name and type the correct one in and make no entry in the pwd field.

I tried checking the pwd but it doesn’t show in Notepad. Neither does the user name/login part. Seems they do not copy to the clipboard at all.

The program you suggested didn’t find it either… all it showed was my outlook pwds. But it is a great tool and I can share it with my forgetful friends that are always asking me how to recover a lost password.

So, still looking for a solution to this oddball problem. Again, thanks R2

Reply | Quote

kmack, something worth trying would be to first backup this key (just in case ):
HKEY_LOCAL_MACHINESoftwareMicrosoftProtected Storage System ProviderusernameData
and then deleting all the long-numbered sub-keys in the Data key.

Reply | Quote

kmack, something worth trying would be to first backup this key (just in case ):
HKEY_LOCAL_MACHINESoftwareMicrosoftProtected Storage System ProviderusernameData
and then deleting all the long-numbered sub-keys in the Data key.

Reply | Quote