How can I find Protected EAP credentials of a wireless network stored on Windows 7?

I need to remember the authentication credentials (username/password) of the wireless network on which I am connected. There is a way to reveal those informations on Windows 7? The wireless network is protected with WPA2-Enterprise AES, with Protected EAP (PEAP) authentication method; authentication mode is set to "User authentication".

I searched in:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[INTERFACE GUID]\[PROFILE].xml

But there is no mention of user or password.


You can find an encrypted (with CryptProtectData function) version of PEAP credentials stored in the binary data value named "MSMUserData" in the registry locations already specified in the NON answer:

Location of PEAP passwords

User HKCU\Software\Microsoft\Wlansvc\UserData\Profiles[GUID]

Machine HKLM\Software\Microsoft\Wlansvc\UserData\Profiles[GUID]

The data begins with hex values 01 00 00 00 d0 8c 9d df 01.

Exporting the "MSMUserData" value from registry you will obtain a text file containing something like:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Wlansvc\UserData\Profiles\{GUID}]
"MSMUserData"=hex:01,00,00,00,d0,8c,9d,df,01,...

You must convert the hex values list (right after the ""MSMUserData"=hex:" string) in a binary file. Use this link: https://tomeko.net/online_tools/hex_to_file.php

Once you obtain the binary file (e.g. called file.dat), you can decrypt it using crypt.exe http://www.outerhost.com/www/upload/8t4l1q2g7549/Crypt.zip in addition with PsExec tool https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

running the following command in an elevated command prompt

PsExec.exe -s -i cmd /k crypt.exe file.dat

you will obtain something like:

Decrypted: AAAAAAAAAAAAAAAAAAAAAJAEAAAYAAAAAgAAAJAEAAAAAAAAaQQAACAAAAAAAAAAkAQAA
AAAAAABAAAAGQAAAAAAAAAAAAAAAAAAAAEAAABJBAAAIAAAABkAAAAAAAAAAAAAAAAAAAA1BAAAAgAAA
[...]
A== <<<>>>

Crypt.exe output (after the "Decrypted: " and before the " <<<>>>" strings) is base64 encoded, so you'll need to decode it into hex. Use: https://base64.guru/converter/decode/hex

The decoded output will contain the PEAP username and, at the end, beginning with hex values 01 00 00 00 d0 8c 9d df 01, the encrypted (again with CryptProtectData function) version of the password.

Use again crypt.exe to decrypt this new ciphertext and then decode the output from base64 encoding and you will obtain the PEAP password.