Exploring IE’s Form Data
Posted by William Diaz on December 22, 2011
A while back I was troubleshooting a user complaint about disappearing form data in Internet Explorer. This provided me a chance to explore some of the internals of IE and how it handles this data. Form data is AutoComplete information that is stored locally on your computer to make it more convenient to input commonly used data into forms in web pages. This information can be username logins, passwords, and other common fields like First Name, Last Name, Address, etc…
To begin, form data is enabled or disabled from Internet Options > Content > AutoComplete:
Before starting, I went ahead and deleted any form data that was already saved. I then navigated to a login page, entered my login information, and signed in. Using Process Monitor, I set a filter for iexplore.exe and limited operations to the registry only, since this is where this information is stored in all versions of IE from 7 to 9:
From the trace above, IE starts by attempting to open HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1. Since form data was already deleted previously, this key does not exist any longer, as seen by the result of NAME NOT FOUND. The next step, then, is to create this key. And last, a value is created in the registry for the inputted username.
If the web page form supports saving passwords as well and you elect for IE to remember the password, then a different key named Storage2 will be created and/or populated with the username and password data¹:
On the flipside, when you delete form data or password data from within Internet Explorer, the Storage1 or Storage2 key is deleted in the registry².
Form and password data are stored in obfuscated form, i.e. they are encrypted. For sites that support autocomplete username + password combinations, this is done by linking the stored password to a specific URL. Here is a technical breakdown of the actual process³:
Save the URL of the webpage. This is then used as the encryption key:
EncryptionKey = URL
Calculate the hash of the encryption key and store this as the record key:
RecordKey = SHA(EncryptionKey)
Calculate the checksum for RecordKey to ensure integrity:
RecordKeyCRC = CRC(RecordKey)
Encrypt the data (the passwords) using the encryption key:
EncryptedData = DPAPI_Encrypt(Data, EncryptionKey)
Save RecordKeyCRC, RecordKey, and EncryptedData in the registry.
Some pages do not support username + password data as an autocomplete. For example, Windows Live sign-in (Hotmail, SkyDrive, whatever) will only save username form data (Storage1) but not password. On the other hand, GMail login will save username + password (Storage2) as an autocomplete. You can tell when a web page does not support username + password autocomplete by opening the Developer Tools in IE and searching for AutoComplete="off" in the HTML code:
Financial institutions, for example, normally do not support username + password autocomplete.
When troubleshooting form data failing to autocomplete, remember that this data is tied to a specific URL. For example, if I go to http://www.xyz.com\login, then log in and log out again, the logout page may take me to an identical-looking login page but the URL will be different, say http://www.xyz.com\login\loginagain.html, and hence the autocomplete is not going to work.
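The record-key steps in the breakdown above, and the reason a different URL finds no saved entry, as an added example that is not part of the original post. It assumes details the post does not state: that SHA is SHA-1 over the lowercased URL encoded as UTF-16LE with a terminating null, and that the CRC is a one-byte sum of the hash bytes appended as two hex digits. The function names and sample URLs are constructed for illustration.

```python
import hashlib

def record_key(url: str) -> str:
    """Return the 42-character registry value name derived from a URL."""
    # Assumption: the URL is lowercased and hashed as UTF-16LE text
    # including its terminating null character.
    data = (url.lower() + "\0").encode("utf-16-le")
    digest = hashlib.sha1(data).digest()   # RecordKey = SHA(EncryptionKey)
    crc = sum(digest) & 0xFF               # RecordKeyCRC, assumed one-byte sum
    return digest.hex().upper() + f"{crc:02X}"

def checksum_ok(value_name: str) -> bool:
    """True if a value name is 21 hex-encoded bytes with a matching checksum."""
    if len(value_name) != 42:
        return False
    try:
        raw = bytes.fromhex(value_name)
    except ValueError:
        return False
    return len(raw) == 21 and (sum(raw[:20]) & 0xFF) == raw[20]

def match_urls(value_names, candidate_urls):
    """Map each well-formed value name to the candidate URL that yields it.

    Names with no matching candidate map to None; malformed names are skipped.
    """
    lookup = {record_key(u): u for u in candidate_urls}
    return {n: lookup.get(n.upper()) for n in value_names if checksum_ok(n)}

if __name__ == "__main__":
    # Constructed sample URLs modelled on the login/logout case in the text.
    first = "http://www.xyz.com/login"
    second = "http://www.xyz.com/login/loginagain.html"
    stored = [record_key(first)]           # what Storage2 would hold after one save
    print("saved under :", stored[0])
    print("looked up as:", record_key(second))
    print(match_urls(stored, [second, first]))
```

Comparing the value names under Storage2 with the key computed for the URL in the address bar shows at a glance whether the page the user is on is the one the data was saved for.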
Last, some excellent resources on this and related topics from the IEInternals Blog at Microsoft TechNet:
1 A note on usernames and passwords. Storage1 and Storage2 are two distinct keys, i.e. Storage1 does not store the username and Storage2 the password.
2 This is an all or nothing approach. You cannot selectively delete form data in any of the Internet Explorer options. You can, on the other hand, visit the page where you no longer want to store this information and select the data from the autocomplete field and then delete it.
Alternatively, you can use any number of free applications on the web that collect a list of web pages where you have stored form data. A good URL-Username-Password utility is IEPassView from Nirsoft. This will be flagged by most anti-virus products, so you will need to make an exception for it on your personal computer (too bad, Enterprise users).
3 "Forensic Implications of Windows Vista" by Barrie Stewart. You should be able to find this on the Internet in PDF format.