How to Retrieve or Decrypt a Password of an Application Pool in IIS 7.0 or 7.5

If you have forgotten the password of the account used by a particular Application Pool in IIS 7.0 or 7.5 and would like to retrieve it, you can use APPCMD to do so.

Let’s Start

1. Let’s assume we do not know, or have forgotten, the password of the account used by the Site_App_Pool application pool and for some reason we cannot reset it.

2. Right-click Command Prompt and click “Run as Administrator”.

Tip: You can also select CMD and press CTRL + Shift + Enter to start Command Prompt as Administrator, that is, with Machine Administrator rights [more on Machine Administrator in another post].

3. Run the following command: %systemroot%\system32\inetsrv\APPCMD list apppool "Site_App_Pool" /text:*

Or browse to C:\Windows\System32\inetsrv and run: APPCMD list apppool "Site_App_Pool" /text:*

Replace "Site_App_Pool" with the name of the App Pool whose password you want to retrieve.

4. Under the [processModel] section you will see the password in clear text. [The credentials shown below are set up for this example only].

Note
As with IIS 6.0, where the password for the application pool was stored in clear text, IIS 7.0 and IIS 7.5 also store it in clear text, as you can see from the above example.

And here is where least privilege comes into play for all those who run their SharePoint environment with accounts that have more rights than needed, as getting the password is now easier than it was for IIS 6.0. Finally, a word of caution: always perform a least-privileged installation of your SharePoint environment, meaning the Application Pool account doesn’t get more permissions than needed.
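
The least-privilege advice above, as an added example that is not part of the original article: a Python parser for the APPCMD listing that inventories application pools running under a named account with a stored password, recording only that a password is present and never its value. The output layout, the SpecificUser/NetworkService identity values and all sample names and credentials are assumptions constructed for this example.

```python
import re

# Constructed sample in the layout APPCMD's /text:* output is assumed to use;
# pool settings, account name and password are made up for this example.
SAMPLE = r'''APPPOOL
  APPPOOL.NAME:"Site_App_Pool"
  [add]
    name:"Site_App_Pool"
    [processModel]
      identityType:"SpecificUser"
      userName:"CONTOSO\svc_sharepoint"
      password:"Example-Passw0rd"
    [recycling]
      logEventOnRecycle:"Time, Memory"
APPPOOL
  APPPOOL.NAME:"DefaultAppPool"
  [add]
    [processModel]
      identityType:"NetworkService"
      password:""
'''

ATTR = re.compile(r'^\s*([\w.]+):"(.*)"\s*$')
SECTION = re.compile(r'^\s*\[(\w+)\]\s*$')

def audit_app_pools(text):
    """Parse the listing; keep identity and account, record only whether a password exists."""
    pools, pool, section = [], None, None
    for line in text.splitlines():
        if line.strip() == "APPPOOL":                      # start of a new pool record
            pool = {"name": None, "identityType": None, "userName": "", "password_present": False}
            pools.append(pool)
            section = None
        elif SECTION.match(line):                          # e.g. [processModel]
            section = SECTION.match(line).group(1)
        elif pool is not None and ATTR.match(line):
            key, value = ATTR.match(line).groups()
            if key == "APPPOOL.NAME":
                pool["name"] = value
            elif section == "processModel" and key in ("identityType", "userName"):
                pool[key] = value
            elif section == "processModel" and key == "password":
                pool["password_present"] = bool(value)     # never store the value itself
    return pools

def custom_identity_pools(text):
    """Pools that run as a named account whose password the listing exposes."""
    return [p for p in audit_app_pools(text)
            if p["identityType"] == "SpecificUser" and p["password_present"]]

if __name__ == "__main__":
    for p in custom_identity_pools(SAMPLE):
        print(f'{p["name"]}: runs as {p["userName"]}; review the rights granted to this account')
```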

Comments
  • Richard Mueller edited Revision 5. Comment: Removed (en-US) from title, added tag

  • Gokan Ozcifci edited Revision 4. Comment: New Website - gknzcfc.net

  • Gokhan Ozcifci edited Revision 3. Comment: New account

  • Craig Lussier edited Revision 2. Comment: added en-US to tags and title

  • Gokhan Ozcifci edited Revision 1. Comment: Lay-out and size

  • Ed Price - MSFT edited Original. Comment: Great article!

  • Ed, I've known about this way to retrieve an app pool identity password for quite some time. If someone has physical (or remote) access to a machine with IIS they can get any identity password using this method. My question, with a white hat, security-conscious mind, is why is this method available at all? Why is the password stored in 'Clear text'? Granted the app pool identity account is and should be easy to identify, however should the password of said identity account be so easy to retrieve as well? From a security perspective, what is the official MSFT position about allowing an identity password to be 'discovered' in this way (i.e. the method in this wiki article)? I am just curious as I have wondered this for a long time... Any insight you may be able to provide would be appreciated. c.
