12

In HKLM\SYSTEM\CurrentControlSet\Services\MY-SERVICE-NAME there is the Object Name key which contains the name of the user, but I cannot find the password.

I am trying to understand how DPAPI interacts with Windows services management and with the service process itself.

Thanks!

3 Answers

17

Passwords for Windows services are stored in the registry under:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_<ServiceName>

When you configure a Windows service to run as a different account, the Service Control Manager uses the LsaStorePrivateData function to store the password, and the corresponding LsaRetrievePrivateData function to retrieve it.

So it is reversible encryption of some kind, but sorry, the exact encryption algorithm and technique are not publicly documented. And helping you further reverse engineer it would be fun, but not a good idea for me.

Ryan Ries
  • 56,311
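
An added example, not part of the original answers: a PowerShell audit that lists the services configured to log on as an ordinary user account, which per the answer above are the ones whose password the Service Control Manager keeps as an `_SC_<ServiceName>` LSA secret. The function name `Get-ServiceLogonClass` and the treatment of account names ending in `$` as managed or computer accounts are assumptions of this example; the script only reads service configuration and never opens the secret itself.

```powershell
# Added example: inventory services whose logon account implies a stored password.
# Built-in identities that are configured without a password (compared case-insensitively).
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-ServiceLogonClass {
    # Hypothetical helper: classify a service's StartName (the ObjectName registry value).
    param([string]$StartName)

    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'None' }               # no logon account set
    if ($builtIn -contains $StartName)            { return 'BuiltIn' }
    if ($StartName -like 'NT SERVICE\*')          { return 'Virtual' }            # per-service virtual account
    if ($StartName.EndsWith('$'))                 { return 'ManagedOrComputer' }  # assumption: gMSA/computer naming
    return 'PasswordAccount'                                                      # domain or local user account
}

# Win32_Service exposes the configured logon account as StartName.
$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if ((Get-ServiceLogonClass -StartName $_.StartName) -eq 'PasswordAccount') {
        [pscustomobject]@{
            Service   = $_.Name
            Account   = $_.StartName
            StartMode = $_.StartMode
            State     = $_.State
            # Secret name as given in the answer above; shown for reference only, not read.
            LsaSecret = "_SC_$($_.Name)"
        }
    }
}

# Group by account so shared service credentials stand out.
$report | Sort-Object Account, Service | Format-Table -AutoSize

# Summary: how many services depend on each password-bearing account.
$report | Group-Object Account |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, @{ n = 'Services'; e = { $_.Count } } |
    Sort-Object Services -Descending |
    Format-Table -AutoSize
```
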
4

While the actual encryption method may not be clear, accessing the data and requesting that the OS decrypt it on your behalf is a well-defined process - using PowerShell or the NirSoft LSASecretsView tool.

Royce Williams
  • 1,394
  • 8
  • 16
0

Stumbled across this page when looking for the ADSync password for Azure AD Connect service.

For anyone else, to change the NT SERVICE\ADSync password, follow this guide as it's not straightforward:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-serviceacct-pass

KERR
  • 454
  • 5
  • 10