FAQ
No. The tool is defensive: it runs locally on your own machine, never sends your data anywhere (the only network access is the optional version check), and is open source. It replicates what an infostealer would do so that you can see the consequences and harden your system before the real thing happens.
Because LaZagne, in its original form, is a credential-recovery binary, and Defender classifies such binaries as PUA (Potentially Unwanted Application). That is why infostealer_audit.py does not auto-install LaZagne by default and instead re-implements the useful parts in modules/lazagne_light.py (pure Python, no external binary). If you really need the full LaZagne, opt in with --install-flagged-tools.
Only for the live version-check step; use --no-online to disable it. Everything else operates strictly on local data.
No for the default audit. Yes for pwd_audit.py --aggressive, which attempts the v20 (App-Bound Encryption) bypass via SYSTEM elevation.
Most likely because they are protected by App-Bound Encryption (v20), introduced in Chrome 127 (July 2024). The default user-mode audit cannot decrypt these, and that is a good thing: it means a user-mode infostealer running under your account would fail to steal them too.
You will see them in the report as v20-protected, with the Cipher column coloured green.
If you want to verify this, run pwd_audit.py --aggressive. It tries to bypass v20 via SYSTEM elevation; on Chrome 131+ it fails at "Stratum 3" (the chrome.dll constant). That is expected and is exactly the level of protection Google designed.
It is a deliberate disclosure choice: in default mode we show how many credentials are protected but not their URLs or usernames, because we literally cannot decrypt those entries. With --aggressive (if it succeeds) the v20 entries are decrypted and displayed in full.
The tool flags it as outdated in the Versions & CVE tab and generates a fix recommendation. Old Chrome versions are extremely exposed (the v10 era and earlier, where a process running as you can decrypt everything). Update.
Recent versions detect the state of the Windows wireless service (wlansvc) and show "Wi-Fi (n/a): wireless service not running" instead of "0 profiles". If you still see "0 profiles", you are on an older version of the tool; pull the latest.
No. The tool uses Windows DPAPI through crypt32.dll. Adding Linux/macOS support would require a completely different implementation (Linux Chrome uses libsecret/kwallet, macOS Chrome uses the Keychain). Contributions are welcome, but it is a significant undertaking.
Yes, but the audit will reflect the VM's user profile, not the host's. DPAPI keys are bound to the user account inside the VM. If you want to audit the host, run it on the host.
Yes, but with caveats:
- If the corporate policy disables "save password", there will be nothing to decrypt — the audit will show 0 credentials.
- If the corporate policy enforces a Primary Password, the Firefox audit will fail unless you supply that password (no CLI flag is currently exposed for this).
The tool fetches from the same APIs Chrome/Firefox/Edge themselves use for updates:
- Chromium Dash for Chrome
- product-details.mozilla.org for Firefox
- edgeupdates.microsoft.com for Edge
- api.github.com/repos/brave/brave-browser/releases/latest for Brave
These are authoritative sources. The cached value is refreshed every 24 hours.
The tool may report "you are more recent than the latest stable" if you are on a beta/dev channel. That is expected.
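To make the version-check step concrete, here is an added example (not ToolSicurezza's own code) that parses the "latest stable" version out of each of the four feeds listed above, compares it with the installed version so that a beta/dev build reads as "ahead-of-stable" rather than as an error, and keeps the result in a 24-hour JSON cache in the temp directory. The response shapes are an assumption based on what those endpoints have returned in my experience and should be checked against a live call; the feed bodies below are constructed, with made-up version numbers, so the example runs offline.

```python
import json
import os
import re
import tempfile
import time

CACHE_TTL_SECONDS = 24 * 3600   # matches the FAQ's 24-hour refresh


def parse_chromium_dash(text: str) -> str:
    # https://chromiumdash.appspot.com/fetch_releases?channel=Stable&platform=Windows&num=1
    return json.loads(text)[0]["version"]


def parse_mozilla(text: str) -> str:
    # https://product-details.mozilla.org/1.0/firefox_versions.json
    return json.loads(text)["LATEST_FIREFOX_VERSION"]


def parse_edge(text: str, arch: str = "x64") -> str:
    # https://edgeupdates.microsoft.com/api/products : one object per channel, releases per platform
    for product in json.loads(text):
        if product["Product"] != "Stable":
            continue
        for rel in product["Releases"]:
            if rel["Platform"] == "Windows" and rel["Architecture"] == arch:
                return rel["ProductVersion"]
    raise ValueError("no Windows Stable release in the Edge feed")


def parse_brave(text: str) -> str:
    # https://api.github.com/repos/brave/brave-browser/releases/latest : tag_name like "v1.71.123"
    return json.loads(text)["tag_name"].lstrip("v")


PARSERS = {"chrome": parse_chromium_dash, "firefox": parse_mozilla,
           "edge": parse_edge, "brave": parse_brave}


def version_tuple(v: str) -> tuple:
    """'131.0.6778.86' -> (131, 0, 6778, 86); tolerates suffixes such as '133.0b5'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def compare(installed: str, latest: str) -> str:
    a, b = version_tuple(installed), version_tuple(latest)
    if a < b:
        return "outdated"
    if a > b:
        return "ahead-of-stable"   # beta/dev/canary channel: expected, not a finding
    return "current"


def cached(name, fetch, now=None, cache_dir=None):
    """Return (value, from_cache). Reuses pwd_audit_<name>.json in the temp directory
    when it is younger than 24 h; otherwise calls fetch() and rewrites the cache."""
    now = time.time() if now is None else now
    path = os.path.join(cache_dir or tempfile.gettempdir(), f"pwd_audit_{name}.json")
    try:
        with open(path, encoding="utf-8") as f:
            entry = json.load(f)
        if now - entry["ts"] < CACHE_TTL_SECONDS:
            return entry["value"], True
    except (OSError, ValueError, KeyError):
        pass   # missing, corrupt or stale cache: fall through to a fresh fetch
    value = fetch()
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"ts": now, "value": value}, f)
    return value, False


def check(browser: str, installed: str, feed_text: str) -> dict:
    """One row of a Versions report for a browser whose feed body is already in hand."""
    latest = PARSERS[browser](feed_text)
    return {"browser": browser, "installed": installed, "latest": latest,
            "status": compare(installed, latest)}


# Constructed feed bodies in the shape of the real responses (version numbers are made up).
SAMPLE_FEEDS = {
    "chrome": json.dumps([{"channel": "Stable", "platform": "Windows", "version": "131.0.6778.86"}]),
    "firefox": json.dumps({"LATEST_FIREFOX_VERSION": "132.0.2", "FIREFOX_DEVEDITION": "133.0b5"}),
    "edge": json.dumps([
        {"Product": "Beta", "Releases": []},
        {"Product": "Stable", "Releases": [
            {"Platform": "MacOS", "Architecture": "universal", "ProductVersion": "131.0.2903.51"},
            {"Platform": "Windows", "Architecture": "x64", "ProductVersion": "131.0.2903.48"}]}]),
    "brave": json.dumps({"tag_name": "v1.71.123", "name": "Release v1.71.123"}),
}

if __name__ == "__main__":
    # Installed versions would come from the registry or the binary's version resource;
    # here they are hard-coded to show each of the three outcomes.
    for browser, installed in [("chrome", "130.0.6723.117"), ("firefox", "132.0.2"),
                               ("edge", "131.0.2903.48"), ("brave", "1.72.0")]:
        print(check(browser, installed, SAMPLE_FEEDS[browser]))
```

The cache file name follows the %TEMP%\pwd_audit_*.json convention the FAQ lists under "what is written to disk", and a corrupt or stale cache simply forces a fresh fetch rather than failing the audit.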
Only if you passed --showpassword. Without it, passwords are masked (M*****a). Delete the report after use, or regenerate it without the flag.
- ./reports/ — HTML and JSON output, kept until you delete them.
- %TEMP%\pwd_audit_*.json — small JSON caches, expire after 24 h.
- %TEMP%\<random> — transient files for aggressive mode, deleted immediately after use.
Nothing is written to the registry, system paths, or outside the project directory.
The tool itself is a regular Python script and should not trigger Defender. However:
- If you opt in to installing LaZagne, Defender will alert on the install.
- In aggressive mode, the scheduled-task-as-SYSTEM step can be reported by behavioural detection on some EDR products.
If you see alerts, that is good: it means your security is working. The tool's behaviour is documented and intentional.
In principle, anyone with administrative access to a Windows machine can audit credentials on that machine, with or without our tool. LaZagne, mimikatz, NirSoft, and many other tools have existed for over a decade.
What our tool offers over those is:
- A defensive framing (no exfiltration, no exploits, no malware samples included).
- A threat-model-aware report (what is decryptable vs. protected, ranked by criticality).
- An education layer (the timeline, the bypass technique catalogue).
If misused, the legal and ethical responsibility lies with the user. See DISCLAIMER.md.
Reasonable cadences:
- After a security incident: immediately, then again 24 h later to verify nothing was missed.
- After a browser major-version update: to verify that the new ABE protection level has been applied.
- Quarterly: to check that you haven't accumulated unnecessary saved credentials.
- After migrating to a password manager: to confirm the browser is now empty.
Sure. Suggested citation:
ToolSicurezza: Defensive infostealer audit suite for Windows.
GitHub: https://github.com/AlessioSavelli/ToolSicurezza
2026.
If you publish research that updates the KB, please open a PR with the relevant additions and citations.