How to obtain the plaintext password of the IIS application pool account
Sometimes, in order to obtain the necessary permissions, we will set a local or domain account for the identity of the IIS application pool to run. For example, SharePoint applications often do this. However, this is very insecure. The passwords of these accounts are stored in plain text.
For a local account, the password cannot be read. However, if you are using a domain account, the person with IIS management permissions can directly read the plaintext password of the application pool account. No third-party tools are required. CMD is sufficient:
Appcmd list apppool "application pool name"/text :*
The effect is as follows. The plaintext account and password are displayed under the [processModel] node. This is a domain account. This is also because the password here is saved separately, so every time you change the password, if you forget to change the IIS, the website will still be executed when it is accessed, in this way, your account will be locked...
There is no way to hide the plaintext password here. Therefore, try to avoid setting domain accounts in the IIS application pool.