Jump to content
McKay Development

InvalidPassword when trying to login with the sentry file of the real client


Recommended Posts


I'm currently trying to replicate what I assume the real Steam client would be doing when logging in a "remembered" account.
I'm parsing the VDF configs to grab the recently logged in user.
Therefore, from what I can tell, the sentry file should be up to date after having logged in with the real client once beforehand.

This is my script:

const fs = require('fs');
const VDF = require('@node-steam/vdf');
const { enumerateValues, HKEY } = require('registry-js');
const SteamUser = require('steam-user');

const steamPath = enumerateValues(HKEY.HKEY_LOCAL_MACHINE, 'SOFTWARE\\WOW6432Node\\Valve\\Steam').filter(value => value.name === "InstallPath")[0].data;

// Get the name of the recently logged in account.
const loginUsersFile = fs.readFileSync(`${steamPath}\\config\\loginusers.vdf`).toString();
const accountName = Object.entries(VDF.parse(loginUsersFile).users).filter(([_, user]) => user.mostrecent === 1)[0][1].AccountName;

// Get sentry.
const configFile = fs.readFileSync(`${steamPath}\\config\\config.vdf`).toString();
const sentryFilePath = VDF.parse(configFile).InstallConfigStore.Software.valve.Steam.SentryFile;
const sentry = fs.readFileSync(sentryFilePath);

// Try to login with that information.
const steamUser = new SteamUser();
	'accountName': accountName
steamUser.on('loggedOn', details => {
	console.log('loggedOn', steamUser.steamID);
steamUser.on('error', e => {
	console.log('error', e);

However, I'm always receiving an error with EResult 5 InvalidPassword.

Directly running against the steam-user source code instead of the NPM package and dumping the SteamUser._logOnDetails shows the following data being sent when calling .logOn(...) (with private information being redacted):

  account_name: '???',
  password: undefined,
  login_key: undefined,
  auth_code: undefined,
  two_factor_code: undefined,
  should_remember_password: false,
  obfuscated_private_ip: { v4: 0 },
  protocol_version: 65580,
  supports_rate_limit_response: true,
  machine_name: '',
  ping_ms_from_cell_search: 20,
  client_language: 'english',
  client_os_type: 16,
  anon_user_target_account_name: '',
  steamguard_dont_remember_computer: false,
  ui_mode: undefined,
  chat_mode: 2,
  web_logon_nonce: undefined,
  _steamid: undefined,
  cell_id: ??,
  sha_sentryfile: <Buffer ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??>,
  eresult_sentryfile: 1,
  machine_id: <Buffer ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ... 105 more bytes>

Am I doing something wrong?
What do I need to pass to .logOn(...) to login just with the sentry file?

I also tried a self-generated sentry file by using the steam-user package to do a remembered password/2FA-based login before.
This first password/2FA login attempt succeeds.
However, using the resulting sentry file in the code above afterwards leads to the same error.

Maybe also my understanding is wrong and a loginKey ist always required for passwordless authentication (and sentry is somehow optional?).
If that is the case, how would I obtain such a loginKey from the real client? Are the values of InstallConfigStore.Software.valve.Steam.ConnectCache within the config.vdf the loginKeys? If so, how would I need to transform these hex strings to match the format used by steam-user?

Edited by ceptoplex
Link to comment
Share on other sites

9 hours ago, ceptoplex said:

Maybe also my understanding is wrong and a loginKey ist always required for passwordless authentication (and sentry is somehow optional?).

Yes, this is the case. You need to use a loginKey for passwordless authentication; the sentry file is used to remember your machine for Steam Guard (and probably is also necessary when logging on with a loginKey). I don't know where the real client stores the loginKey; I've looked for it briefly in the past but I didn't find it. It might be stored somewhere encrypted.

Link to comment
Share on other sites

Posted (edited)
On 3/18/2022 at 4:51 AM, Dr. McKay said:

It might be stored somewhere encrypted.

After some investigation, I found out that the loginKey is indeed stored in the InstallConfigStore.Software.valve.Steam.ConnectCache values inside config.vdf.
The "encryption" method is known by the real client.

Sometimes I could also authenticate with such a decrypted loginKey even without using a sentry and also no 2FA code, but this may also be due to some other configuration (e.g. obfuscated private IP etc.) being identical to the previous attempt. I haven't yet tested enough to figure out what the conditions are for a sentry to be required.

TL;DR for me is that the config.vdf seems to be equally worth protecting compared to the sentry file.

Edited by ceptoplex
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...