Where (how?) does IIS store custom application pool identities?

Tags: asp.net, iis

I have an application pool that I use for development… and I have it running under my credentials (so I don't have to worry about permission/access issues). Two things make me think my credentials might be just sitting in a file (or registry entry)… which is worrisome:

  • When I change my password, I have to update the stored credentials
  • The setup dialog has a confirm password field

If IIS was just storing some authentication token or something, I would expect to only enter my password once (because authentication was happening immediately).

Anyone know where my credentials are being stored? Are they just encrypted using some system key then pulled out and used when the app pool spins up?

Here is the dialog where I'm entering the identity's credentials:

[Image: configuring the Custom Identity for an application pool]

I open that dialog from the app pool's Advanced Settings:

[Image: app pool's Advanced Settings]

Other Info

IIS 7.5 on Windows 7

I am using virtual accounts for other application pools, but that's not what I'm using here: I'm using actual Windows account credentials

UPDATE

Based on nicolas-dietrich's response, I found the following…

The application pool credentials (and general settings) for IIS 7.5 are stored in %systemroot%\System32\Inetsrv\config\applicationHost.config.

Encryption is handled by AesProtectedConfigurationProvider, which is the standard (?) way to protect sensitive config info (like db connection strings or–you know–passwords).

Here are the relevant sections with sensitive/irrelevant info replaced by ellipses (…):

<configProtectedData>
    <providers>
        <!-- … -->
        <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="…" />
    </providers>
</configProtectedData>

<system.applicationHost>
    <applicationPools>
        <add name="DefaultAppPool" queueLength="5000" managedRuntimeVersion="v4.0" />
        <add name="GeneralDev" queueLength="5000" autoStart="true">
            <processModel identityType="SpecificUser" userName="mydomain\myusername" password="[enc:IISWASOnlyAesProvider:…:enc]" />
        </add>
        <!-- … -->
        <applicationPoolDefaults managedRuntimeVersion="v4.0">
            <processModel identityType="ApplicationPoolIdentity" loadUserProfile="true" setProfileEnvironment="false" />
        </applicationPoolDefaults>
    </applicationPools>        
    <!-- … -->
</system.applicationHost>

Hopefully, safe enough? ¯\_(ツ)_/¯

David J asked Jun 21 '16 16:06
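
An added example, not part of the original post: a small audit of the applicationHost.config layout quoted in the question's update. It lists every application pool whose effective identityType is SpecificUser and reports whether its password attribute carries the [enc:provider:…:enc] wrapper and whether that provider is declared under configProtectedData. The function name, the `<configuration>` root element, the "Legacy" pool and all sample values are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the fragments in the question; the account
# names, the "Legacy" pool and both password values are made up.
SAMPLE = """<configuration>
  <configProtectedData><providers>
    <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" />
  </providers></configProtectedData>
  <system.applicationHost><applicationPools>
    <add name="DefaultAppPool" />
    <add name="GeneralDev">
      <processModel identityType="SpecificUser" userName="EXAMPLE\\dev1" password="[enc:IISWASOnlyAesProvider:PLACEHOLDER:enc]" />
    </add>
    <add name="Legacy">
      <processModel identityType="SpecificUser" userName="EXAMPLE\\svc" password="constructed-cleartext" />
    </add>
    <applicationPoolDefaults><processModel identityType="ApplicationPoolIdentity" /></applicationPoolDefaults>
  </applicationPools></system.applicationHost>
</configuration>"""

# [enc:<provider name>:<ciphertext>:enc], the wrapper seen in the question.
ENC = re.compile(r"^\[enc:([^:]+):.*:enc\]$", re.S)

def audit_app_pools(xml_text):
    """List app pools that run as a stored account and how the password is stored."""
    root = ET.fromstring(xml_text)
    providers = {p.get("name") for p in root.findall("configProtectedData/providers/add")}
    pools = root.find("system.applicationHost/applicationPools")
    defaults = pools.find("applicationPoolDefaults/processModel")

    def effective(pm, attr):
        # A pool without its own value falls back to applicationPoolDefaults.
        values = [el.get(attr) for el in (pm, defaults) if el is not None]
        return next((v for v in values if v is not None), None)

    findings = []
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        if effective(pm, "identityType") != "SpecificUser":
            continue
        m = ENC.match(effective(pm, "password") or "")
        provider = m.group(1) if m else None
        storage = "no-enc-wrapper" if not m else ("encrypted" if provider in providers else "unknown-provider")
        # The password value itself is never returned or printed.
        findings.append({"pool": pool.get("name"), "user": effective(pm, "userName"),
                         "provider": provider, "storage": storage})
    return findings
```

Each finding is an account whose password has to be re-entered after a password change, which makes the output a list of pools that could move to virtual accounts.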



1 Answer

In IIS6 the AppPool identities were stored within the IIS metabase (%systemroot%\System32\Inetsrv\metabase.xml) in an encrypted string located under W3SVC/AppPools//WAMUserPass.

That was not so secure, though, as it was possible to decrypt it and show it as plain text (http://www.jasonsamuel.com/2010/04/28/how-to-get-the-iusr-and-iwam-user-account-passwords-on-an-iis-server/).

Nicolas Dietrich answered Nov 15 '22 11:11
