From my learning of IIS7 I understand that IIS7's metabase is actually XML configuration file very familiar to me and similar to ASP.NET's web.config. It is called applicationHost.config and sits in C:\Windows\System32\inetsrv\config
My first interest was to see how it manages passwords when specifying specific accounts for application pool.
I created demo application pool called xxxx, then I created demo account and specified my application pool to run under it. Then I navigated to C:\Windows\System32\inetsrv\config\applicationHost.config and opened it Notepad. I needed to run Notepad as administrator since UAC prevents from opening it directly into Notepad (I cannot say it about Visual Studio, which opens it gladly without running as Administrator). The following picture depicts what I found there:
Seems like the password encrypted using RSA and the cipher was stored in the config file, not the clear text password.
Where is the key? Digging deeper...
I learned it from: