My answer is actually an educated guess based on what I've seen in other MS
implementations. I suspect the data in the reg key is protected (encrypted)
using DPAPI and the user's password (from the LSA cache) for additional
entropy. That said, however it is stored in the registry it has to be
reversible encryption, not a hash, or it would not be able to use the MS
CHAP v2 in PEAP as the challenge is always different.
This means, to me, that it would be possible to pull the credentials from
the registry. This is the case with nearly all stored credentials.
Hope this helps a little,
Certified Security Solutions