Windows 10: Data Protection API DPAPI seemingly broken

Discussion in 'AntiVirus, Firewalls and System Security' started by AyrA.ch, Sep 17, 2020.

  1. AyrA.ch Win User

    Data Protection API DPAPI seemingly broken


    The Data Protection API seems to be broken on my machine. Data encrypted using the "ProtectData" function will only reliably decrypt if it was encrypted using the machine key. Data encrypted using the user account key will no longer decrypt after the machine has been restarted.


    On every restart, a new file will appear in %APPDATA%\Roaming\Microsoft\Protect\<SID>


    Is there a way to reset the data protection API somehow?

    I can't find any indication of what goes wrong. There are no event logs. This has become quite annoying since apparently it's not that uncommon to use this API to protect configuration files.

    :)
     
    AyrA.ch, Sep 17, 2020
    #1
  2. Windows 10 WiFi password storage protection

    For Windows 10 (like the prior versions Windows Vista, 7 & 8), the registry is no longer used to store information for the 'Wireless Configuration Manager'. Instead, all information is now stored, as you mentioned, in the following file,

    You will find that each wireless device is represented by its GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} and its settings are stored in an XML file with a random GUID name.

    It uses 'Windows Cryptography' functions - (see here).

    The signature at the beginning of each encrypted password is 01000000D08C9DDF0115D1118C7A00C0. So we can understand that 'Wireless Configuration Manager' uses CryptProtectData functions to encrypt the wireless keys and passwords.

    Fortunately, decryption is as simple as using CryptUnprotectData; the catch is you need to run it as SYSTEM. The ways that I know this can be done are:

    1. Create a scheduled task as SYSTEM - (see here). Be sure to set the user as SYSTEM, then open Task Scheduler and run the task, etc.
    2. Use the Sysinternals program psexec64.exe
      Windows Sysinternals is a part of the Microsoft TechNet website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Download here.
    3. If you run CMD as admin, navigate to the folder of the exe and then run the command psexec64.exe -i -s cmd.exe - see here for more details.
    4. Or run PowerShell as admin, then navigate to the exe and run

      PsExec64.exe -i -s powershell.exe -ExecutionPolicy Bypass
    5. (Risky but common) Inject the code via remote thread in system process - LSASS.EXE
    6. Go to nirsoft.net and read up on their procedure.

    Also you will need to learn to work with C++ for the code below:

    What are the CryptProtectData and CryptUnprotectData Functions Based On?

    • Via Data Protection API.
    • The user interfaces are available through the Windows SDK and MSDN Library. CryptProtectData function. CryptUnprotectData function.

    Data Protection Application-Programming Interface Explained

    Here is a brief synopsis taken from a Microsoft article with more information about CryptProtectData and DPAPI, dated October 2001, as Windows 2000 was the start of the data protection application-programming interface (API).

    This Data Protection API (DPAPI) is a pair of function calls that provide operating system-level data protection services to user and system processes. They operate at the system level and do not require any additional libraries. The data protection is by means of encryption. Thus any program from this time had the ability to encrypt data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior.

    DPAPI requires a password to protect information, thus it is a password-based data protection service. The downfall of this method is that it only rests on a password, so DPAPI uses proven cryptographic routines, specifically the strong Triple-DES algorithm, and strong keys to ensure protection.

    DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in PKCS #5 (Password-based Encryption Standard 2.1) (see PKCS wiki here), to generate a key from the password. This password-derived key is then used with Triple-DES (see wiki here) to encrypt the MasterKey, which is finally stored in the user's profile directory.

    To familiarize you with DPAPI please read the full article here and see an article on troubleshooting DPAPI here.

    The article applies to an older version of Windows, though the fundamentals as far as I can see are the same.

    An Explanation of the Process by Two Other People/Groups:

    • Here is a PDF by blackhat explaining the process.
    • @HennoBrandsma of Stack Overflow says "Essentially, the SHA-1 hash of your current password protects the DPAPI masterkeys, which protect in turn each DPAPI-blob (there is a per blob salt as well). Each masterkey has a GUID that identifies the password that is used to protect it. Each blob also has a GUID that identifies which masterkey was used to encrypt it. These masterkeys expire after three months and a new one is created, but the old ones are kept around."

    Examples About Encryption and Decryption

    Nirsoft.net, who have made a free decryption program that works in Windows 10, say DPAPI decrypted data always begins with the following sequence of bytes, so you can easily detect it:

    Nirsoft.net lists some examples for passwords and other data encrypted with DPAPI:

    • Passwords of Microsoft Outlook accounts, stored in the Registry.
    • Credentials files of Windows (i.e. C:\Users\[User Profile]\AppData\Roaming\Microsoft\Credentials)
    • Wireless network keys, as in this article
    • Passwords in some versions of Internet Explorer, in Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    • Passwords stored in the passwords file of Chrome Web browser ('Login Data' file in the profile of Chrome).
    • Encrypted cookies in Chrome Web browser ('Cookies' file in profile)

    Even they admit that if decryption fails you should 'Try to decrypt the data by executing code inside lsass.exe process (Requires elevation)', so for system passwords this can be a difficult thing to do.

    Free Tools

    • DPAPIck is a Python toolkit that provides a platform-independent implementation of Microsoft's cryptography subsystem called DPAPI (Data Protection API).
    • DataProtectionDecryptor is a powerful tool for Windows that allows you to decrypt passwords and other information encrypted by the DPAPI (Data Protection API) system of Windows operating system. You can use this tool to decrypt DPAPI data on your current running system and to decrypt DPAPI data stored on external hard drive.
    • WirelessKeyView recovers all wireless network security keys/passwords (WEP/WPA) stored in your computer by the 'Wireless Zero Configuration' service of Windows XP or by the 'WLAN AutoConfig' service of Windows Vista, Windows 7, Windows 8, Windows 10, and Windows Server 2008. It allows you to easily save all keys to text/html/xml file, or copy a single key to the clipboard. You can also export your wireless keys into a file and import these keys into another computer.

     
    Under A Tree, Sep 17, 2020
    #3
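As an added illustration (not code from any post in this thread, nor from Nirsoft or DPAPIck): the post above notes that every DPAPI blob starts with the 01000000D08C9DDF... signature and carries the GUID of the master key that protects it. The parser below reads that public header layout so a defender can check which master-key file a blob needs and whether it was protected under the machine or the user key, which is exactly the distinction in the original question. The sample blob and the master-key GUIDs are constructed for the example; only the header is built, no real ciphertext.

```python
import struct
import uuid

# Provider GUID at offset 4 of every CryptProtectData blob; its little-endian
# encoding is the D08C9DDF0115D111... signature quoted in the post above.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # flag set when the machine key was used

def parse_dpapi_blob_header(blob):
    """Return version, master-key GUID, flags, scope and description of a blob.

    Fixed header layout (publicly documented by DPAPIck and similar tools):
    DWORD version | GUID provider | DWORD mk_version | GUID masterkey |
    DWORD flags | DWORD desc_len | desc (UTF-16LE). Ciphertext follows later.
    """
    if len(blob) < 48:
        raise ValueError("too short for a DPAPI blob header")
    version, = struct.unpack_from("<I", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=blob[4:20]) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: bad version or provider GUID")
    mk_version, = struct.unpack_from("<I", blob, 20)
    masterkey = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    desc = blob[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {"version": version, "masterkey_version": mk_version,
            "masterkey_guid": str(masterkey), "flags": flags,
            "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
            "description": desc}

def missing_masterkey(blob, protect_dir_files):
    """True when the master-key file this blob needs is absent from the
    user's Protect\\<SID> folder (pass that folder's file names)."""
    needed = parse_dpapi_blob_header(blob)["masterkey_guid"]
    return needed not in {name.lower() for name in protect_dir_files}

def build_sample_blob(masterkey_guid, description, flags=0):
    """Constructed header-only sample (no real ciphertext) for offline tests."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
            + struct.pack("<II", flags, len(desc)) + desc)

if __name__ == "__main__":
    sample = build_sample_blob("12345678-1234-1234-1234-123456789abc", "config")
    print(parse_dpapi_blob_header(sample))
    print("signature:", sample[:16].hex().upper())
```

On a real machine, feed the blob bytes an application stored and the file names from the Protect\<SID> folder; a blob whose master-key GUID has no matching file there cannot be decrypted under that account, which matches the symptom the original poster describes.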
  3. @RaXxaa@ Win User

    Data Protection API DPAPI seemingly broken

    Data Hiding/Protecting software, need quick reply

    Hello everyone, I recently have problems with my laptop and am sending it in for a repair. Now I can't take the HDD out to have my data protected, but I hope nothing is done to it, so I need software that hides or protects my folder from being opened?
    Any suggestions?
     
    @RaXxaa@, Sep 17, 2020
    #4