I am using DPAPI to store XML data. The data after CryptProtectData is stored in a file. In one of my use cases, this data needs to be decrypted before any user logs in to the workstation. Since I cannot use a user-specific key in this, I am setting the flag "CRYPTPROTECT_LOCAL_MACHINE" while encrypting. The entropy key is static text.

Unprotect is working in all the scenarios except when I am calling it before logon (no user is logged in). It's returning error 87 (the parameter is incorrect).

I re-read the entire DPAPI documentation to see how the keys are being generated. But unfortunately, there is not enough information for this specific flag.

Will CryptUnprotectData work in this scenario at all? Can it be called by the applications that are running under some user session? Any help is appreciated.

Thanks, D

Wander3r
  • Are you talking about `CryptProtectData` and `CryptUnprotectData`? – Steve May 14 '13 at 14:17
  • @Steve, yes, the same. – Wander3r May 15 '13 at 09:39
  • Have you tried using `CryptEncrypt` and `CryptDecrypt` instead? – Harry Johnston May 16 '13 at 06:52
  • I can think of an almighty hack for this - create a temp user, replace the user's DPAPI keys with the real user's keys. Now impersonate your temp user, decrypt the data, remove the user – paulm May 17 '13 at 08:45
  • @paulm, that's a very good suggestion, paul. For now, what I have done is use the 3DES algorithm to encrypt and decrypt my data with a user-specific key and moved on from this. – Wander3r May 29 '13 at 06:47
  • @paulm, one thing that needs to be considered while impersonating the temp user is that it may call Network Providers before the actual windows login has happened. If the network providers are not well written, this may cause issues. Having said that, this is still a good way... – Wander3r May 29 '13 at 06:49
  • Interesting problem... Does the problem disappear if a user - any user - has logged in and out at least once after booting (or can you reproduce the bug any time no one is logged in)? – ixe013 Sep 18 '13 at 16:31
  • Under what account is your *pre-login* process running? `SYSTEM`, `LOCAL_SERVICE`, a local account with a stored password, etc. – ixe013 Sep 18 '13 at 16:32

2 Answers

We use DPAPI to store a password required by a service:

  • Encrypt with CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN.

  • Decrypt with CRYPTPROTECT_UI_FORBIDDEN.

The service runs when the machine boots (i.e. before logon); all works fine.

user3392484
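The encrypt/decrypt round trip this answer describes, as an added example that is not part of the original answer: it uses .NET's ProtectedData wrapper around CryptProtectData/CryptUnprotectData (assumed available under Windows PowerShell 5.1 via System.Security.dll), whose LocalMachine scope maps to CRYPTPROTECT_LOCAL_MACHINE, together with static entropy as in the question; the entropy string, file path and XML payload are constructed placeholders.

```powershell
# Added example: DPAPI machine-scope round trip via .NET's ProtectedData wrapper.
# Assumes Windows PowerShell 5.1, where the type lives in System.Security.dll.
# Run it under the service account (e.g. SYSTEM) to confirm that decryption
# works with no interactive user logged on.
Add-Type -AssemblyName System.Security

# Caveat: LocalMachine scope lets ANY process on this machine call
# CryptUnprotectData on the blob, so the entropy is the only thing that
# separates your service's blob from everyone else's. A static string is
# defence in depth, not a key; restrict who can read the file with an ACL.
$Entropy = [System.Text.Encoding]::UTF8.GetBytes('example-static-entropy')  # constructed value

function Protect-MachineSecret {
    param([Parameter(Mandatory)][string]$PlainText, [string]$OutFile)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # LocalMachine maps to CRYPTPROTECT_LOCAL_MACHINE; the wrapper also passes
    # CRYPTPROTECT_UI_FORBIDDEN, so a headless service can never block on a prompt.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $Entropy,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Array]::Clear($plain, 0, $plain.Length)   # scrub the plaintext copy
    if ($OutFile) { [System.IO.File]::WriteAllBytes($OutFile, $blob) }
    return $blob
}

function Unprotect-MachineSecret {
    param([Parameter(Mandatory)][byte[]]$Blob)
    try {
        # The blob records which master key protected it, which is why the
        # answer above can decrypt with CRYPTPROTECT_UI_FORBIDDEN alone.
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy,
            [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong entropy, a blob from another machine or a corrupted file all
        # land here; the message carries the Win32 error text, so log it with
        # the identity that attempted the call.
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "DPAPI unprotect failed as ${who}: $($_.Exception.Message)"
    }
}

# Round trip: protect constructed XML to a file, then read it back.
$file = Join-Path $env:TEMP 'dpapi-example.bin'   # placeholder path
$null = Protect-MachineSecret -PlainText '<cfg><pwd>example</pwd></cfg>' -OutFile $file
Unprotect-MachineSecret -Blob ([System.IO.File]::ReadAllBytes($file))
```

Running it once interactively and once as the boot-time service account, and comparing the logged identity on failure, narrows down whether the account or the blob is the problem.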

The Microsoft documentation is indeed vague on this point. Passcape has done a very good write-up called DPAPI Secrets.

The relevant section for your question is Recovering wireless connection passwords in Windows 7, which describes in detail the data required for decryption:

  1. The "system Master Key from folder E:/Windows/System32/Microsoft/Protect/S-1-5-18/User"
  2. Two registry files: "SYSTEM" and "SECURITY"

Based on the names, I wouldn't be surprised if these files are protected by the operating system and only accessible to logged in users, though somebody else might be able to confirm.

jtpereyda