Where are located the DPAPI BLOBS and is there any tool to decypher them?

Question

I'm doing some testing with DPAPI for a project where I'm involved. I would like to know where the users Masterkey are located and if there is any free utility to find and decipher them.

I'm pretty sure that they are located in "%APPDATA%\Microsoft\Protect\" subfolders, but as far as free utilities goes, the only one I've found is DPAPIck, but is outdated and it doesn't seem to work properly in my system (Windows 2008 Server R2, I'm using the 0.1 version because I don't have any python interpreter installed).

Here is information on the DPAPI keys and C# code to work with them: http://security.stackexchange.com/q/1771/396 — makerofthings7, Oct 15 '12 at 14:06

score 1 · Accepted Answer · answered Oct 15 '12 at 13:54

1

The key blobs are stored in the following path:

%APPDATA%\Microsoft\Protect\{SID}

Where {SID} is the security identifier for the user.

There's a paid tool by PassWare that claims to support Win2K8, but it looks like DPAPick is the only freeware tool. Since it's a community project, you could always drop them a bug report. You also mentioned that you aren't running the latest version due to not having python... just go grab python then!

answered Oct 15 '12 at 13:54

Polynomial

132,208
43
298
379

Thanks, I've already seen the PassWare software, I can't try it from my PC at work due to limitations, I'll try it at home. (maybe I'll get it for free by translating it in Italian) – Fabio Oct 15 '12 at 14:03

Where are located the DPAPI BLOBS and is there any tool to decypher them?

1 Answers1