Windows 10 Wifi location storage:
For Windows 10 (like the prior versions Windows Vista, 7 & 8), the registry is no longer used to store information for the 'Wireless Configuration Manager'. Instead, all information is stored, as you mentioned, in the following file:
C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\{Random-GUID}.xml
Each wireless device is represented by its GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, and its settings are stored in an XML file with a random GUID name.
Understanding Windows 10 Encryption / Decryption
It uses 'Windows Cryptography' functions - (see here).
The signature at the beginning of each encrypted password is 01000000D08C9DDF0115D1118C7A00C0. So we can understand that 'Wireless Configuration Manager' uses CryptProtectData functions to encrypt the wireless keys and passwords.
Fortunately, decryption is as simple as using CryptUnprotectData; the catch is you need to run it as system. The ways that I know this can be done are:
- Create a scheduled task as system - (see here). Be sure to make user as SYSTEM, then open task scheduler and run task, etc.
- Use the Sysinternals program psexec64.exe
  Windows Sysinternals is a part of the Microsoft TechNet website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Download here.
  - If you run CMD as admin, navigate to the folder of the exe and then run the command
    psexec64.exe -i -s cmd.exe
  - see here for more details.
  - Or run powershell as admin, then navigate to the exe and run
    PsExec64.exe -i -s powershell.exe -ExecutionPolicy Bypass
- (Risky but common) Inject the code via remote thread in system process - LSASS.EXE
  - Go to nirsoft.net and read up on their procedure.
Also you will need to learn to work with C++ for the code below:
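//
// Wireless Key/Password Decryption Algorithm for Vista/Windows 7/Windows 8/Windows 10
//
#include <windows.h>
#include <wincrypt.h>   // CryptUnprotectData, DATA_BLOB
#include <stdio.h>
#pragma comment(lib, "crypt32.lib")

void DecryptWiFiPassword(BYTE *buffer, DWORD dwSizeBuffer)
{
    DATA_BLOB DataIn;
    DATA_BLOB DataOut;

    DataIn.pbData = buffer;          // raw DPAPI blob bytes
    DataIn.cbData = dwSizeBuffer;    // length of the blob in bytes

    if (CryptUnprotectData(&DataIn, NULL, NULL, NULL, NULL, 0, &DataOut))
    {
        // The output is not guaranteed to be NUL-terminated, so print by length.
        printf("\n Wireless Key Password : %.*s", (int) DataOut.cbData, (char *) DataOut.pbData);
        LocalFree(DataOut.pbData);   // the API allocates the output buffer
    }
}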
What are the CryptProtectData and CryptUnprotectData Functions Based On?
- Via Data Protection API.
- The user interfaces are available through the Windows SDK and MSDN Library. CryptProtectData function. CryptUnprotectData function.
Data Protection Application-Programming Interface Explained
Here is a brief synopsis taken from a Microsoft article with more information about CryptProtectData and DPAPI dated October 2001, as Windows 2000 was the start of data protection application-programming interface (API).
This Data Protection API (DPAPI) is a pair of function calls that provide operating system-level data protection services to user and system processes. They operate at the system-level and do not require any additional libraries. And the data protection is by means of encryption. Thus any program from this time had the ability to encrypt data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior.
DPAPI requires a password to protect information, thus it is a password-based data protection service. The downfall of this method is that it only rests on a password, so DPAPI uses proven cryptographic routines, specifically the strong Triple-DES algorithm, and strong keys to ensure protection.
DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in PKCS #5 (Password-based Encryption Standard 2.1) (see PKCS wiki here), to generate a key from the password. This password-derived key is then used with Triple-DES (see wiki here) to encrypt the MasterKey, which is finally stored in the user's profile directory.
To familiarize you with DPAPI please read the full article here and see an article on troubleshooting DPAPI here.
The article applies to an older version of Windows, though the fundamentals as far as I can see are the same.
An Explanation of the Process by Two Other People/Groups:
- Here is a PDF by blackhat explaining the process.
- @HennoBrandsma of Stack Overflow says "Essentially, the SHA-1 hash of your current password protects the DPAPI masterkeys, which protect in turn each DPAPI-blob (there is a per blob salt as well). Each masterkey has a GUID that identifies the password that is used to protect it. Each blob also has a GUID that identifies which masterkey was used to encrypt it. These masterkeys expire after three months and a new one is created, but the old ones are kept around."
Examples About Encryption and Decryption
Nirsoft.net, who have made a free decryption program that works in Windows 10, says DPAPI decrypted data always begins with the following sequence of bytes, so you can easily detect it:
01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB
Nirsoft.net lists some examples for passwords and other data encrypted with DPAPI:
- Passwords of Microsoft Outlook accounts, stored in the Registry.
- Credentials files of Windows (i.e. C:\Users\[User Profile]\AppData\Roaming\Microsoft\Credentials)
- Wireless network keys as this article
- Passwords in some versions of Internet Explorer, in Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- Passwords stored in the passwords file of Chrome Web browser ('Login Data' file in the profile of Chrome).
- Encrypted cookies in Chrome Web browser ('Cookies' file in profile)
Even they admit if decryption fails 'Try to decrypt the data by executing code inside lsass.exe process (Requires elevation)', so for system passwords this can be a difficult thing to do.
Article Sources:
Free Tools
- DPAPIck is a python toolkit to provide a platform-independent implementation of Microsoft's cryptography subsystem called DPAPI (Data Protection API).
- DataProtectionDecryptor is a powerful tool for Windows that allows you to decrypt passwords and other information encrypted by the DPAPI (Data Protection API) system of Windows operating system. You can use this tool to decrypt DPAPI data on your current running system and to decrypt DPAPI data stored on external hard drive.
- WirelessKeyView recovers all wireless network security keys/passwords (WEP/WPA) stored in your computer by the 'Wireless Zero Configuration' service of Windows XP or by the 'WLAN AutoConfig' service of Windows Vista, Windows 7, Windows 8, Windows 10, and Windows Server 2008. It allows you to easily save all keys to text/html/xml file, or copy a single key to the clipboard. You can also export your wireless keys into a file and import these keys into another computer.
1Querying Wireless Settings and Decrypting Wireless Key – Mike Petrichenko – 2019-05-05T15:25:38.073
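A defensive check built on the profile location and the DPAPI header described in the answer, added here as an example and not part of the original post: it parses one WLAN profile XML document, tests whether each keyMaterial value carries the DPAPI header, and reads the master-key GUID that the quoted description says every blob carries. The element names follow the WLAN profile schema; the offset of the master-key GUID is an assumption about the blob layout, and the profile name, GUID and blob are constructed sample values.

```python
import uuid
import xml.etree.ElementTree as ET

# 20-byte prefix quoted on the page: version DWORD (1) + DPAPI provider GUID.
DPAPI_HEADER = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C04FC297EB")
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}  # WLAN profile schema

def classify_key_material(text):
    """Return (storage, master_key_guid) for one <keyMaterial> value."""
    try:
        raw = bytes.fromhex((text or "").strip())
    except ValueError:
        return "not-dpapi", None  # not hex at all, e.g. a cleartext passphrase
    if not raw.startswith(DPAPI_HEADER):
        return ("not-dpapi" if raw else "empty"), None
    # Assumed layout after the header: DWORD master-key version, then the
    # 16-byte master-key GUID in little-endian GUID byte order.
    guid = str(uuid.UUID(bytes_le=raw[24:40])) if len(raw) >= 40 else None
    return "dpapi", guid

def audit_profile(xml_text):
    """List how each <sharedKey> in one WLAN profile XML document is stored."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="", namespaces=NS)
    findings = []
    for key in root.iterfind(".//w:sharedKey", NS):
        flag = key.findtext("w:protected", default="", namespaces=NS).strip().lower()
        storage, guid = classify_key_material(key.findtext("w:keyMaterial", namespaces=NS))
        findings.append({"profile": name, "protected_flag": flag == "true",
                         "storage": storage, "master_key_guid": guid})
    return findings

# Constructed sample input (not from a real machine): the page's header, a
# made-up master-key GUID and zero padding in place of the ciphertext.
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_BLOB = (DPAPI_HEADER + bytes.fromhex("01000000")
               + uuid.UUID(SAMPLE_GUID).bytes_le + bytes(16)).hex().upper()
TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleNet</name>
  <MSM><security><sharedKey>
    <keyType>passPhrase</keyType>
    <protected>{flag}</protected>
    <keyMaterial>{key}</keyMaterial>
  </sharedKey></security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    print(audit_profile(TEMPLATE.format(flag="true", key=SAMPLE_BLOB)))
    print(audit_profile(TEMPLATE.format(flag="false", key="constructed-passphrase")))
```

A sharedKey reported as not-dpapi is held in cleartext in that file, which is what an audit of exported or backed-up profiles should flag.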