module ~ dpapi

Benjamin DELPY edited this page Aug 31, 2015 · 8 revisions

Commands: blob, masterkey, protect, credhist, capi, cng, cred, vault, cache

blob

masterkey

protect

must have

global

%windir%\System32\config\SYSTEM
%windir%\System32\config\SAM
%windir%\System32\config\SECURITY

reg save HKLM\SYSTEM SYSTEM.HIV /y
reg save HKLM\SECURITY SECURITY.HIV /y
reg save HKLM\SAM SAM.HIV /y

ntdsutil "ac in ntds" i "cr fu c:\temp" q q

system

%windir%\System32\Microsoft\Protect
%windir%\System32\Microsoft\Crypto

%allusersprofile%\Application Data\Microsoft\Crypto
%allusersprofile%\Application Data\Microsoft\Credentials
%allusersprofile%\Application Data\Microsoft\Vault
%allusersprofile%\Application Data\Microsoft\Wlansvc\Profiles\Interfaces

%windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Crypto
%windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials
%windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Vault

%windir%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Crypto
%windir%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials
%windir%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Vault

%windir%\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates
%windir%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault
%windir%\System32\config\systemprofile\AppData\Local\Microsoft\Vault

per user

%appdata%\Microsoft\Protect
%appdata%\Microsoft\SystemCertificates

%appdata%\Microsoft\Crypto
%appdata%\Microsoft\Credentials
%appdata%\Microsoft\Vault

%localappdata%\Microsoft\Credentials
%localappdata%\Microsoft\Vault