
DPAPI-NG in Windows 8

posted by Passcape_Admin at 15:45:37 24.08.2012

The Data Protection Application Programming Interface (DPAPI) is a cryptosystem designed by Microsoft and built into every version of Windows since Windows 2000. DPAPI exposes advanced symmetric and asymmetric encryption algorithms that developers can use to protect information adequately. At the time of its release it was truly revolutionary, for three main reasons.

  1. For the first time on Windows, it let developers adequately protect user data without having to solve the key-management problem themselves.
  2. Its design included adjustable parameters, so that resistance to cryptanalysis could be raised in step with the growing power of computers.
  3. It offered strong cryptography that was nevertheless simple for most software developers to implement.

DPAPI was problematic for attackers and forensic analysts alike, because DPAPI-protected data could only be decrypted on the system, and under the account, where it was encrypted.

However, with the release of Windows 8, Microsoft decided to change the situation by releasing a new generation of DPAPI named (guess!) DPAPI-NG. The main revision is that DPAPI data from one computer can now be decrypted on another, but, according to Microsoft, "only after proper authentication and authorization".

No explanation has been provided, and one can only speculate about the reasons for this major revision (perhaps it relates to the migration of user or system data in large corporations? - Ed.). Microsoft lists ten new functions as part of DPAPI-NG, and naturally the storage format has changed too. The protected data is now stored in ASN.1 format and consists of three parts:

  • Header with description
  • Recipient data containing a secure encryption key
  • Actual encrypted data.

The following chart illustrates how it all works.
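To make the three-part layout concrete, here is an added example (not code from this post or from Microsoft's DPAPI-NG implementation): a small DER tag-length-value walker that parses a blob into a tree and pulls out the header description, the recipient's wrapped key and the encrypted payload. The sample blob is constructed in the code to mirror the structure described above; its OID, tags and nesting are assumptions for illustration and are not DPAPI-NG's real encoding.

```python
"""
Walk a DER-encoded blob (X.690 TLV encoding) into a tree and split it into
the header / recipient / encrypted-data parts.

Added example, not code from the blog post or from DPAPI-NG itself. The
sample blob built below is constructed here to mirror the three-part layout
the post describes; the OID, tags and nesting are illustrative assumptions.
"""
from typing import List, Optional

# Universal ASN.1 tag numbers used in the sample.
TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_SEQUENCE = 0x30  # tag 0x10 with the constructed bit (0x20) set


def der_length(n: int) -> bytes:
    """Encode a length in DER: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Build one tag-length-value element."""
    return bytes([tag]) + der_length(len(value)) + value


def build_sample_blob() -> bytes:
    """Constructed sample: SEQUENCE { header, recipient, ciphertext }."""
    header = tlv(TAG_SEQUENCE,
                 tlv(TAG_OID, bytes.fromhex("2a0304"))  # placeholder OID 1.2.3.4
                 + tlv(TAG_UTF8STRING, b"example protector descriptor"))
    # 40 constructed bytes standing in for the wrapped content-encryption key.
    recipient = tlv(TAG_SEQUENCE, tlv(TAG_OCTET_STRING, b"\x11" * 40))
    # 200 constructed bytes of "ciphertext"; long enough to use a long-form length.
    ciphertext = tlv(TAG_OCTET_STRING, b"\x22" * 200)
    return tlv(TAG_SEQUENCE, header + recipient + ciphertext)


def parse_der(buf: bytes, offset: int = 0, end: Optional[int] = None) -> List[dict]:
    """Parse consecutive TLV elements in buf[offset:end].

    Constructed elements (bit 0x20 set) are parsed recursively into
    'children'; primitive elements keep their raw 'value'. Truncated
    elements and the indefinite length form (not allowed in DER) raise.
    """
    if end is None:
        end = len(buf)
    nodes = []
    while offset < end:
        tag = buf[offset]
        if tag & 0x1F == 0x1F:
            raise ValueError(f"high-tag-number form not supported at {offset}")
        offset += 1
        if offset >= end:
            raise ValueError(f"missing length byte at {offset}")
        first = buf[offset]
        offset += 1
        if first < 0x80:
            length = first
        elif first == 0x80:
            raise ValueError("indefinite length is not allowed in DER")
        else:
            n = first & 0x7F
            if offset + n > end:
                raise ValueError(f"truncated length field at {offset}")
            length = int.from_bytes(buf[offset:offset + n], "big")
            offset += n
        if offset + length > end:
            raise ValueError(f"element at {offset} overruns its container")
        node = {"tag": tag, "length": length, "offset": offset}
        if tag & 0x20:
            node["children"] = parse_der(buf, offset, offset + length)
        else:
            node["value"] = buf[offset:offset + length]
        nodes.append(node)
        offset += length
    return nodes


def is_valid_der(buf: bytes) -> bool:
    """True if the whole buffer parses as well-formed DER."""
    try:
        parse_der(buf)
        return True
    except ValueError:
        return False


def split_protected_blob(blob: bytes) -> dict:
    """Return the three top-level parts of the sample layout by position."""
    top = parse_der(blob)
    if len(top) != 1 or top[0]["tag"] != TAG_SEQUENCE:
        raise ValueError("expected a single outer SEQUENCE")
    parts = top[0]["children"]
    if len(parts) != 3:
        raise ValueError(f"expected 3 parts, found {len(parts)}")
    header, recipient, payload = parts
    return {
        "description": header["children"][1]["value"].decode("utf-8"),
        "wrapped_key_len": recipient["children"][0]["length"],
        "ciphertext_len": payload["length"],
    }


if __name__ == "__main__":
    print(split_protected_blob(build_sample_blob()))
```

The walker is generic DER, so it can be pointed at any ASN.1 blob to see its nesting; only split_protected_blob assumes the constructed three-part order. Length checks against the enclosing container are what stop a malformed length field from reading past the buffer, which is the usual failure mode in hand-written TLV parsers.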

What isn't clear is why Microsoft so stubbornly keeps trying to do too much at once, combining the data protection interface with the data storage interface. In fact, a simple and convenient API for storing private data is what has been missing in Windows throughout its life. Starting with Windows 95, Protected Storage, with all its flaws, could by a long stretch of the imagination be called such an API, although using the registry for that purpose was, to put it mildly, not a brilliant idea. In Windows 7 we got a new closed interface called Windows Vault, but it lacks, for example, functionality for data synchronization and migration, or for working in the cloud (the new DPAPI-NG interface has actually been created with an eye to the popularization of cloud computing), and so on.

Software developers have been starving for such an interface, as they often have to store secret data (e.g., encrypted with DPAPI) all over the place. Let's hope that with the release of Windows 9 the situation will at last change for the better :)




some changes were made
posted by Admin at 12:12:32 09.09.2012
The blog post was kindly edited and reposted by Kevin, the good old friend of ours.