DPAPI recovery

Windows Password Recovery - DPAPI blob decryption

The decryption of DPAPI blobs consists of four steps of the wizard.

Select DPAPI-encrypted blob file
Selecting DPAPI blob

On the first step, specify the path to the file containing a DPAPI blob. Note that DPAPI objects may be stored in different locations in the operating system (for example, in individual XML files, in the registry, or in Active Directory) and in different formats: binary, ASCII or UNICODE. A special tool is available for locating, extracting and saving DPAPI blobs to files. With that utility you can, for example, save all DPAPI blobs from a user's registry to individual files and then use them in the program. To be able to decrypt the data, you will also have to specify the Windows directory of the target drive.

Here are storage locations for some DPAPI objects.

  • Internet Explorer and Outlook passwords, WiFi passwords (XP only): user's registry, %APPDATA%\ntuser.dat
  • Google Chrome: %LOCALAPPDATA%\Google\Chrome
  • WiFi passwords (Windows Vista and higher): %PROGRAMDATA%\Microsoft\Wlansvc
  • Network connection passwords (Windows Credential Manager): %LOCALAPPDATA%\Microsoft\Credentials or %APPDATA%\Microsoft\Credentials
Use the finder utility to extract DPAPI data from there.


Select Master Key
Selecting DPAPI Master Key

The Master Key is a set of 64 random bytes used as the primary key when decrypting DPAPI blobs. The Master Key is itself encrypted with the user's password (or with the system's password in the case of a system Master Key). A user's Master Keys are always located in the %APPDATA%\Microsoft\Protect\%SID% folder, while a system account's Master Keys are stored in %SYSTEMDIR%\Microsoft\Protect. Note that there can be several Master Keys, and only one of them is suitable for decrypting a given object: the one whose name is stored inside the DPAPI blob. When searching for a Master Key, the program can filter out the names that do not match. The %APPDATA%\Microsoft\Protect folder also contains the CREDHIST file; it is an optional parameter and in most cases is not required for decryption.


Decrypt Master Key
Decrypting DPAPI Master Key

At least two parameters must be set to decrypt a user's Master Key: the user's logon password and the user's security identifier (SID), which is normally present in the path to the Master Key or recorded in CREDHIST. Either way, Windows Password Recovery determines the user's SID automatically. To decrypt a system Master Key, setting a password is unnecessary: the program retrieves all the data needed for the recovery from two registry files, SYSTEM and SECURITY. If additional entropy was used when creating the DPAPI blob, you must manually create a binary entropy file and specify the path to it. For example, when encrypting Internet Explorer passwords, the UNICODE-formatted website name is used as entropy.

Curiously, Windows 2000 has a critical vulnerability that allows decrypting any(!) DPAPI blob on a standalone PC without specifying the user's logon password at all, so all data protected with DPAPI there is effectively exposed. This is a major fault in the DPAPI implementation, known to Microsoft; other operating systems do not have this drawback. If the CRYPTPROTECT_LOCAL_MACHINE flag was set in the CryptProtectData call when the data was protected, that data can also be decrypted without the user's logon password (wireless network passwords, for example). This, however, is a property of the interface design, not a bug.
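Two things the wizard relies on can be read straight from a blob before the Master Key step is reached: the name of the Master Key stored inside the blob (the Master Key step above) and whether the CRYPTPROTECT_LOCAL_MACHINE flag was set (this paragraph). The parser below is an added example, not Passcape's code; it assumes the documented CryptProtectData blob layout, and the sample blob it parses is constructed, not captured from a real system.

```python
import struct
import uuid

# Provider GUID heading every CryptProtectData blob; flag value from wincrypt.h.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4

def _take(blob, off, n):
    """Slice n bytes at off, refusing to read past the end of a truncated blob."""
    if off + n > len(blob):
        raise ValueError("truncated DPAPI blob")
    return blob[off:off + n], off + n

def _take_lv(blob, off):
    raw, off = _take(blob, off, 4)  # DWORD length prefix, then that many bytes
    return _take(blob, off, struct.unpack("<I", raw)[0])

def parse_dpapi_blob(blob):
    """Return what the wizard needs from a blob: Master Key GUID, flags, description."""
    head, off = _take(blob, 0, 48)
    version, prov, _, mk_guid, flags, desc_len = struct.unpack("<I16sI16sII", head)
    if version != 1 or uuid.UUID(bytes_le=prov) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: version or provider GUID mismatch")
    desc, off = _take(blob, off, desc_len)
    crypt, off = _take(blob, off, 8)      # CALG_* cipher id and key length
    salt, off = _take_lv(blob, off)
    _, off = _take_lv(blob, off)          # HMAC key
    hashalg, off = _take(blob, off, 8)    # CALG_* hash id and hash length
    _, off = _take_lv(blob, off)          # HMAC
    data, off = _take_lv(blob, off)
    sign, off = _take_lv(blob, off)
    return {"master_key_guid": str(uuid.UUID(bytes_le=mk_guid)),
            "local_machine": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "crypt_alg": struct.unpack("<II", crypt)[0],
            "hash_alg": struct.unpack("<II", hashalg)[0],
            "salt_len": len(salt), "data_len": len(data), "sign_len": len(sign)}

def master_key_file(sid, guid):  # Master Key location the page gives for user accounts
    return rf"%APPDATA%\Microsoft\Protect\{sid}\{guid}"

def _lv(b):  # length-prefixed field, used only to build the sample
    return struct.pack("<I", len(b)) + b

# Constructed sample blob, not captured from a real system; repeated bytes are filler.
MK_GUID = uuid.UUID("12345678-9abc-4def-8123-456789abcdef")
SAMPLE_BLOB = (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
               + MK_GUID.bytes_le + struct.pack("<I", CRYPTPROTECT_LOCAL_MACHINE)
               + _lv("WiFi profile\x00".encode("utf-16-le")) + struct.pack("<II", 0x6610, 256)
               + _lv(b"S" * 32) + _lv(b"") + struct.pack("<II", 0x800E, 512)
               + _lv(b"H" * 64) + _lv(b"C" * 48) + _lv(b"M" * 64))
```

Run `parse_dpapi_blob` on a blob saved by the finder utility, then pass the returned GUID and the user's SID to `master_key_file` to know which file to pick in the Master Key step; a truncated or non-DPAPI file raises `ValueError` instead of producing a bogus GUID.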

Note that it is sometimes possible to decrypt the data without knowing the logon password on Windows 10 as well.

Starting with version 9.7, Windows Password Recovery utilizes new vulnerabilities in DPAPI Master Key protection that were discovered by our company. As a result, the owner's logon password is no longer required to decrypt a domain user's Master Key.

WPR v11.7 supports the Trusted Boot Auto-Logon feature of Windows 10. If the program detects that Trusted Boot Auto-Logon is enabled for the user, no logon password is required to decrypt the data.


Decrypt data
Decrypting DPAPI blob

With everything in place, Windows Password Recovery performs the final decryption of the DPAPI blob data, which you can then copy to the clipboard or save to a file. If the final step ends with an error, the most likely cause is that the additional entropy was set incorrectly or not at all. For example, Internet Explorer and the Vista FTP Manager use the source page where the password was entered as entropy; Windows Credential Manager similarly uses certain string constants, and so on.