Home > Products > Windows Passwords > Windows Password Recovery > Screenshots > Forensic tools > Windows Vault Explorer
Windows Vault analyzer and decoder
25.04.2017
Reset Windows Password v7.1.0
RWP now can create new SAM user accounts and supports for Win 10 Creators Update
29.03.2017
Wireless Password Recovery v4.0.3
Some problems and bugs were fixed
17.03.2017
Windows Password Recovery 11.2
Some improvements and speed optimization
27.01.2017
Wireless Password Recovery v4.0
This version can recover multiple handshakes simultaneously almost without speed loss

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Windows Password Recovery - Vault Explorer and Decoder


What is Windows Vault

Windows Vault is a protected storage for user or system secrets, passwords, network keys, web password and other personal information. Data stored in Windows Vault is structured and represents a set of records belonging to a certain Vault schema (see pic. below).

Windows Vault

On the physical level, Vault is a disk-based folder with a set of the following files:

  • Policy.vpol - set of encryption keys for Vault records (credentials). These keys can be protected using two basic methods: either using DPAPI or using a specific user password. The latter protection method is not used in Windows 8 and currently is not supported by the software.
  • <GUID>.vsch - Vault schema that contains data description, flags and other system information.
  • <GUID>.vcrd - Vault credential that stores the original encrypted data associated with a certain schema. The data may consist of and normally consists of several fields. Description of the fields is stored in <GUID>.vsch.


Windows Vault Explorer

Windows Vault Explorer is a utility for offline analyzing and decrypting Vault credentials. The decryption Wizard splits the entire process into the following steps:

  1. Looking for Vault folder
  2. Looking for user's or system's Master Key
  3. Setting registry files and other information necessary for decrypting the Master Key
  4. Selecting Vault Schema
  5. Looking for Vault records belonging to selected schema
  6. Decrypting selected Vault credential



Looking for Vault folder

Windows Vault directory

There are currently two types of Vault storage: system and user. The user Vault storage can be located in the following folders:
<USER_APP_DATA>\Microsoft\Vault\<GUID>
<USER_LOCAL_APP_DATA>\Microsoft\Vault\<GUID>
For example,
С:\Users\John\AppData\Local\Microsoft\Vault\18289F5D-9783-43EC-A50D-52DA022B046E
С:\Users\Helen\AppData\Roaming\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

The default location of the system Vault storage is: 
<SYSTEM_APP_DATA>\Microsoft\Vault\<GUID>
<SYSTEM_LOCAL_APP_DATA>\Microsoft\Vault\<GUID>
<PROGRAM_DATA>\Microsoft\Vault\<GUID>
For example,
С:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
С:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204

Note that some of the specified folders have the system attribute set on, which makes these folders hidden.

Windows has VaultCmd.exe utility for creating and managing your own Vault storages.




Selecting Master Key

Browsing for Master Key

Once a certain Vault folder is selected, you need to specify path to the Master Key used in the protection of the Vault encryption keys. The user's Master Key always resides in the folder %APPDATA%\Microsoft\Protect\%SID%, and the system account's Master Keys are stored in %SYSTEMDIR%\Microsoft\Protect. It must be noted that there could be a number of Master Keys, while a specific object could be decrypted using only one key, the name of which is stored in the Policy.vpol file. When searching for the Master Key, the program can filter out unnecessary names.




Decrypting Master Key

Decrypting Master Key

To decrypt a user's Master Key, you need to provide at least two parameters: the user's logon password and his security identifier (SID), which is normally included in the path to the Master Key. The program finds user's SID automatically. If that hasn't been done for whatsoever reason, set it up manually. To decrypt the system's Master Key, we don't need to specify the password; the program will extract all the necessary information from the two registry files: SYSTEM and SECURITY.

In some cases, the decryption of the Master Key requires specifying path to the SAM registry file. That's the case only when the account of the data owner in Windows 8 has the LiveID type.

Windows Password Recovery starting with version 9.7 utilizes some vulnerabilities in DPAPI Master Key encryption. Thus to decrypt ANY Vault entry of a domain user, the owner logon password is not needed any longer.
 




Selecting Vault Schema

Selecting Vault schema

On the fourth step, if the previous ones passed successfully, the program prompts you to select one of the schemas belonging to our Vault from the dropdown list. Just below the list, we can see the general characteristics of the selected schema: its name, version, GUID, flags, number of attributes and credentials.




Selecting Vault credential

Selecting Vault credential

In a similar manner, select one of the credentials of interest that belongs to the schema we have selected during the previous step.




Decrypting Vault credential

Decrypting Vault credential

And at last the final step, where you can view the decrypted record, copy it to clipboard or save to file for further analysis. The figure shows decrypted plain-text password (it is clobbered) of the administrator account configured to logon using biometric information (fingerprint).