Home > Products > Windows Passwords > Windows Password Recovery > Screenshots > Forensic tools > Windows Vault Explorer
Windows Vault analyzer and decoder
01.03.2024
New blog post
Dumping the history of users' IP addresses in Windows
20.02.2024
Reset Windows Password v14.1
IP addresses history viewer, fast disk search, local security editor and some more
02.01.2024
Wireless Password Recovery v6.9.0
A revision of the GPU health monitor along with some minor updates
23.12.2023
HAPPY NEW YEAR!
Happy New Year greetings and holidays discount

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Windows Password Recovery - Vault Explorer and Decoder

 

What is Windows Vault

Windows Vault is a protected storage for user or system secrets, passwords, network keys, web password and other personal information. Data stored in Windows Vault is structured and represents a set of records belonging to a certain Vault schema (see pic. below).

Windows Vault

On the physical level, Vault is a disk-based folder with a set of the following files:

  • Policy.vpol - set of encryption keys for Vault records (credentials). These keys can be protected using two basic methods: either using DPAPI or using a specific user password. The latter protection method is not used in Windows 8 and currently is not supported by the software.
  • .vsch - Vault schema that contains data description, flags and other system information.
  • .vcrd - Vault credential that stores the original encrypted data associated with a certain schema. The data normally consist of several fields. The description of the fields is stored in .vsch.
 

Windows Vault Explorer

Windows Vault Explorer is a utility for offline analyzing and decrypting Vault credentials. The decryption Wizard splits the entire process into the following steps:

  1. Looking for Vault folder
  2. Looking for user's or system's Master Key
  3. Setting registry files and other information necessary for decrypting the Master Key
  4. Selecting Vault Schema
  5. Looking for Vault records belonging to the selected schema
  6. Decrypting selected Vault credential


 

Looking for Vault folder

Windows Vault directory

There are currently two types of Vault storage: system and user. The user Vault storage can be located in the following folders:

%USER_APPDATA%\Microsoft\Vault\
%USER_LOCAL_APPDATA%\Microsoft\Vault\
For example,
С:\Users\John\AppData\Local\Microsoft\Vault\18289F5D-9783-43EC-A50D-52DA022B046E
С:\Users\Helen\AppData\Roaming\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

The default location of the system Vault storage is:
%SYSTEM_APPDATA%\Microsoft\Vault\
%SYSTEM_LOCAL_APPDATA%\Microsoft\Vault\
%PROGRAMDATA%\Microsoft\Vault\
For example,
С:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
С:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204

 

Note that some of the specified folders have the system attribute set on, which makes these folders hidden.

Windows has VaultCmd.exe utility for creating and managing your own Vault storages.



 

Selecting Master Key

Browsing for Master Key

Once a certain Vault folder is selected, you need to specify the path to the Master Key used in the protection of the Vault encryption keys. The user's Master Key always resides in the folder %APPDATA%\Microsoft\Protect\%SID%, and the system account's Master Keys are stored in %SYSTEMDIR%\Microsoft\Protect. It's worth mentioning that a typical user account contains several Master Keys, while a specific object could be decrypted using only one of them, the name of which is stored in the Policy.vpol file. When searching for the Master Key, the program can filter out unnecessary names.



 

Decrypting Master Key

Decrypting Master Key

To decrypt a user's Master Key, you need to provide at least two parameters: the user's logon password and his security identifier (SID), which is normally included in the path to the Master Key. The program finds the user's SID automatically. If that hasn't been done for whatsoever reason, set it up manually. To decrypt the system's Master Key, we don't need to specify the password; the program will extract all the necessary information from the two registry files: SYSTEM and SECURITY.

In some cases, the decryption of the Master Key requires specifying the path to the SAM registry file. That's the case only when the account of the data owner in Windows 8 has the LiveID type.

Windows Password Recovery starting with version 9.7 uses some vulnerabilities in DPAPI Master Key encryption. Thus, to decrypt ANY Vault entry of a domain user, the owner logon password is not needed any longer.
WPR v11.7 supports for Trusted Boot Auto-Logon feature of Windows 10. If the program detects the Trusted Boot Auto-Logon is set for the user, no logon password is required to decrypt the data.
WPR v15 supports additional decryption methods using Windows Hello PIN or biometrics (password-less recovery).
 

 

Selecting Vault Schema

Selecting Vault schema

On the fourth step, if the previous ones passed successfully, the program prompts you to select one of the schemas belonging to our Vault from the dropdown list. Just below the list, we can see the general characteristics of the selected schema: its name, version, GUID, flags, number of attributes and credentials.



 

Selecting Vault credentials

Selecting Vault credential

In a similar manner, select one of the credentials of interest that belongs to the schema we have selected during the previous step.



 

Decrypting Vault credentials

Decrypting Vault credential

And, at last, the final step, where you can view the decrypted record, copy it to clipboard or save to file for further analysis. The figure shows decrypted plain-text password (it is clobbered) of the administrator account configured to logon using biometric information (fingerprint).