How to recover a Vault corrupted by lost DPAPI keys

Applies To: Windows 7

This article applies to the following operating systems:

  • Windows® 7

Background

Windows Vaults stored in the profile of a user are protected by the Windows Data Protection application programming interface (DPAPI). This protection depends on the Security ID (SID) of the user. The SID for the user is unique to the computer on which the user account is created. As a result, simply restoring a previously backed up Vault on a different computer is not sufficient. The DPAPI keys on the new computer also need to be updated so that they can decrypt the restored Vault.

Prerequisites

Before you begin, you will need the following:

  1. The files containing the backed up Vault.

  2. The Password Recovery Disk or the backup directory of the Master key directories. These are needed to figure out the SID of the user. If the user’s computer is joined to a domain, then the SID does not change and the Domain Controller will use the same SID for the new computer that it used for the previous one.

  3. The password of the user on the original computer. The combination of the SID and password is needed.

The restore process

Follow these steps to restore a Vault:

  1. Figure out the SID of the user on the old computer:

    1. The SID can be derived from the Password Recovery Disk of the old computer.

    2. It can also be derived from the path of the folder containing the restored DPAPI Master keys, because the folder is named after the SID. The typical path is: %userprofile%\AppData\Roaming\Microsoft\Protect\<sid>

  2. Adjust registry keys. For example, if you had a non-domain user named user1 with a SID of S-1-5-21-2676219764-1201964595-2451656395-1000, you need to set the following registry values:

    1. [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\S-1-5-21-2676219764-1201964595-2451656395-1000]

    2. [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\S-1-5-21-2676219764-1201964595-2451656395-1000\UserDomain]
       "computer-1"=""

    3. [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\S-1-5-21-2676219764-1201964595-2451656395-1000\UserName]
       "user1"=""

  3. Add a copy of the Master Key file to the following directory: %userprofile%\AppData\Roaming\Microsoft\Protect\S-1-5-21-2676219764-1201964595-2451656395-1000

  4. Run the utility dpapimig.exe (or, on a domain-joined computer, dpapimig.exe -domain) from the command prompt. The utility first tries a blank password; if that fails, it prompts for the old password before proceeding with the migration. Upon successful completion, the Vaults will be usable.
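The following PowerShell script is an added example that is not part of the original article; it strings steps 1.2 through 4 of the procedure above together for a non-domain user and adds the checks an administrator would want before touching the profile (that the backup folder name is a well-formed SID and that it actually contains GUID-named Master Key files). It assumes the article's registry lines are .reg syntax, i.e. REG_SZ values named UserDomain and UserName under the MigratedUsers\<SID> key, and it assumes dpapimig.exe lives in %SystemRoot%\System32; the parameter names, the backup path and the sample account and computer names are constructed placeholders. It is written for the PowerShell 2.0 that ships with Windows 7, so it avoids newer cmdlet parameters such as Get-ChildItem -File.

```powershell
# Added example (not the article's own code). Restores DPAPI Master Keys and
# registers the old identity so dpapimig.exe can re-key a restored Vault.
# Usage (constructed sample values):
#   .\Restore-DpapiVault.ps1 -BackupProtectDir 'D:\backup\Protect\S-1-5-21-2676219764-1201964595-2451656395-1000' `
#                            -OldUserName 'user1' -OldUserDomain 'computer-1'
param(
    # Folder restored from the backup; its leaf name is the old user's SID.
    [Parameter(Mandatory = $true)][string]$BackupProtectDir,
    # Account name and computer name (or domain name) on the ORIGINAL machine.
    [Parameter(Mandatory = $true)][string]$OldUserName,
    [Parameter(Mandatory = $true)][string]$OldUserDomain,
    # Pass this on a domain-joined computer so dpapimig.exe runs with -domain.
    [switch]$DomainJoined
)

$ErrorActionPreference = 'Stop'

# Step 1.2: derive the old SID from the Master Key folder name and validate
# its shape (S-1-5-21-<three sub-authorities>-<RID>) before using it anywhere.
$sid = Split-Path -Leaf $BackupProtectDir
if ($sid -notmatch '^S-1-5-21(-\d+){4}$') {
    throw "Folder name '$sid' is not a well-formed account SID"
}

# Sanity check: a Protect\<SID> folder holds Master Key files named by GUID.
$guidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
$masterKeys = Get-ChildItem -Path $BackupProtectDir |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $guidPattern }
if (-not $masterKeys) {
    throw "No GUID-named Master Key files found in $BackupProtectDir"
}

# Step 2: register the old identity under DPAPI\MigratedUsers\<SID>.
# Assumption: UserDomain and UserName are REG_SZ values directly under the
# SID key (the .reg reading of the article's registry lines).
$migKey = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$sid"
if (-not (Test-Path $migKey)) { New-Item -Path $migKey -Force | Out-Null }
Set-ItemProperty -Path $migKey -Name 'UserDomain' -Value $OldUserDomain -Type String
Set-ItemProperty -Path $migKey -Name 'UserName'   -Value $OldUserName   -Type String

# Step 3: copy the Master Key files into the local Protect\<SID> folder.
# Existing files are left alone so the current profile's keys are never
# overwritten by a stale backup.
$localProtect = Join-Path $env:USERPROFILE "AppData\Roaming\Microsoft\Protect\$sid"
if (-not (Test-Path $localProtect)) {
    New-Item -ItemType Directory -Path $localProtect | Out-Null
}
foreach ($mk in $masterKeys) {
    $dest = Join-Path $localProtect $mk.Name
    if (Test-Path $dest) {
        Write-Warning "Skipping $($mk.Name): already present in $localProtect"
        continue
    }
    Copy-Item -Path $mk.FullName -Destination $dest
}

# Step 4: run the migration tool. It tries a blank password first and then
# prompts for the old password, so this script does not handle the password
# itself. Assumed location: %SystemRoot%\System32\dpapimig.exe.
$dpapimig = Join-Path $env:SystemRoot 'System32\dpapimig.exe'
if (-not (Test-Path $dpapimig)) { throw "dpapimig.exe not found at $dpapimig" }
if ($DomainJoined) { & $dpapimig -domain } else { & $dpapimig }
Write-Host "dpapimig.exe exited with code $LASTEXITCODE; if it reported success, the restored Vault should now be usable."
```

Run the script from the profile of the user who will own the restored Vault, since the MigratedUsers key and the Protect folder are both per-user (HKCU and %userprofile%). Keeping the SID check and the GUID-file check in front of the registry and file changes means a wrong backup path fails before anything on the machine is modified.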