Overview

The blob command decrypts arbitrary DPAPI blobs provided as base64 strings or binary files. This is a general-purpose decryption tool for any DPAPI-protected data not covered by other specific commands.
DPAPI blobs are the fundamental encrypted data structure used throughout Windows. This command can decrypt any DPAPI blob if you have the appropriate masterkeys.

Basic Usage

# Decrypt blob file with CryptUnprotectData (unprivileged)
SharpDPAPI.exe blob /target:C:\Path\To\blob.bin /unprotect

# Decrypt blob with domain backup key
SharpDPAPI.exe blob /target:C:\Path\To\blob.bin /pvk:key.pvk

# Decrypt base64 blob with masterkey mappings
SharpDPAPI.exe blob /target:AQAAAAAADQCAAAAAgA... {GUID}:SHA1

# Decrypt blob file with user password
SharpDPAPI.exe blob /target:C:\Path\To\blob.bin /password:Password123!

The /target parameter is required for the blob command. You must specify either a file path or base64-encoded blob data.

Command Arguments

Required Arguments

Argument            Description
/target:BASE64      Base64-encoded DPAPI blob to decrypt
/target:blob.bin    Path to binary file containing DPAPI blob

Decryption Methods

  • CryptUnprotectData
  • Domain Backup Key
  • Masterkey Mappings
  • User Credentials

CryptUnprotectData:
# Use Windows API for decryption (unprivileged)
SharpDPAPI.exe blob /target:C:\Temp\blob.bin /unprotect
This method works without masterkeys if run from the user context who created the blob. No LSASS access required!
The /server argument is not applicable to the blob command since you must specify a specific target blob or file.

Example: Decrypting Binary Blob File with /unprotect

SharpDPAPI.exe blob /target:C:\Temp\blob.bin /unprotect
Output:
[*] Action: Describe DPAPI blob

[*] Using CryptUnprotectData() for decryption.

    guidMasterKey    : {0241bc33-44ae-404a-b05d-a35eea8cbc63}
    size             : 170
    flags            : 0x0
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      :
    dec(blob)        : Password123!

Example: Decrypting with Masterkey Mappings

SharpDPAPI.exe blob /target:C:\Temp\blob2.bin {0241bc33-44ae-404a-b05d-a35eea8cbc63}:E7E481877B9D51C17E015EB3C1F72FB887363EE3
Output:
[*] Action: Describe DPAPI blob

[*] Using CryptUnprotectData() for decryption.

    guidMasterKey    : {0241bc33-44ae-404a-b05d-a35eea8cbc63}
    size             : 314
    flags            : 0x0
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      :
    dec(blob)        : 01 00 00 00 3F 3F 3F 3F 01 15 3F 11 3F 7A 00 3F 4F 3F 3F ...
Binary data is displayed as hex bytes. Text data is displayed as a string.

Example: Decrypting with Domain Backup Key

SharpDPAPI.exe blob /target:C:\Temp\blob2.bin /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...
Output:
[*] Action: Describe DPAPI blob

[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!

[*] User master key cache:

{0241bc33-44ae-404a-b05d-a35eea8cbc63}:E7E481877B9D51C17E015EB3C1F72FB887363EE3

    guidMasterKey    : {0241bc33-44ae-404a-b05d-a35eea8cbc63}
    size             : 314
    flags            : 0x0
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      :
    dec(blob)        : 01 00 00 00 3F 3F 3F 3F 01 15 3F 11 3F 7A 00 3F 4F 3F 3F ...

DPAPI Blob Structure

A DPAPI blob contains:

Field             Description
guidMasterKey     GUID of masterkey used for encryption
size              Size of encrypted data
flags             Protection flags (e.g., CRYPTPROTECT_SYSTEM)
algHash           Hash algorithm used (e.g., CALG_SHA)
algCrypt          Encryption algorithm used (e.g., CALG_3DES, CALG_AES_256)
description       Optional description string
encrypted data    The actual encrypted content
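As an added example (not SharpDPAPI's own code), a Python parser that walks this header layout without any key: it checks the fixed DPAPI signature (version 1 plus the provider GUID) and reports the masterkey GUID, flags and algorithms, which is what a responder needs when checking whether an unknown file really is a blob and which masterkey and scope it belongs to. The field order beyond the page's table (salt, HMAC keys, signature), the CALG_SHA_512 value and the constructed test blob are my assumptions.

```python
import struct
import uuid

# Fixed DPAPI signature: dwVersion=1 followed by this provider GUID, whatever the extension says.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
FLAGS = {0x1: "CRYPTPROTECT_UI_FORBIDDEN", 0x4: "CRYPTPROTECT_LOCAL_MACHINE",
         0x20000000: "CRYPTPROTECT_SYSTEM"}
ALGS = {26115: "CALG_3DES", 26126: "CALG_AES_128", 26128: "CALG_AES_256",
        32772: "CALG_SHA", 32782: "CALG_SHA_512"}   # 32782 (0x800e) is an assumption

class Reader:
    """Sequential little-endian reader that refuses to run past the end of the buffer."""
    def __init__(self, buf): self.buf, self.off = buf, 0
    def take(self, n):
        if self.off + n > len(self.buf): raise ValueError("truncated DPAPI blob")
        chunk, self.off = self.buf[self.off:self.off + n], self.off + n
        return chunk
    def dword(self): return struct.unpack("<I", self.take(4))[0]
    def counted(self): return self.take(self.dword())   # DWORD length, then that many bytes

def parse_dpapi_blob(buf: bytes) -> dict:
    """Walk the header in on-disk order; no masterkey or decryption is involved."""
    r = Reader(buf)
    version, provider = r.dword(), uuid.UUID(bytes_le=r.take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    r.dword()                                            # dwMasterKeyVersion
    guid_mk = uuid.UUID(bytes_le=r.take(16))
    flags, desc = r.dword(), r.counted()                 # description is UTF-16LE + NUL
    alg_crypt, _key_bits, _salt = r.dword(), r.dword(), r.counted()
    _hmac_key = r.counted()                              # legacy HMAC key, normally empty
    alg_hash, _hash_bits, _hmac2_key = r.dword(), r.dword(), r.counted()
    data, sign = r.counted(), r.counted()                # ciphertext, then HMAC signature
    return {"guidMasterKey": "{%s}" % guid_mk, "size": len(buf), "flags": flags,
            "flag_names": [name for bit, name in FLAGS.items() if flags & bit],
            "description": desc.decode("utf-16-le").rstrip("\x00"),
            "algHash": ALGS.get(alg_hash, str(alg_hash)),
            "algCrypt": ALGS.get(alg_crypt, str(alg_crypt)),
            "data_len": len(data), "sign_len": len(sign)}

def build_sample_blob(flags=0x0, description="", data_len=16) -> bytes:
    """Constructed test blob: real layout, placeholder bytes where ciphertext would be."""
    def counted(b): return struct.pack("<I", len(b)) + b
    mk = uuid.UUID("0241bc33-44ae-404a-b05d-a35eea8cbc63")   # masterkey GUID from the page
    desc = (description + "\x00").encode("utf-16-le") if description else b""
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + mk.bytes_le + struct.pack("<I", flags) + counted(desc)
            + struct.pack("<II", 26115, 192) + counted(b"\x11" * 16) + counted(b"")
            + struct.pack("<II", 32772, 160) + counted(b"") + counted(b"\x22" * data_len)
            + counted(b"\x33" * 20))
```

The same check covers the "Check file header for DPAPI signature" and "Check blob flags" steps listed under troubleshooting: a ValueError means the data is not a blob or is truncated, and CRYPTPROTECT_LOCAL_MACHINE in flag_names explains why a user-context /unprotect fails.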

Common DPAPI Blob Sources

  • Browser saved passwords
  • Application credentials
  • Windows settings
  • Software configurations
  • Configuration files
  • Credential stores
  • Encrypted user data
  • Application data
  • Process memory containing DPAPI data
  • Crash dumps with credentials
  • Hibernation files
  • Third-party software using DPAPI
  • Custom credential management
  • Encrypted configuration data

Finding DPAPI Blobs

Use the search command to find DPAPI blobs:
# Search registry
SharpDPAPI.exe search /type:registry

# Search folder
SharpDPAPI.exe search /type:folder /path:C:\ProgramData\

# Search specific file
SharpDPAPI.exe search /type:file /path:C:\config.dat

# Search base64 string
SharpDPAPI.exe search /type:base64 /base:AQAAAAAADQCAAAAAgA...

Common Scenarios

Decrypt DPAPI blobs from custom applications:
# Find blobs in application directory
SharpDPAPI.exe search /type:folder /path:C:\Program Files\CustomApp\

# Decrypt discovered blob
SharpDPAPI.exe blob /target:C:\Program Files\CustomApp\encrypted.dat /unprotect

Extract and decrypt registry DPAPI blobs:
# Extract from registry
$regValue = Get-ItemProperty -Path "HKCU:\Software\App" -Name "EncryptedData"
$base64 = [Convert]::ToBase64String($regValue.EncryptedData)
# Decrypt the blob
SharpDPAPI.exe blob /target:AQAAAAAADQCAAAAAgA... /unprotect

Decrypt arbitrary DPAPI blobs with domain backup key:
# 1. Retrieve backup key
SharpDPAPI.exe backupkey /file:key.pvk

# 2. Find interesting blobs
SharpDPAPI.exe search /type:folder /path:C:\ProgramData\

# 3. Decrypt discovered blobs
SharpDPAPI.exe blob /target:C:\ProgramData\App\data.bin /pvk:key.pvk

Analyze extracted DPAPI blobs:
# Decrypt with backup key
SharpDPAPI.exe blob /target:C:\Evidence\unknown.blob /pvk:key.pvk

# Decrypt with known masterkey
SharpDPAPI.exe blob /target:C:\Evidence\unknown.blob {GUID}:SHA1

Blob Flags

Common DPAPI protection flags:

Flag                          Value         Description
CRYPTPROTECT_UI_FORBIDDEN     0x1           No UI prompts
CRYPTPROTECT_LOCAL_MACHINE    0x4           Machine-scope protection
CRYPTPROTECT_SYSTEM           0x20000000    System credential protection
The CRYPTPROTECT_SYSTEM flag (0x20000000) indicates credentials saved by Windows services or scheduled tasks.

Encryption Algorithms

Common DPAPI encryption algorithms:

Algorithm       Value    Description
CALG_3DES       26115    Triple DES encryption
CALG_AES_128    26126    AES-128 encryption
CALG_AES_256    26128    AES-256 encryption (newer Windows)

Detection Considerations

Host-Based Indicators:
  • Reading unknown/arbitrary files
  • Processing base64-encoded data
  • Decryption attempts on multiple blobs
  • Access patterns suggesting blob enumeration
Defensive Monitoring:
  • Monitor for bulk file access patterns
  • Alert on DPAPI-related process activity
  • Track access to application credential stores
  • Detect registry value enumeration
  • Monitor for LSASS access (when not using /unprotect)
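Added detection example, not from the page or from SharpDPAPI: it runs over constructed process-creation events and flags command lines by the blob command's documented argument shapes (masterkey GUID:SHA1 mappings, an inline base64 blob, /pvk, /unprotect), which keeps working when the image name is not SharpDPAPI.exe. The Sysmon-style field names, the sample events and the base64 prefix derived from the DPAPI header are assumptions.

```python
import base64
import re

# Base64 of the fixed DPAPI header (dwVersion=1 + provider GUID): a blob passed inline as
# /target:<base64> always starts with these 26 characters, so a logged command line carries
# the blob itself. Derived here, not copied from the page's shortened placeholder.
DPAPI_B64_PREFIX = base64.b64encode(
    b"\x01\x00\x00\x00" + bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb"))[:26].decode()
# Argument shapes the blob command documents; matching on these instead of the image name
# keeps the rule useful when the executable has been renamed.
MASTERKEY_MAPPING = re.compile(r"\{[0-9a-fA-F-]{36}\}:[0-9a-fA-F]{40}")
INLINE_BLOB = re.compile(r"/target:" + re.escape(DPAPI_B64_PREFIX) + r"[A-Za-z0-9+/=]*")
BACKUP_KEY = re.compile(r"(?:^|\s)/pvk:\S+", re.IGNORECASE)
UNPROTECT = re.compile(r"(?:^|\s)/unprotect(?=\s|$)", re.IGNORECASE)

def classify_command_line(cmd: str) -> list:
    """Name each blob-decryption indicator present in one process command line."""
    reasons = []
    if MASTERKEY_MAPPING.search(cmd):
        reasons.append("masterkey GUID:SHA1 mapping passed as argument")
    if INLINE_BLOB.search(cmd):
        reasons.append("inline base64 DPAPI blob on the command line")
    if BACKUP_KEY.search(cmd):
        reasons.append("domain backup key (/pvk) supplied")
    if UNPROTECT.search(cmd):
        reasons.append("CryptUnprotectData path: no LSASS access, so this log is the signal")
    return reasons

# Constructed process-creation events with Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\bob\svc.exe",
     "CommandLine": r"svc.exe blob /target:C:\Temp\blob2.bin "
                    "{0241bc33-44ae-404a-b05d-a35eea8cbc63}:"
                    "E7E481877B9D51C17E015EB3C1F72FB887363EE3"},
    {"ProcessId": 4188, "Image": r"C:\Users\bob\svc.exe",
     "CommandLine": "svc.exe blob /target:" + DPAPI_B64_PREFIX + "AAAA /unprotect"},
    {"ProcessId": 5004, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\Temp\notes.txt"},
]

def triage(events) -> dict:
    """Map ProcessId to reasons for every event showing a blob-decryption indicator."""
    hits = {}
    for event in events:
        reasons = classify_command_line(event["CommandLine"])
        if reasons:
            hits[event["ProcessId"]] = reasons
    return hits
```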

Tips

  • Use the search command to locate DPAPI blobs first
  • Extract blobs from registry using PowerShell
  • Binary data may require further parsing after decryption
  • Check blob flags to understand protection scope
  • Text data will be displayed directly, binary as hex
  • Prefer /unprotect when running as target user
  • Target specific blobs to avoid bulk processing
  • Redirect output to file with /consoleoutfile
  • Consider the visibility of accessing unusual files
  • Base64 blobs in command line may be logged

Troubleshooting

Decryption fails with /unprotect:
  • Must run from user context who created the blob
  • Try using masterkeys or backup key instead
  • Verify you’re running as correct user
  • Blob may use machine-scope protection
Invalid blob format:
  • Data may not be a DPAPI blob
  • File may be corrupted
  • Check file header for DPAPI signature
  • Verify base64 encoding is correct
Decrypted data is binary:
  • Data is not plain text
  • May require additional parsing
  • Check application documentation
  • Could be encrypted with additional layer