Overview

The search command looks for potential DPAPI blobs in the Windows registry, in files and folders, and in base64-encoded strings. It does this by scanning for the DPAPI blob header signature, which lets it surface DPAPI-protected data stored in hidden or non-standard locations. Anything it finds can then be decrypted with the blob command.

Basic Usage

# Search entire registry
SharpDPAPI.exe search /type:registry

# Search specific registry path
SharpDPAPI.exe search /type:registry /path:HKLM\Software\CustomApp

# Search folder
SharpDPAPI.exe search /type:folder /path:C:\ProgramData\App

# Search specific file
SharpDPAPI.exe search /type:file /path:C:\config.dat

# Validate base64 blob
SharpDPAPI.exe search /type:base64 /base:AQAAAAAADQCAAAAAgA...

Command Arguments

Search Types

Type     | Description                                            | Arguments
---------|--------------------------------------------------------|---------------------------------------------------
registry | Search the Windows registry for DPAPI blobs            | Optional: /path, /showErrors
folder   | Search a folder recursively for DPAPI blobs            | Required: /path; Optional: /maxBytes, /showErrors
file     | Search a specific file for DPAPI blobs                 | Required: /path; Optional: /maxBytes
base64   | Validate whether a base64 string contains a DPAPI blob | Required: /base

Additional Arguments

Argument     | Description
-------------|-----------------------------------------------------
/path:PATH   | Registry path or file/folder path to search
/maxBytes:N  | Maximum bytes to read from each file (default: 1024)
/showErrors  | Display errors encountered during enumeration
/base:BASE64 | Base64 string to validate as a DPAPI blob

DPAPI Blob Header Signature

The search command looks for this byte sequence:
0x01, 0x00, 0x00, 0x00, 0xD0, 0x8C, 0x9D, 0xDF,
0x01, 0x15, 0xD1, 0x11, 0x8C, 0x7A, 0x00, 0xC0,
0x4F, 0xC2, 0x97, 0xEB
This represents:
  • Version: 0x01000000 (Version 1)
  • Provider GUID: DF9D8CD0-0115-D111-8C7A-00C04FC297EB

Search Type: Registry

Registry Search Behavior:
  • Searches HKLM and HKU hives by default
  • Recursively enumerates all subkeys
  • Checks all registry values for DPAPI headers
  • /showErrors displays access denied and other errors
Example Output:
[*] Searching registry for DPAPI blobs...

[+] Found DPAPI blob at:
    Path: HKLM\Software\CustomApp\Settings
    Value: EncryptedPassword
    Size: 512 bytes

[+] Found DPAPI blob at:
    Path: HKCU\Software\Application\Config
    Value: UserCredential
    Size: 256 bytes

Search Type: Folder

# Search folder (default 1024 bytes per file)
SharpDPAPI.exe search /type:folder /path:C:\ProgramData\Application

# Search with larger byte limit
SharpDPAPI.exe search /type:folder /path:C:\Users\admin\Documents /maxBytes:4096

# Show enumeration errors
SharpDPAPI.exe search /type:folder /path:C:\Windows\System32 /showErrors
Folder Search Behavior:
  • Recursively searches all files in folder
  • Reads up to /maxBytes from beginning of each file (default: 1024)
  • Searches read bytes for DPAPI blob header
  • /showErrors displays file access errors
Example Output:
[*] Searching folder for DPAPI blobs...

[+] Found DPAPI blob in file:
    Path: C:\ProgramData\Application\config.dat
    Offset: 64 bytes
    Size: ~340 bytes

[+] Found DPAPI blob in file:
    Path: C:\ProgramData\Application\backup\credentials.bin
    Offset: 0 bytes
    Size: ~512 bytes
Use /maxBytes to increase search depth for larger files, but be aware this increases search time.

Search Type: File

# Search specific file (default 1024 bytes)
SharpDPAPI.exe search /type:file /path:C:\config\settings.dat

# Search with larger byte limit
SharpDPAPI.exe search /type:file /path:C:\data\large-config.bin /maxBytes:10240
File Search Behavior:
  • Reads up to /maxBytes from beginning of file (default: 1024)
  • Searches read bytes for DPAPI blob header
  • Reports offset and approximate size
Example Output:
[*] Searching file for DPAPI blobs...

[+] Found DPAPI blob in file:
    Path: C:\config\settings.dat
    Offset: 128 bytes
    Blob starts at byte 128

Search Type: Base64

# Validate base64 string contains DPAPI blob
SharpDPAPI.exe search /type:base64 /base:AQAAAAAADQCAAAAAgAAAAAAAAAAAAAABAAAAAAAA...
Base64 Search Behavior:
  • Decodes base64 string
  • Checks for DPAPI blob header signature
  • Validates blob structure
Example Output:
[*] Validating base64 string for DPAPI blob...

[+] Valid DPAPI blob found
    Decoded size: 342 bytes
    Blob appears valid
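The scanning, offset reporting and base64 validation described in the file and base64 sections above (and the header signature listed under "DPAPI Blob Header Signature") come down to one byte-string search. The following Python is an added example written for this page, not SharpDPAPI's own code. It reproduces the search logic offline so an analyst can triage evidence files without running the tool: it finds every header occurrence within a /maxBytes-style window, decodes the provider GUID into its canonical string form (df9d8cd0-1501-11d1-8c7a-00c04fc297eb, which is the same 16 bytes as the signature read with the usual GUID field byte-swap), and additionally pulls out the master key GUID and description that follow the header, since those tell a responder which master key a blob depends on. The sample blob and "config file" are constructed here; the master key GUID inside them is made up.

```python
import base64
import binascii
import struct
import uuid
from typing import List, Optional

# The 20-byte prefix the search command scans for: a 4-byte little-endian version
# (1) followed by the DPAPI provider GUID in on-disk byte order.
DPAPI_BLOB_SIGNATURE = bytes([
    0x01, 0x00, 0x00, 0x00, 0xD0, 0x8C, 0x9D, 0xDF,
    0x01, 0x15, 0xD1, 0x11, 0x8C, 0x7A, 0x00, 0xC0,
    0x4F, 0xC2, 0x97, 0xEB,
])


def parse_blob_header(data: bytes, offset: int = 0) -> dict:
    """Decode the fixed header fields at `offset`; raise ValueError if the signature is absent.

    Layout: version(4) provider GUID(16) masterkey version(4) masterkey GUID(16)
    flags(4) description length(4) description (UTF-16LE). Fields that fall beyond
    the end of `data` (e.g. a file read with a small /maxBytes) are left as None.
    """
    if data[offset:offset + 20] != DPAPI_BLOB_SIGNATURE:
        raise ValueError("no DPAPI blob header at offset %d" % offset)
    info = {
        "offset": offset,
        "version": struct.unpack_from("<I", data, offset)[0],
        # UUID(bytes_le=...) applies the same field byte-swap Windows uses for GUIDs
        "provider_guid": str(uuid.UUID(bytes_le=data[offset + 4:offset + 20])),
        "masterkey_guid": None,
        "description": None,
    }
    if len(data) >= offset + 40:
        # Identifies which master key file the blob depends on: useful triage data
        info["masterkey_guid"] = str(uuid.UUID(bytes_le=data[offset + 24:offset + 40]))
    if len(data) >= offset + 48:
        desc_len = struct.unpack_from("<I", data, offset + 44)[0]
        desc = data[offset + 48:offset + 48 + desc_len]
        if desc_len and len(desc) == desc_len:
            info["description"] = desc.decode("utf-16-le", errors="replace").rstrip("\x00")
    return info


def find_blobs(data: bytes, max_bytes: Optional[int] = None) -> List[dict]:
    """Report every header occurrence in the first `max_bytes` of `data` (None = all)."""
    window = data if max_bytes is None else data[:max_bytes]
    hits, start = [], 0
    while True:
        idx = window.find(DPAPI_BLOB_SIGNATURE, start)
        if idx < 0:
            return hits
        hits.append(parse_blob_header(window, idx))
        start = idx + 1


def scan_file(path: str, max_bytes: int = 1024) -> List[dict]:
    """Counterpart of `search /type:file`: read the first `max_bytes` of a file and scan them."""
    with open(path, "rb") as fh:
        return find_blobs(fh.read(max_bytes))


def validate_base64_blob(text: str) -> Optional[dict]:
    """Counterpart of `search /type:base64`: decode, then require the header at offset 0."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(DPAPI_BLOB_SIGNATURE):
        return None
    info = parse_blob_header(raw)
    info["decoded_size"] = len(raw)
    return info


def build_sample_blob(description: str = "Example credential") -> bytes:
    """Constructed stand-in for a blob: genuine header layout, made-up master key GUID, no ciphertext."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (DPAPI_BLOB_SIGNATURE
            + struct.pack("<I", 1)                                        # master key version
            + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # made-up master key GUID
            + struct.pack("<I", 0)                                        # flags
            + struct.pack("<I", len(desc)) + desc)


# Constructed "config file": 64 bytes of padding, the sample blob, then trailing bytes.
SAMPLE_FILE = b"\x00" * 64 + build_sample_blob() + b"\xAA" * 200
SAMPLE_BASE64 = base64.b64encode(build_sample_blob()).decode()

if __name__ == "__main__":
    for hit in find_blobs(SAMPLE_FILE, max_bytes=1024):
        print("blob at offset %d, provider %s, master key %s, description %r"
              % (hit["offset"], hit["provider_guid"], hit["masterkey_guid"], hit["description"]))
    print("with a 32-byte window the blob is missed:", find_blobs(SAMPLE_FILE, max_bytes=32))
    print("base64 sample valid:", validate_base64_blob(SAMPLE_BASE64) is not None)
```

The 32-byte run illustrates the /maxBytes caveat from the folder and file sections: a blob that starts past the read window is simply not seen, so a "no blobs found" result on a large file says nothing until the window is enlarged.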

Common Search Scenarios

Search common application directories:
# Application data
SharpDPAPI.exe search /type:folder /path:C:\ProgramData

# User application data
SharpDPAPI.exe search /type:folder /path:C:\Users\admin\AppData\Local

# Look in registry
SharpDPAPI.exe search /type:registry /path:HKLM\Software
Find DPAPI usage in custom applications:
# Search application directory
SharpDPAPI.exe search /type:folder /path:"C:\Program Files\CustomApp"

# Search configuration files
SharpDPAPI.exe search /type:file /path:"C:\Program Files\CustomApp\config.xml" /maxBytes:8192

# Search application registry keys
SharpDPAPI.exe search /type:registry /path:HKLM\Software\CustomApp
Comprehensive DPAPI discovery:
# Search entire registry
SharpDPAPI.exe search /type:registry

# Search common data directories
SharpDPAPI.exe search /type:folder /path:C:\ProgramData
SharpDPAPI.exe search /type:folder /path:C:\Windows\System32\config

# Search user profiles
SharpDPAPI.exe search /type:folder /path:C:\Users
Analyze extracted data:
# Search evidence directory
SharpDPAPI.exe search /type:folder /path:C:\Evidence\

# Validate extracted blob
SharpDPAPI.exe search /type:base64 /base:AQAAAAAADQCAAAAAgA...

# Search specific suspect file
SharpDPAPI.exe search /type:file /path:C:\Evidence\unknown.dat /maxBytes:10240

Using Search Results

Once DPAPI blobs are found, decrypt them with the blob command:

1. Search for blobs:

   SharpDPAPI.exe search /type:folder /path:C:\ProgramData\App

2. Note file paths: record the paths of the files (or registry values) containing DPAPI blobs.

3. Decrypt discovered blobs:

   # Extract from registry
   reg query "HKLM\Software\CustomApp" /v EncryptedPassword

   # Decrypt found file
   SharpDPAPI.exe blob /target:C:\ProgramData\App\config.dat /pvk:key.pvk

Registry Search Targets

High-value registry locations for DPAPI blobs:
HKLM\Software\
HKLM\System\CurrentControlSet\Services\
HKCU\Software\
HKU\*\Software\
Specific Applications:
  • Custom enterprise software
  • Third-party credential managers
  • Backup/sync applications
  • Remote access tools
  • Automation software

File System Search Targets

Common locations containing DPAPI blobs:
C:\ProgramData\
C:\Users\*\AppData\Local\
C:\Users\*\AppData\Roaming\
C:\Windows\System32\config\systemprofile\
C:\Windows\ServiceProfiles\
File Types:
  • Configuration files (.config, .xml, .json)
  • Database files (.db, .sqlite)
  • Binary data files (.dat, .bin)
  • Application-specific formats

Performance Considerations

Registry and folder searches can be time-consuming on large systems. Target specific paths when possible.
Optimization Tips:
  • Use specific /path instead of full searches
  • Reduce /maxBytes for faster file scanning
  • Target known application directories
  • Use /showErrors only when troubleshooting
  • Search user-specific locations instead of system-wide

Detection Considerations

Host-Based Indicators:
  • Bulk registry enumeration
  • File system traversal patterns
  • High volume of file reads
  • Access to protected registry keys
  • Systematic directory enumeration
Defensive Monitoring:
  • Monitor for registry enumeration tools
  • Alert on bulk file access patterns
  • Track process accessing many files quickly
  • Detect systematic directory traversal
  • Monitor protected registry key access
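The "bulk file access" and "systematic directory traversal" indicators above can be turned into a concrete rule. The Python below is an added example for this page, not part of SharpDPAPI or any SIEM product. It assumes object-access audit records in the shape of Windows Security event 4663 (time, process id, image, object type File or Key, object path); the records here are constructed, and the thresholds (20 distinct objects across at least 5 parent folders or keys within 60 seconds) are illustrative and would need tuning per environment. The rule reports, per process and object type, the busiest window it saw, so a single scanner run over six directories and a block of registry keys produces two alerts while a document editor opening a few files does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def bulk_access_alerts(events: List[Dict], window_seconds: int = 60,
                       min_objects: int = 20, min_dirs: int = 5) -> List[Dict]:
    """Flag a process that touches many distinct files or registry keys spread over
    many parent containers inside one sliding time window.

    Each event has: time (ISO 8601), pid, image, type ("File" or "Key"), object
    (full path). One alert per (process, type), describing the busiest window seen.
    """
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["pid"], ev["image"], ev["type"])].append(
            (datetime.fromisoformat(ev["time"]), ev["object"]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (pid, image, kind), recs in by_proc.items():
        recs.sort()
        best, lo = None, 0
        for hi in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1
            objects = {obj for _, obj in recs[lo:hi + 1]}
            # Parent folder for files, parent key for registry values/keys
            parents = {obj.rsplit("\\", 1)[0] for obj in objects}
            if (len(objects) >= min_objects and len(parents) >= min_dirs
                    and (best is None or len(objects) > best["distinct_objects"])):
                best = {"pid": pid, "image": image, "object_type": kind,
                        "distinct_objects": len(objects), "distinct_parents": len(parents),
                        "window_start": recs[lo][0].isoformat(),
                        "window_end": recs[hi][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


def constructed_events() -> List[Dict]:
    """Constructed sample in the shape of event 4663 object-access records; not real log data."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def rec(offset: int, pid: int, image: str, kind: str, obj: str) -> Dict:
        return {"time": (base + timedelta(seconds=offset)).isoformat(),
                "pid": pid, "image": image, "type": kind, "object": obj}

    events = []
    # A scanner walking six directories: 30 files read in 30 seconds
    for i in range(30):
        events.append(rec(i, 4120, r"C:\Temp\scanner.exe", "File",
                          r"C:\ProgramData\App%d\file%d.dat" % (i % 6, i)))
    # ...then enumerating 25 vendor keys under HKLM\Software
    for i in range(25):
        events.append(rec(40 + i, 4120, r"C:\Temp\scanner.exe", "Key",
                          r"HKLM\Software\Vendor%d\Settings" % i))
    # Benign baseline: a document editor opening three files over ten minutes
    for i in range(3):
        events.append(rec(200 * i, 2200, r"C:\Program Files\Editor\editor.exe", "File",
                          r"C:\Users\alice\Documents\report%d.docx" % i))
    return events


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    for alert in bulk_access_alerts(SAMPLE_EVENTS):
        print(alert)
```

Requiring breadth (distinct parents) as well as volume is what keeps a backup agent or a build process that hammers one directory from tripping the rule, while a recursive search that visits many folders or keys in a short span still does.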

Tips

  • Start with known application directories
  • Use registry searches for custom software
  • Increase /maxBytes for large configuration files
  • Combine with file system analysis tools
  • Document all discovered blob locations
  • Targeted searches are less noisy than full scans
  • Consider time-of-day for extensive searches
  • File system searches generate disk I/O patterns
  • Registry enumeration may trigger alerts
  • Use /showErrors sparingly (generates noise)
No blobs found:
  • Application may not use DPAPI
  • Blobs may be in non-standard locations
  • Check file encoding (may need larger /maxBytes)
  • Verify search path is correct
  • Try searching parent directories
Access denied errors:
  • Need elevation for protected registry keys
  • Some files require admin access
  • System directories may be restricted
  • Use /showErrors to see all errors
Search takes too long:
  • Reduce scope to specific directories
  • Lower /maxBytes value
  • Target specific registry paths
  • Exclude large directories

Advanced Usage

# Find all .dat files under a directory and run a file search on each one
Get-ChildItem -Path C:\ProgramData -Recurse -Filter *.dat -File -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Searching: $($_.FullName)"
    # Quote the argument so paths containing spaces reach the tool intact
    & SharpDPAPI.exe search /type:file "/path:$($_.FullName)"
}