
Stepped into a DPAPI inner-functioning question...

I'm (potentially) in a pre-logon context, which means no user has logged on yet.

Since the CryptProtectData function uses the current user's credentials, how will it act?

So I was wondering whether there is any issue with this, or if it is simply unusable in this context.

And... whatever the answer may be, does anyone know what (or how to find out) the "key" used for the LOCAL_MACHINE flag is? What kind of credentials/identifier is used to make the encryption specific to the machine?

Answers/advice/redirections/suggestions will be greatly appreciated.

Kianii

1 Answer


In your case you should use the CRYPTPROTECT_LOCAL_MACHINE flag for the dwFlags parameter.

If you don't, only the SYSTEM user can decrypt the protected data.

Alexander
  • That's what I guessed too, but I like to understand what I'm using. And it really looks useless, like... just log on to the guest session and you're free to go! I was hoping for someone to tell me "hey! It's fine! It's more secure than you think because..." – Kianii Oct 11 '18 at 13:22
  • The internals of the cryptographic key used to encrypt the data are not revealed, but it is proven that this key is transferable between different computers of the same domain (roaming profiles). – Alexander Oct 11 '18 at 13:27
  • If you use the flag `CRYPTPROTECT_LOCAL_MACHINE`, any user on this machine (even guest) can decrypt this data. – Alexander Oct 11 '18 at 13:31
  • Well, thanks for not reassuring me then! =D (It's even worse with roaming profiles enabled...) Still an answer though. – Kianii Oct 11 '18 at 14:07
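As an added illustration of the answer and the comment about guest access (example code, not from the question, the answer or the commenters), the .NET ProtectedData wrapper around CryptProtectData/CryptUnprotectData is used below to compare the LocalMachine and CurrentUser scopes, and to show the optional-entropy parameter (pOptionalEntropy in the native API) as the usual way to keep a LocalMachine blob from being readable by every account on the host. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the secret and entropy values are constructed samples.

```powershell
# Added example: DPAPI scopes via the .NET ProtectedData wrapper (Windows only).
Add-Type -AssemblyName System.Security

$secret  = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')
$entropy = [Text.Encoding]::UTF8.GetBytes('constructed-secondary-secret')   # pOptionalEntropy

# LocalMachine == CRYPTPROTECT_LOCAL_MACHINE: the machine master key is used, so any
# account on this host (SYSTEM, guest, a pre-logon service) can unprotect the blob.
$machineBlob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)

# CurrentUser binds the blob to the calling account's master key. A pre-logon service
# running as SYSTEM therefore produces a blob only SYSTEM can read (the answer's point).
$userBlob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)

# Hardening for the machine scope: mix in optional entropy. The machine key alone is then
# not sufficient; whoever unprotects must also present this second value.
$machineBlobWithEntropy = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)

function Test-Unprotect {
    param(
        [byte[]]$Blob,
        [byte[]]$Entropy,
        [Security.Cryptography.DataProtectionScope]$Scope
    )
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
        return [Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong account (CurrentUser scope) or missing entropy lands here.
        return "DECRYPT FAILED: $($_.Exception.Message)"
    }
}

'{0,-34} {1}' -f 'LocalMachine, no entropy:',        (Test-Unprotect $machineBlob $null LocalMachine)
'{0,-34} {1}' -f 'CurrentUser:',                     (Test-Unprotect $userBlob $null CurrentUser)
'{0,-34} {1}' -f 'LocalMachine + entropy (correct):', (Test-Unprotect $machineBlobWithEntropy $entropy LocalMachine)
'{0,-34} {1}' -f 'LocalMachine + entropy (missing):', (Test-Unprotect $machineBlobWithEntropy $null LocalMachine)

# To see the access difference the answer describes, save $machineBlob and $userBlob to disk
# and run the Unprotect calls from a different account on the same host: the LocalMachine
# blob unprotects for every local account, the CurrentUser blob only for the account that created it.
```

In the same session all but the last line decrypt; the missing-entropy case fails, which is the behaviour a defender relies on when a LocalMachine blob must survive on a shared host.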