The Data Protection Application Programming Interface or DPAPI is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications. Here are just a few examples of applications that use DPAPI and what they use it for:
Applications
Use of DPAPI
Internet Explorer
Password form auto-completion data (username and password for saved sites).
Google Chrome
Password form auto-completion data (username and password for saved sites).
Outlook
Passwords for email accounts.
Remote Desktop Connection
Saved credentials for connections to remote machines.
Credential Manager
Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more.
DPAPI Discovery
# Function to check if a directory exists and handle access errors silently
function Check-Directory {
param ([string]$Path)
try {
if (Test-Path -Path $Path -ErrorAction SilentlyContinue) {
return $true
}
} catch {
return $false
}
return $false
}
# Function to scan for DPAPI-related paths
function Scan-DPAPI {
$basePath = "C:\Users"
# Check if base path exists
if (!(Test-Path $basePath -ErrorAction SilentlyContinue)) {
Write-Error "Base path $basePath does not exist!"
return
}
# Get all user directories
$userDirs = Get-ChildItem -Path $basePath -Directory -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
# List of DPAPI-related paths to check for each user
$pathsToCheck = @(
"\AppData\Roaming\Microsoft\Protect", # User-specific DPAPI Master Keys
"\AppData\Local\Microsoft\Credentials", # Windows Credential Manager
"\AppData\Roaming\Microsoft\Vault", # Credential Vault
"\AppData\Local\Microsoft\Edge\User Data", # Microsoft Edge Data
"\AppData\Roaming\Microsoft\Internet Explorer" # Internet Explorer Data
)
# Scan each user directory
foreach ($userDir in $userDirs) {
Write-Host "Scanning user directory: $userDir" -ForegroundColor Cyan
try {
# Ensure we can access the user directory
if (!(Test-Path $userDir -ErrorAction SilentlyContinue)) {
Write-Warning "No permissions on directory of user: $userDir"
continue
}
foreach ($subPath in $pathsToCheck) {
$fullPath = Join-Path -Path $userDir -ChildPath $subPath
if (Check-Directory -Path $fullPath) {
Write-Host "Found DPAPI-related path: $fullPath" -ForegroundColor Green
}
}
} catch {
Write-Warning "No permissions on directory of user: $userDir"
}
}
# Check system-wide DPAPI paths
$systemPaths = @(
"C:\Windows\System32\Microsoft\Protect" # System-Wide DPAPI Keys
)
Write-Host "Scanning system-wide paths..." -ForegroundColor Yellow
foreach ($sysPath in $systemPaths) {
if (Check-Directory -Path $sysPath) {
Write-Host "Found DPAPI-related path: $sysPath" -ForegroundColor Green
} else {
Write-Warning "No permissions or path not accessible: $sysPath"
}
}
}
# Run the DPAPI scan
Scan-DPAPI
.\ScanDPAPI.ps1
Scanning user directory: C:\Users\Administrator
Scanning user directory: C:\Users\C.Neri
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect
Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Credentials
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Vault
Found DPAPI-related path: C:\Users\C.Neri\AppData\Local\Microsoft\Edge\User Data
Found DPAPI-related path: C:\Users\C.Neri\AppData\Roaming\Microsoft\Internet Explorer
Scanning user directory: C:\Users\c.neri_adm
Scanning user directory: C:\Users\Public
Scanning system-wide paths...
Found DPAPI-related path: C:\Windows\System32\Microsoft\Protect
