DataProtectionDecryptor permits the decryption of Windows passwords and other information that has been encrypted by DPAPI (Data Protection API).

This tool can be easily utilized to decrypt DPAPI data on your current running system, as well as for decrypting DPAPI data stored on an external hard drive. All results can be saved to a file for later use.

DPAPI is a decryption/encryption system used by Microsoft products to decrypt/encrypt passwords and other sensitive information. DPAPI decrypted data will always begin with the following byte sequence, allowing for easy detection: 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB

Below you will find instances of DPAPI encrypted data:

Passwords of Microsoft Outlook accounts, stored under HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows Messaging SubsystemProfiles or HKEY_CURRENT_USERSoftwareMicrosoftOffice15.0OutlookProfiles or HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0OutlookProfiles (Depending on the version of Outlook)

Credentials files of Windows (ie: C:Users[User Profile]AppDataRoamingMicrosoftCredentials, C:Users[User Profile]AppDataLocalMicrosoftCredentials)

Wireless network keys (Stored inside XML files under C:ProgramDataMicrosoftWlansvcProfilesInterfaces )

Passwords in some versions of Internet Explorer, stored in the following Registry key: HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerIntelliFormsStorage2

Passwords stored in the passwords file of Chrome Web browser ('Login Data' file in the profile of Chrome).

Encrypted cookies in Chrome Web browser ('Cookies' file in the profile of Chrome)


Version History for DataProtectionDecryptor:
http://www.nirsoft.net/utils/dpapi_data_decryptor.html