| external help file | DSInternals.PowerShell.dll-Help.xml |
|---|---|
| Module Name | DSInternals |
| online version | https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Unprotect-DpapiNgData.md |
| schema | 2.0.0 |
Decrypts DPAPI-NG protected data.
```
Unprotect-DpapiNgData [-Blob] <Byte[]> [-Encoding <Encoding>] [<CommonParameters>]

Unprotect-DpapiNgData [-Blob] <Byte[]> -KdsRootKey <KdsRootKey[]> [-Encoding <Encoding>] [<CommonParameters>]
```
This cmdlet decrypts a DPAPI-NG protected blob. The Blob parameter accepts either a byte array or a base64-encoded CngProtectedDataBlob.
By default, the cmdlet returns the decrypted data as a hexadecimal string. When Encoding is supplied, the cmdlet decodes the decrypted bytes and returns the decoded string.
When KdsRootKey is supplied, the cmdlet derives and caches the matching SID group key before decrypting the blob, which enables offline decryption for SID-protected data.
```powershell
PS C:\> $blob = Protect-DpapiNgData -Descriptor 'LOCAL=user' -Cleartext 'Secret'
PS C:\> Unprotect-DpapiNgData -Blob $blob -Encoding Unicode
<# Sample Output:
Secret
#>
```

Decrypts a protected blob and returns the cleartext as a string.
```powershell
PS C:\> Unprotect-DpapiNgData -Blob '<base64-encoded DPAPI-NG blob>' -Encoding UTF8 -KdsRootKey (Get-ADDBKdsRootKey -DatabasePath '.\ntds.dit')
<# Sample Output:
Pa$$w0rd
#>
```

Decrypts a SID-protected blob offline by deriving the matching group key from a KDS root key read from an offline ntds.dit database, then returns the cleartext decoded as UTF-8.
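The default hexadecimal output and the `-Encoding` decoding described above, compared on one blob. This is an added example, not part of the DSInternals documentation; `Convert-HexToBytes` and `Test-DpapiNgRoundTrip` are hypothetical helper names. It assumes the hex string contains only hex digits and optional separators, and that `Protect-DpapiNgData -Cleartext` stores the text as UTF-16LE, as the `-Encoding Unicode` example above implies.

```powershell
# Added example, not from the DSInternals documentation.
# Convert-HexToBytes and Test-DpapiNgRoundTrip are hypothetical helper names.
Import-Module DSInternals

function Convert-HexToBytes {
    param([Parameter(Mandatory)][string] $Hex)
    # Assumption: separators (spaces, dashes) may be present; keep hex digits only.
    $digits = $Hex -replace '[^0-9A-Fa-f]', ''
    if ($digits.Length % 2 -ne 0) { throw 'Hex string has an odd number of digits.' }
    $bytes = New-Object byte[] ($digits.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($digits.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Test-DpapiNgRoundTrip {
    param(
        [Parameter(Mandatory)][string] $Cleartext,
        [string] $Descriptor = 'LOCAL=user'   # descriptor used in the first example
    )
    $blob = Protect-DpapiNgData -Descriptor $Descriptor -Cleartext $Cleartext

    # Without -Encoding the cmdlet returns the decrypted bytes as a hex string.
    $hex = Unprotect-DpapiNgData -Blob $blob
    $raw = Convert-HexToBytes -Hex $hex

    # With -Encoding the cmdlet decodes the same bytes itself.
    $decoded = Unprotect-DpapiNgData -Blob $blob -Encoding Unicode

    # Assumption: the cleartext was stored as UTF-16LE; trim a possible trailing NUL.
    $manual = [System.Text.Encoding]::Unicode.GetString($raw).TrimEnd([char]0)

    [pscustomobject]@{
        ByteCount     = $raw.Length
        CmdletDecoded = $decoded
        ManualDecoded = $manual
        RoundTripOk   = ($manual -ceq $Cleartext) -and ($decoded.TrimEnd([char]0) -ceq $Cleartext)
        # A wrong encoding does not raise an error; UTF-16LE bytes read as UTF-8 yield NUL-laden text.
        WrongEncoding = [System.Text.Encoding]::UTF8.GetString($raw)
    }
}

Test-DpapiNgRoundTrip -Cleartext 'Secret'
```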
Specifies the DPAPI-NG protected blob as a byte array or base64 string.
Type: Byte[]
Parameter Sets: (All)
Aliases: CngProtectedDataBlob, ProtectedBlob
Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

Specifies the text encoding to use when returning decrypted data as a string.
Accepts a System.Text.Encoding instance (such as [System.Text.Encoding]::Unicode) or one of the following well-known encoding names, which are also offered through tab completion: ASCII, BigEndianUnicode, Unicode, UTF32, UTF7, UTF8.
Type: Encoding
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Specifies the KDS root keys used to decrypt SID-protected data offline.
Type: KdsRootKey[]
Parameter Sets: Offline
Aliases: KdsRootKeys, RootKey, RootKeys
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Alias: Unprotect-CngDpapiData
Get-DpapiNgData Protect-DpapiNgData Get-ADDBKdsRootKey Get-ADReplKdsRootKey Get-ADSIKdsRootKey