{"id":21523585,"url":"https://github.com/exoosh/amnesicdpapi","last_synced_at":"2026-02-10T22:35:09.704Z","repository":{"id":263831990,"uuid":"888586078","full_name":"exoosh/AmnesicDPAPI","owner":"exoosh","description":"This attempts to reproduce/trigger an issue with the (classic) DPAPI being in an amnesic state on Windows 10/11 (credhist never gets updated, but master keys get re-generated)","archived":false,"fork":false,"pushed_at":"2024-11-26T20:49:02.000Z","size":17,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-09T22:51:18.358Z","etag":null,"topics":["cng","dpapi","etw","tracelogging","windows"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/exoosh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-14T16:47:41.000Z","updated_at":"2024-11-26T20:49:05.000Z","dependencies_parsed_at":"2024-11-20T14:48:42.854Z","dependency_job_id":null,"html_url":"https://github.com/exoosh/AmnesicDPAPI","commit_stats":null,"previous_names":["exoosh/amnesicdpapi"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exoosh%2FAmnesicDPAPI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exoosh%2FAmnesicDPAPI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exoosh%2FAmnesicDPAPI/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exoosh%2FAmnesic
DPAPI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/exoosh","download_url":"https://codeload.github.com/exoosh/AmnesicDPAPI/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248125643,"owners_count":21051766,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cng","dpapi","etw","tracelogging","windows"],"created_at":"2024-11-24T01:18:38.181Z","updated_at":"2026-02-10T22:35:09.659Z","avatar_url":"https://github.com/exoosh.png","language":"C#","readme":"# DPAPI: \"Key not valid for use in specified state.\" (NTE_BAD_KEY_STATE)\n\nThere have been a lot of writeups about the classic DPAPI. There are two functions, `CryptProtectData` and `CryptUnprotectData`, which basically make up the whole of the _classic_ DPAPI. Under the hood it uses the classic Crypto API (CAPI) and is closely related to the functionality of the following two functions:\n\n* `RtlEncryptMemory` (== `advapi32!SystemFunction040`)\n* `RtlDecryptMemory` (== `advapi32!SystemFunction041`)\n\n `System.Security.Cryptography.ProtectedData.ProtectOrUnprotect` and `System.Security.Cryptography.ProtectedData.Unprotect` from .NET use the classic DPAPI (`CryptProtectData` and `CryptUnprotectData`).\n\n The main point is that one can protect secrets based on the machine or the user. For the user they're stored in `%AppData%\\Microsoft\\Protect\\` (with Windows Explorer you can alternatively navigate to `shell:DpAPIKeys`). 
So clearly that part depends on the user profile being loaded and available.\n\n Inside the `Protect` directory there is a file called `credhist` and a subdirectory named after the user's SID. In the latter there are files with a GUID as their name and a single `Preferred` file that denotes the latest master key in the chain of master keys that _should_ be stored in `credhist`. This repo is about the case where the `credhist` file never gets updated and the master-key generation gets triggered every few hours.\n\nAdditionally, since around Windows 8 there is a so-called CNG DPAPI (aka DPAPI NG), which is based on CryptoNG (CNG). Aside from providing a small project attempting to observe the amnesic DPAPI state, this repo attempts to ascertain whether DPAPI NG is a suitable replacement for the classic DPAPI, i.e. does it follow from the classic DPAPI being in an amnesic state that the DPAPI NG also ends up in that state?\n\n## Related\n\n* [An investigation by Tavis Ormandy regarding an issue caused by S4U logon type scheduled tasks](https://bugs.chromium.org/p/chromium/issues/detail?id=1069383#c90)  \n  ```\n  Get-ScheduledTask | %{ If ($_.Principal.LogonType -eq 'S4U') { $_ } }\n  ```  \n  Of note (since a correlation to locking/unlocking was also found in our case):  \n  \u003e I think the problem is in the dpapisrv cache, maybe a lock is not being released. I wonder if Microsoft made some changes to it recently?\n  \u003e I forgot to mention that there is an easy way to trigger this bug, at least after it has happened the first time:\n  \u003e 1. Close Chrome. Wait until there are no more \"chrome.exe\" instances in the Task Manager.\n  \u003e 2. Press WIN+L to lock the PC.\n  \u003e 3. Log in again.\n  \u003e 4. Open Chrome. 
Every cookie will be lost and errors will appear in the Event Viewer.\n  * `chrome://histograms/OSCrypt` was introduced due to the observations from this ticket\n* [Windows 10 2004/20H2 and the broken 'Credentials Manager': Root Cause and Workaround – Part 1](https://borncity.com/win/2020/11/09/windows-10-2004-20h2-und-der-kaputte-credentials-manager-ursache-und-workaround/)\n* [Windows 10 2004/20H2 and the broken 'Credentials Manager': Cause and Workaround – Part 2](https://borncity.com/win/2020/11/10/windows-10-2004-20h2-und-der-kaputte-credentials-manager-ursache-und-workaround-teil-2/)\n* [Systemwide password amnesia (v2004 build 19041.173) ](https://answers.microsoft.com/en-us/windows/forum/all/systemwide-password-amnesia-v2004-build-19041173/232381f8-e2c6-4e8a-b01c-712fceb0e39e)\n* [February 2, 2021 -- KB4598291 (OS Builds 19041.789 and 19042.789)](https://support.microsoft.com/en-us/topic/february-2-2021-kb4598291-os-builds-19041-789-and-19042-789-preview-6a766199-a4f1-616e-1f5c-58bdc3ca5e3b)\n  * \"Addresses an issue in which using local Service for User (S4U) affects Data Protection API (DPAPI) credential keys and causes users to sign out unexpectedly.\"\n\n### Writeups\n\n* https://www.synacktiv.com/ressources/univershell_2017_dpapi.pdf\n* https://tierzerosecurity.co.nz/2024/01/22/data-protection-windows-api.html\n  * successor post: https://tierzerosecurity.co.nz/2024/11/26/data-protection-windows-api-revisited.html\n* https://github.com/rxwx/chlonium\n\n## Support tickets with Microsoft\n\n* 2208300040004683 (closed, they claimed it was the wrong division it ended up with)\n* 2210040060000363 (closed in late 2024, succeeded by the one below)\n* 
2410070050003494\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexoosh%2Famnesicdpapi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexoosh%2Famnesicdpapi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexoosh%2Famnesicdpapi/lists"}