Recover Windows User Account Credentials

Dominik Reichl wellread1
Backup and Restore

If your database Master Key includes a Windows User Account (WUA), you can back up the protected KeePass WUA secret with the easy-to-use WUA Backup and Restore PowerShell script. However, if disaster strikes and you have not backed up your KeePass WUA secret, the following recovery procedure might save the day.

Recover KeePass WUA

It may be possible to recover a KeePass database whose Master Key includes a Windows User Account (WUA) if certain user data is available. Typical situations are:

  • A Windows computer is not bootable but the boot disk can still be mounted as data drive.
  • A Windows user profile has been deleted but a backup of the profile is available.
  • A Windows user profile has been damaged but the critical files can still be read, or a backup of the user profile is available.

The database recovery process below may be used to temporarily recover a KeePass database whose Master Key includes a non-domain WUA that is no longer operational. The procedure may be adaptable to a domain WUA [1], but it has not been tested. Once a database is recovered, its Master Key can be changed to remove the original WUA key component. This database recovery process has not been tested for all cases; one untested case is where the old WUA password or username was changed after the ProtectedUserKey.bin file (DPAPI blob) was created [2].

The procedure is not suitable for permanently moving the database while retaining the old WUA Master Key component, because it will break preexisting databases in the account where the recovery was performed if those databases include a WUA in their Master Key. It is strongly recommended that a temporary WUA be used for the KeePass database recovery.

The procedure was developed based on the description of DPAPI in Recovering Windows Secrets and EFS Certificates Offline by Elie Bursztein and Jean-Michel Picod (2010) and the Microsoft Technet article How to recover a Vault corrupted by lost DPAPI keys.


Section I - Preliminaries.
  1. Configure Windows File Explorer to show hidden and system files, and file extensions. A screenshot is attached.

    1. Start Windows File Explorer (e.g. press Win-E, or type explorer.exe in the Windows Search Bar).
    2. If the Menu bar is not displayed, press the 'Alt' key to display it.
    3. Select 'Tools>Folder Options' and switch to the 'View' tab of the Folder Options dialog box.
    4. Check 'Show hidden files, folders, and drives'.
    5. Uncheck 'Hide extensions for known file types'.
    6. Uncheck 'Hide protected operating system files (Recommended)'.
  2. Definitions:

    1. WUA is a Windows User Account
    2. WUA Master Key(s) are the Master Key(s) for a WUA. These keys are different from the KeePass database Master Key.
Section II - Collect files and data from the old (non-operational) WUA.
  1. Copy the KeePass database to be recovered and if one is used, its associated key file.
  2. Obtain the password(s) and username(s) of the old WUA [3].
  3. Copy the WUA Master Key folder: C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\, where <username> is the username and <SID> is the SID of the old WUA. The folder name will be similar to S-1-5-21-2676219764-1201964595-2451656395-1000

    1. There will likely be only one "SID" folder in the "Protect" folder. If there is more than one SID folder, figure out which is the SID folder of the old WUA and copy it.
    2. The SID folder will contain one file called 'Preferred' and one or more WUA Master Key files with names like b8d158ae-b61b-4987-9326-962ed2654c17. Count the number of WUA Master Key files in the folder.
  4. Copy the ProtectedUserKey.bin file (DPAPI blob) located in the C:\Users\<username>\AppData\Roaming\KeePass\ directory of the old WUA.
Section III - Add the WUA Master Keys used by the old WUA to a temporary WUA.
  1. Create a temporary WUA and log in to it.
  2. Copy the WUA Master Key folder from Section (2) step 3 to the following directory in the temporary WUA: %APPDATA%\Microsoft\Protect\. Verify that the number of WUA Master Keys in the folder matches the number that was counted in Section (2) step 3.
  3. Add registry keys needed by the DPAPI migration utility.

    1. Edit the attached file DPAPI migration.reg.txt, replacing every instance of <SID> and <username> with the SID and username of the old WUA. For example, the final entry in DPAPI migration.reg.txt for username "George" with a SID of S-1-5-21-2676219764-1201964595-2451656395-1000 would be:

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\S-1-5-21-2676219764-1201964595-2451656395-1000\UserName]
      "George"=""

    2. Rename DPAPI_migration.reg.txt to DPAPI migration.reg and run it (double-click the file). A warning will be displayed. After proceeding, a confirmation dialog that the keys have been added to the registry will be displayed.
  4. Open a command prompt and run the utility c:\windows\system32\dpapimig.exe. Enter the old WUA password if prompted for it.

    1. Verify that the WUA Master Keys from the old WUA were moved out of the folder that was created in Section (3) step 2.
    2. If the process was partially successful (some but not all WUA Master Keys were moved), check the date of the oldest WUA Master Key that was successfully moved. If it predates the date on the ProtectedUserKey.bin file from the old WUA, the remaining unmoved WUA Master Keys can probably be ignored. If it does not, it is probably necessary to repeat the WUA Master Key import process (from Section (3) step 3) using older passwords and usernames from the old WUA (if they are known).
    3. If the process failed entirely (no old WUA Master Keys were moved), find the problem and repeat the entire process. This may include recreating the registry keys, because these keys may be deleted when the dpapimig utility is run.
Section IV - Restore the old computer's ProtectedUserKey.bin (DPAPI blob), open the KeePass database, change the Master Key, and make a copy of the database.
  1. Copy the ProtectedUserKey.bin from the old computer to the temporary WUA directory: %APPDATA%\KeePass\.
  2. Copy the KeePass database to be recovered and if one was used, its associated key file, to a convenient location in the temporary WUA (e.g. the Desktop).
  3. Open KeePass, navigate to the KeePass database, and supply the complete KeePass Master Key, remembering to check the 'WUA' box in the Master Key dialog. The database should open. If the database does not open, check the modified date of the ProtectedUserKey.bin file in %APPDATA%\KeePass\.

    1. If the modified time has changed to the current time, the ProtectedUserKey.bin file was not valid and the WUA Master Key migration procedure above (Section (3)) failed. Carefully recheck all steps for errors and repeat the procedure, incorporating any corrections.
    2. If the modified time did not change, the ProtectedUserKey.bin was OK and some other component of the Master Key that was entered is incorrect.
  4. While the recovered KeePass database is open, change the database Master Key ('File>Change Master Key...') to remove the WUA component. Save and close the database. The database can now be moved to other computers and different WUAs.
  5. After verifying that the database can be opened in other WUAs, remove the temporary WUA.
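A small PowerShell helper, added here as an example (it is not part of this wiki page or of KeePass itself), that covers the checks the steps above ask for: it counts the GUID-named WUA Master Key files in the copied Protect\<SID> folder, performs the <SID>/<username> substitution on the attached template, and snapshots the state before and after dpapimig.exe so the outcomes described in Section III step 4 and Section IV step 3 can be read off. The parameter and function names, and the assumption that the template sits in the current directory, are mine.

```powershell
# Added helper, not part of the KeePass wiki or project. Assumes the old WUA's
# Protect\<SID> folder has already been copied into the temporary account's
# %APPDATA%\Microsoft\Protect (Section III step 2) and the template is in ".".
param(
    [Parameter(Mandatory = $true)] [string] $OldSid,       # old WUA SID, e.g. S-1-5-21-...-1000
    [Parameter(Mandatory = $true)] [string] $OldUserName,  # old WUA username
    [string] $RegTemplate = '.\DPAPI migration.reg.txt',   # attached template
    [string] $RegOut      = '.\DPAPI migration.reg'
)
$protectDir = Join-Path $env:APPDATA "Microsoft\Protect\$OldSid"
$blobPath   = Join-Path $env:APPDATA 'KeePass\ProtectedUserKey.bin'
$migKey     = "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\$OldSid"

# Section II step 3.2 / Section III step 2: the WUA Master Key files are the
# GUID-named entries ('Preferred' is skipped); -Force because they are hidden.
function Get-MasterKeyCount {
    if (-not (Test-Path -LiteralPath $protectDir)) { return 0 }
    @(Get-ChildItem -LiteralPath $protectDir -File -Force |
      Where-Object { $_.Name -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' }).Count
}

# Section III step 3.1: literal substitution of <SID> and <username> in the
# template. The .reg file is written as UTF-16 LE, which regedit accepts.
function New-MigrationRegFile {
    $text = Get-Content -LiteralPath $RegTemplate -Raw
    $text.Replace('<SID>', $OldSid).Replace('<username>', $OldUserName) |
        Set-Content -LiteralPath $RegOut -Encoding Unicode
}

# Snapshot taken around dpapimig.exe (Section III step 4.1) and around the
# first attempt to open the database (Section IV step 3).
function Get-RecoveryState {
    $blobWrite = $null
    if (Test-Path -LiteralPath $blobPath) { $blobWrite = (Get-Item -LiteralPath $blobPath -Force).LastWriteTime }
    [pscustomobject]@{
        MasterKeysStillInFolder = Get-MasterKeyCount
        MigratedUsersKeyPresent = Test-Path -LiteralPath $migKey
        BlobLastWrite           = $blobWrite
    }
}

# Compare two snapshots and report what the guide says each change means.
function Compare-RecoveryState($Before, $After) {
    $moved = $Before.MasterKeysStillInFolder - $After.MasterKeysStillInFolder
    if ($moved -gt 0 -and $After.MasterKeysStillInFolder -eq 0) { "All $moved WUA Master Keys were moved." }
    elseif ($moved -gt 0) { "Partial: $moved moved, $($After.MasterKeysStillInFolder) remain (Section III step 4.2)." }
    else { "No WUA Master Keys were moved (Section III step 4.3)." }
    if (-not $After.MigratedUsersKeyPresent) { "MigratedUsers registry key is gone; re-run the .reg file before retrying." }
    if ($Before.BlobLastWrite -ne $After.BlobLastWrite) { "ProtectedUserKey.bin was rewritten: the blob was not valid (Section IV step 3.1)." }
}
```

Dot-source the script inside the temporary WUA (`. .\Check-WuaRecovery.ps1 -OldSid ... -OldUserName ...`), call `New-MigrationRegFile`, take `$before = Get-RecoveryState`, run the .reg file and dpapimig.exe, then run `Compare-RecoveryState $before (Get-RecoveryState)`; repeat the snapshot pair around the first attempt to open the database.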


[1] See How to recover a Vault corrupted by lost DPAPI keys for a description of how to recover domain DPAPI Master Keys.

[2] See Recovering Windows Secrets and EFS Certificates Offline section 3.2 for possible issues related to recovering WUA Master Keys.

[3] It appears that WUA Master Keys encrypted with old WUA passwords and/or usernames can also be recovered if the old WUA passwords and usernames are known. This capability has not been fully tested with respect to recovering KeePass databases.

Additional background: Windows Data Protection

updated: 2024-01-28


Discussion

  • Dale

    Dale - 2015-06-03

    It appears that with Win 8.1 the WUA permissions are different.
    Access to the old files is not enabled when logged on with temp user account, and a different version of the desktop is presented.

    Some suggestions are appreciated

     
  • wellread1

    wellread1 - 2015-06-03
     

    Last edit: wellread1 2015-06-03
  • David Jones

    David Jones - 2018-10-23

    This guide was a lifesaver! Thank you. We had a catastrophic hardware failure of the hard drives on our server. We had backups of everything. However, the person who originally set up KeePass had set up encryption to use the Windows User Account as well as a key file. We had all the files for the KeePass database, but we couldn't restore it on our other server because it had a different Windows User Account. I followed this guide and was able to open our KeePass database file. I wanted to leave a few pieces of information for people who may stumble upon this guide and run into the same problems.

    1. Regarding the note "This database recovery process has not been tested for all cases, one case that has not been tested is where the old WUA password or username was changed after the ProtectedUserKey.bin file (DPAPI blob) was created [2]." The KeePass database was originally set up under an Active Directory network user account. Since its creation, the name of the Active Directory network account had changed, as well as the password for that account. Despite the Active Directory network account changing, the location of the KeePass files in our backup was under the original user account's folder. I don't know if this necessarily clears this up since it was a network account's name and password that changed, but if you're in the same situation, this guide worked for us.

    2. When editing the DPAPI migration.reg.txt file, we changed "computer-1" to the local name of the computer that it was originally set up on, not the network domain the computer was on. Also, if you run into issues and you end up changing the values in this file and then running it again to create registry values, it creates additional values in the registry and doesn't replace the "wrong" ones from the previous time(s) you ran the file. It took a few times to get the values right, and I kept deleting the old ones from the registry before I would try to run dpapimig.exe so only the current registry values I was trying were there.

    3. When trying to launch dpapimig.exe on Windows Server 2016, it was causing an issue on the computer which would alert me and say that it ran into a problem and would restart in 1 minute. I tried it a 2nd time after it rebooted and had the same issue. I then tried this guide on 3 other computers on our domain and dpapimig.exe wouldn't launch. I created a new network user (which may be where I went wrong), used that temp network user to log into the computers, and it wouldn't work. I then tried it on my personal laptop which isn't a part of any domain, I created a temp user, logged into it, and walked through the guide again. When I launched dpapimig.exe, it seemingly didn't work. However, about 5-7 minutes later, the DPAPI migration tool launched and prompted me for the old password for the account. Hallelujah! It worked. Not all the keys from the old user folder were migrated, so I tried it again, and it did the same thing, it took 5-7 minutes or so for the DPAPI migration tool to load.

    4. In Section II Step 3 "Copy the WUA Master Key folder: C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\, where <username> is the username and <SID> is the SID of the old WUA. The folder name will be similar to S-1-5-21-2676219764-1201964595-2451656395-1000" if you open this folder and it is completely empty, go into folder options and uncheck the box that says "Hide protected operating system files (Recommended)"

    Hope this helps someone in the future. Cheers!

     

    Last edit: David Jones 2018-10-24
  • Alex Fedorov

    Alex Fedorov - 2020-06-10

    Thanks A LOT. Using this guide I've managed to migrate my old Chrome profile to a new system. Now all my accounts are accessible again. Lifesaver, indeed.

     
  • Trish Bennett

    Trish Bennett - 2021-05-17

    I am in the process of recovering my computer after it failed, and these steps didn't work for me. There is no 'ProtectedUserKey.bin' file.

    As I understand it, I cannot open my KeePass database because on my current Windows installation, there is no ....users\Trish anymore. The error I get when trying to open my KeePass file is --

    c:\users\Administrator\Documents\keepass\xxx.kdbx
    Failed to load the specified file!
    The file signature is invalid. Either the file isn't a KeePass database file at all or it is corrupted.

    These are complex instructions, and I'm not sure I have the patience for them. Since I seem to be missing one of the files required for these instructions, I'm stuck, I think.

    I will instead be constructing a new password file (sigh).

     
  • wellread1

    wellread1 - 2021-05-17

    "The file signature is invalid. Either the file isn't a KeePass database file at all or it is corrupted." means the database you are trying to open is corrupt. Your option is to try to repair the database using the KeePass KDBX (2.x) (Repair Mode) import filter. See the KeePass Repairing Databases documentation for details.

    If you know that your database master key included the Windows User Account then this wiki may be relevant. However, this comments forum is not the right place to get help. If you need additional help please post in the KeePass Help Forum.

     
  • Trish Bennett

    Trish Bennett - 2021-05-17

    Thanks for the quick reply. I did try the repair steps, but they did not work.

     
  • michael endrizzi

    Great article! Unfortunately did not help me but hope this helps others.

    I also had a domain AD account that got migrated and lost my database. Got most of the procedure to work, but still cannot decode...

    1) I think?? what happens is the keys are unencrypted from the old account and re-encrypted under the new temp account. You can watch the keys move from the old account to the new account in the protect folder, just keep both folders open and watch the move.
    2) dpapimig.exe takes 3-5 minutes to pop-up so you have to wait
    3) For replacing the computer-1 name in the registry key. I had a network AD account also that got lost. I tried using the default computer-1 and my old local computer name, but did not work for me.
    4) If you are doing multiple tries, make sure to replace the ProtectedUserKey file every time. I think if something goes wrong keypass will replace it with an uninitialized one. Then on subsequent attempts it uses the wrong key and not your original key.
    5) Agree with above, you have to disable "Hide protected operating system files (Recommended)".
    6) You can open the registry with regedit.exe and watch the registry get updated. Note: the DPAPI data gets deleted every time you run dpapimig.exe, so you have to re-run the .reg file.
    7) There is a -domain flag on dpapimig.exe, but I could not find any documentation on it and it did not work for me.
    8) Here are some details on how all of DPAPI works, but they did not help me:
    https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dpapi-extracting-passwords

     

    Last edit: michael endrizzi 2022-02-18
  • Dain Alexander

    Dain Alexander - 2022-11-02

    After a few attempts resulting in a damaged Windows that had to be reinstalled, I finally found a working algorithm. This is applicable to local accounts only.

    And do back up before doing all described below; if something goes wrong you'll have a very good chance of ending up with an unbootable OS.

    1. Create account with same username on a new computer and assign Admin privileges.
    2. Copy S-1-5-21... directory from old computer to new, do not overwrite and do not delete existing S-1-5-21... folder, you should have two S-1-5-21... directories on new computer after that.
    3. Edit DPAPI_migration.reg to replace <sid> and <username>, leave "computer-1" as is.
    4. Run DPAPI_migration.reg to add keys to registry.
    5. Execute c:\windows\system32\dpapimig.exe once or twice; you should get a popup window saying something was successful.
    6. You can copy Chrome's UserData dir after that.
     

    Last edit: Paul 2022-11-03
