Issues using dpapimig from a Windows server 2019 to another Windows server 2019

David Lechevalier 1 Reputation point
2020-07-17T14:57:22.773+00:00

Hello,
I have an issue with dpapimig (and with CryptUpdateProtectedState) when I try to migrate a master keys from a Window server 2019 to another Windows server 2019.

dpapimig says that password is not correct and the api CryptUpdateProtectedState return True with pdwSuccessCount=0 and pdwFailureCount=1.
I'm using local user.

If I do the operation on the same Windows Server 2019 (after having removed the user and created a new one). Everything works properly.
With Windows server 2016, Windows server 2012r2, everything works properly also.

Reproduction steps:

  • On Windows server 2019 #1, create a user test
  • Create a session with this user
  • Keep the directory %userprofile%\AppData\Roaming\Microsoft\Protect\<sid>
  • On Windows server 2019 #2, create a user test
  • Follow steps from ee681624(v=ws.10)

Actual Result

  • password issue

    Expected result

  • master keys imported without issue

Thank you for your help,

David

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,443 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,368 questions
0 comments

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Cedric Chen 171 Reputation points
    2020-07-21T12:13:22.19+00:00

    Hi,

    This link may be helpfu to you:
    https://www.reddit.com/r/vivaldibrowser/comments/65qrlb/importing_cookiespasswords_from_vivaldichrome/

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    0 comments
  2. David Lechevalier 1 Reputation point
    2020-07-23T16:10:17.907+00:00

    Hi,

    Thank you for your help.

    I have already see this link but it does not help me.

    As I said, it was working before Windows server 2019: It works properly with Windows server 2012 and Windows server 2016.

    Best regards,

    David.

    0 comments
  3. David Lechevalier 1 Reputation point
    2020-07-30T12:02:28.673+00:00

    Hi,

    Do you have any news on this issue,

    Best regards,
    David.

    0 comments
  4. David Lechevalier 1 Reputation point
    2020-09-25T08:39:33.16+00:00

    Hi,

    I tried again on a fully updated Windows server 2019, the issue still occurs.

    But, I noticed that this issue does not exist on a fresh Windows Server 2019 not updated.

    So this issue is probably caused by a KB deployed after the installation.
    The only KB which seems to be related with dpapi is KB4517211.

    Best regards,
    David.

    0 comments
  5. David Lechevalier 1 Reputation point
    2021-01-28T14:59:24.887+00:00

    Hi,

    I made more tests on a fully updated Windows. The migration issue with dpapimig still exists.

    I notices some points:

    • The issue seems to be related to lsass. (according to procmon)
    • The migration works when the 2 computers SID are the same. After a sysprep, a working Windows server is not able to do migration. When I restore the computer SID using sidchg (https://www.stratesave.com/html/sidchg.html), The migration works again.

    The tool dpapimig and the API CryptUpdateProtectedState are still supported ?

    Best regards,
    David.

    0 comments