Issues using dpapimig from a Windows server 2019 to another Windows server 2019

David Lechevalier 1 Reputation point
2020-07-17T14:57:22.773+00:00

Hello,
I have an issue with dpapimig (and with CryptUpdateProtectedState) when I try to migrate master keys from a Windows Server 2019 to another Windows Server 2019.

dpapimig says that the password is not correct and the API CryptUpdateProtectedState returns True with pdwSuccessCount=0 and pdwFailureCount=1.
I'm using a local user.

If I do the operation on the same Windows Server 2019 (after having removed the user and created a new one), everything works properly.
With Windows server 2016, Windows server 2012r2, everything also works properly.

Reproduction steps:

  • On Windows server 2019 #1, create a user test
  • Create a session with this user
  • Keep the directory %userprofile%\AppData\Roaming\Microsoft\Protect\<sid>
  • On Windows server 2019 #2, create a user test
  • Follow steps from ee681624(v=ws.10)

Actual Result

  • password issue

Expected result

  • master keys imported without issue

Thank you for your help,

David
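An added example, not part of the original post and not Microsoft's code: a PowerShell wrapper that calls CryptUpdateProtectedState through P/Invoke (signature taken from the documented prototype) and judges the migration by the two counters, since the thread shows the function returning True with nothing migrated. The `Demo.Dpapi` type name and the `$OldSid` parameter are hypothetical, and the script assumes it runs in the new account's session with the old master key files already in place as in the reproduction steps.

```powershell
# Added example (not from the original post). Run as the NEW account after the old
# master key files are in place; $OldSid is the old account's SID string.
param([Parameter(Mandatory)][string]$OldSid)

Add-Type -Namespace Demo -Name Dpapi -MemberDefinition @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CryptUpdateProtectedState(
    IntPtr pOldSid, IntPtr pwszOldPassword, uint dwFlags,
    out uint pdwSuccessCount, out uint pdwFailureCount);
'@

$marshal = [System.Runtime.InteropServices.Marshal]

# Binary form of the old SID, copied to unmanaged memory for the PSID argument.
$sid   = New-Object System.Security.Principal.SecurityIdentifier($OldSid)
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)
$pSid  = $marshal::AllocHGlobal($bytes.Length)
$marshal::Copy($bytes, 0, $pSid, $bytes.Length)

# The old password is read without echo; its plaintext copy lives only in an
# unmanaged buffer that is zeroed in the finally block.
$secure = Read-Host -AsSecureString -Prompt 'Old account password'
$pPwd   = $marshal::SecureStringToGlobalAllocUnicode($secure)

[uint32]$success = 0
[uint32]$failure = 0
try {
    $ok  = [Demo.Dpapi]::CryptUpdateProtectedState($pSid, $pPwd, 0, [ref]$success, [ref]$failure)
    $err = $marshal::GetLastWin32Error()
}
finally {
    $marshal::ZeroFreeGlobalAllocUnicode($pPwd)
    $marshal::FreeHGlobal($pSid)
}

# TRUE alone is not success: the thread reports TRUE with 0 migrated and 1 failed.
[pscustomobject]@{
    Returned     = $ok
    LastError    = if ($ok) { 0 } else { $err }
    SuccessCount = $success
    FailureCount = $failure
    Migrated     = ($ok -and $failure -eq 0 -and $success -gt 0)
}
```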


6 answers

  1. David Lechevalier 1 Reputation point
    2021-09-27T10:55:09.57+00:00

    Hi,

    I made more tests on fully updated Windows. The migration issue with dpapimig still exists.
    The issue is now present on Windows server 2016 but it is OK on Windows server 2012r2

    I noticed that if the password is the same between the old account and the new account, the migration is OK.
    It means that the parameter pwszOldPassword of CryptUpdateProtectedState is buggy.

    Are the tool dpapimig and the API CryptUpdateProtectedState still supported?
    I see no remarks about the password on the page https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptupdateprotectedstate.

    Best regards,
    David.


  2. David Lechevalier 1 Reputation point
    2021-01-28T14:59:24.887+00:00

    Hi,

    I made more tests on a fully updated Windows. The migration issue with dpapimig still exists.

    I noticed some points:

    • The issue seems to be related to lsass (according to procmon).
    • The migration works when the two computers' SIDs are the same. After a sysprep, a working Windows server is not able to do the migration. When I restore the computer SID using sidchg (https://www.stratesave.com/html/sidchg.html), the migration works again.

    Are the tool dpapimig and the API CryptUpdateProtectedState still supported?

    Best regards,
    David.


  3. David Lechevalier 1 Reputation point
    2020-09-25T08:39:33.16+00:00

    Hi,

    I tried again on a fully updated Windows server 2019, the issue still occurs.

    But, I noticed that this issue does not exist on a fresh Windows Server 2019 not updated.

    So this issue is probably caused by a KB deployed after the installation.
    The only KB which seems to be related with dpapi is KB4517211.

    Best regards,
    David.


  4. David Lechevalier 1 Reputation point
    2020-07-30T12:02:28.673+00:00

    Hi,

    Do you have any news on this issue?

    Best regards,
    David.


  5. David Lechevalier 1 Reputation point
    2020-07-23T16:10:17.907+00:00

    Hi,

    Thank you for your help.

    I have already seen this link but it does not help me.

    As I said, it was working before Windows server 2019: It works properly with Windows server 2012 and Windows server 2016.

    Best regards,

    David.
