Issues using dpapimig from a Windows server 2019 to another Windows server 2019

David Lechevalier 1

Hello,
I have an issue with dpapimig (and with CryptUpdateProtectedState) when I try to migrate a master keys from a Window server 2019 to another Windows server 2019.

dpapimig says that password is not correct and the api CryptUpdateProtectedState return True with pdwSuccessCount=0 and pdwFailureCount=1.
I'm using local user.

If I do the operation on the same Windows Server 2019 (after having removed the user and created a new one). Everything works properly.
With Windows server 2016, Windows server 2012r2, everything works properly also.

Reproduction steps:

On Windows server 2019 #1, create a user test
Create a session with this user
Keep the directory %userprofile%\AppData\Roaming\Microsoft\Protect\<sid>
On Windows server 2019 #2, create a user test
Follow steps from ee681624(v=ws.10)

Actual Result

password issue
Expected result
master keys imported without issue

Thank you for your help,

David

6 answers

David Lechevalier 1 Reputation point

2021-09-27T10:55:09.57+00:00

Hi,

I made more tests on fully updated Windows. The migration issue with dpapimig still exists.
The issue is now present on Windows server 2016 but it is OK on Windows server 2012r2

I noticed that if the password is the same between the old account and the new account, the migration is OK.
It means that the parameter pwszOldPassword of CryptUpdateProtectedState is buggy.

The tool dpapimig and the API CryptUpdateProtectedState are still supported ?
I see no remarks in the page https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptupdateprotectedstate
about password.

Best regards,
David.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Issues using dpapimig from a Windows server 2019 to another Windows server 2019

Reproduction steps:

Actual Result

Expected result

6 answers