This function is used to decrypt data that was previously encrypted with the CryptEncrypt function.

BOOL Final, 
DWORD dwFlags, 
BYTE *pbData,
DWORD *pdwDataLen);


  • hKey
    [in] Handle to the key to use for the decryption. An application obtains this handle by using either the CryptGenKey or CryptImportKey function.

    This key specifies the decryption algorithm that is used.

  • hHash
    [in] Handle to a hash object. This parameter is used only if a hash of the data is to be computed. For more information, see Remarks.

    If no hash is to be done, this parameter must be zero.

  • Final
    [in] Boolean value that specifies whether this is the last section in a series being decrypted. This will be TRUE if this is the last or only block. If it is not, then it will be FALSE. For more information, see Remarks.

  • dwFlags
    [in] Specifies a bitmask of flags. This parameter is reserved for future use and should always be zero.

  • pbData
    [in/out] Pointer to the buffer that holds the data to be decrypted. After the decryption has been performed, the plaintext is placed back in this same buffer.

    The number of encrypted bytes in this buffer is specified by pdwDataLen.

  • pdwDataLen
    [in/out] Pointer to the data length. Before calling this function, the caller should set this parameter to the number of bytes to be decrypted. Upon return, this address will contain the number of bytes of plaintext generated.

    When a block cipher is used, this data length must be a multiple of the block size, unless this is the final section of data to be decrypted and the Final flag is TRUE.

Return Values

TRUE indicates success. FALSE indicates failure. To get extended error information, call GetLastError. Common values for GetLastError are described in the following table. The error values prefaced by "NTE" are generated by the particular CSP you are using.

Value Description
ERROR_INVALID_HANDLE One of the parameters specifies an invalid handle.
ERROR_INVALID_PARAMETER One of the parameters contains an invalid value. This is most often an illegal pointer.
NTE_BAD_ALGID The hKey session key specifies an algorithm that this CSP does not support.
NTE_BAD_DATA The data to be decrypted is invalid. For example, when a block cipher is used and the Final flag is FALSE, the value specified by pdwDataLen must be a multiple of the block size. This error can also be returned when the padding is found to be invalid.
NTE_BAD_FLAGS The dwFlags parameter is nonzero.
NTE_BAD_HASH The hHash parameter contains an invalid handle.
NTE_BAD_KEY The hKey parameter does not contain a valid handle to a key.
NTE_BAD_LEN The size of the output buffer is too small to hold the generated plaintext.
NTE_BAD_UID The CSP context that was specified when the key was created cannot be found.
NTE_DOUBLE_ENCRYPT The application attempted to decrypt the same data twice.
NTE_FAIL The function failed in some unexpected way.


If data is to be decrypted and hashed simultaneously, a handle to a hash object can be passed in the hHash parameter. The hash value will be updated with the decrypted plaintext. This option is useful when simultaneously decrypting and verifying a signature.

Before calling CryptDecrypt, the application should obtain a handle to the hash object by calling the CryptCreateHash function. After the decryption is complete, the hash value can be obtained (through CryptGetHashParam), it can be signed (through CryptSignHash), or it can be used to verify a digital signature (through CryptVerifySignature).

When a large amount of data needs to be decrypted, it can be done in sections. This is done by calling CryptDecrypt repeatedly. The Final parameter should be set to TRUE only on the last invocation of CryptDecrypt, so the decryption engine can properly finish the decryption process. The following extra actions are performed when Final is TRUE:

  • If the key is a block cipher key, the data will be padded to a multiple of the block size of the cipher. To find the block size of a cipher, use CryptGetKeyParam to get the KP_BLOCKLEN parameter of the key.
  • If the cipher is operating in a chaining mode, the next CryptDecrypt operation will reset the cipher's feedback register to the KP_IV value of the key.
  • If the cipher is a stream cipher, the next CryptDecrypt call will reset the cipher to its initial state.


For encypting and decrypting examples, see Cryptography.


Runs On Versions Defined in Include Link to
Windows CE OS 2.10 and later Wincrypt.h   Cryptapi.lib

Note   This API is part of the complete Windows CE OS package as provided by Microsoft. The functionality of a particular platform is determined by the original equipment manufacturer (OEM) and some devices may not support this API.

See Also

CryptCreateHash, CryptEncrypt, CryptGenKey, CryptGetKeyParam, CryptGetHashParam, CryptImportKey, CryptSignHash, CryptVerifySignature

 Last updated on Tuesday, July 13, 2004

© 1992-2000 Microsoft Corporation. All rights reserved.