
http://sourceforge.net/p/keepass/wiki/Recover%20Windows%20User%20Account%20Credentials/

2015-08-20 13:40
It may be possible to recover a KeePass database whose Master Key includes a Windows User Account (WUA) if certain
user data is available. Typical situations are:

A Windows computer is not bootable but the boot disk can still be mounted as data drive.

A Windows user profile has been deleted but a backup of the profile is available.

A Windows user profile has been damaged but the critical files can still be read, or a backup of the user profile is available.

The database recovery process below may be used to temporarily recover a KeePass database whose Master Key includes a non-domain WUA that is no longer operational. The procedure may be adaptable to a domain WUA [1], but
it has not been tested. Once a database is recovered, its Master Key can be changed to remove the original WUA key component. This recovery process has not been tested for all cases; one untested case is where the old WUA password
or username was changed after the ProtectedUserKey.bin file (DPAPI blob) was created
[2].

The procedure is not suitable for permanently moving the database while retaining the old WUA Master Key component, because it will break any preexisting databases in the account where the recovery was performed whose
Master Key includes a WUA. It is strongly recommended that a temporary WUA be used for the KeePass database recovery.

The procedure was developed based on the description of DPAPI in Recovering Windows Secrets and EFS
Certificates Offline by Elie Bursztein and Jean-Michel Picod (2010) and the Microsoft Technet article How to recover a Vault corrupted by
lost DPAPI keys.


Section I - Preliminaries.


Configure Windows File Explorer to show hidden and system files, and file extensions. A screenshot
is attached.

Start Windows File Explorer (e.g. press Win-E, or type explorer.exe in the Windows Search Bar)

If the Menu bar is not displayed press the 'Alt' key to display it.

Select 'Tools > Folder Options...' from the menu bar and open the 'View' tab of the Folder Options dialog box.

Check 'Show hidden files, folders, and drives'

Uncheck 'Hide extensions for known file types'

Uncheck 'Hide protected operating system files (Recommended)'

Definitions:

WUA is a Windows User Account

WUA Master Key(s) are the Master Key(s) for a WUA. These keys are different from the KeePass database Master Key.


Section II - Collect files and data from the old (non-operational) WUA.


Copy the KeePass database to be recovered and if one is used, its associated key file.

Obtain the password(s) and username(s) of the old WUA [3].

Copy the WUA Master Key folder: C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\,
where <username> is the username and <SID> is the SID of the old WUA. The folder name will be similar to S-1-5-21-2676219764-1201964595-2451656395-1000

There will likely be only one "SID" folder in the "Protect" folder. If there is more than one SID folder, figure out which is the SID folder of the old WUA and copy it.

The SID folder will contain one file called 'Preferred' and one or more WUA Master Key files with names like b8d158ae-b61b-4987-9326-962ed2654c17. Count the number of WUA Master Key files in the folder.

Copy the ProtectedUserKey.bin file (DPAPI blob) located in the C:\Users\<username>\AppData\Roaming\KeePass\ directory of the old WUA.
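The Section II collection, as an added PowerShell example (not part of the original wiki page): given a mounted old boot disk or profile backup, it locates the Protect\<SID> folder, counts the GUID-named WUA Master Key files, records the timestamp of ProtectedUserKey.bin, and copies everything to a staging folder. The old profile root D:\, the username George and the staging folder are placeholders to change.

```powershell
# Added example, not from the KeePass wiki page. Collects the DPAPI Master Key
# folder and KeePass's ProtectedUserKey.bin from an old, non-operational
# profile (Section II). Placeholders: $OldRoot is where the old boot disk or
# profile backup is mounted, $OldUser is the old username, $Staging is where
# the copies go.
param(
    [string]$OldRoot = 'D:\',
    [string]$OldUser = 'George',
    [string]$Staging = "$env:USERPROFILE\Desktop\keepass-recovery"
)

$ErrorActionPreference = 'Stop'
# WUA Master Key files are named by GUID; 'Preferred' is the only other file in the SID folder.
$guidName = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

$oldProfile = Join-Path $OldRoot "Users\$OldUser"
$protect    = Join-Path $oldProfile 'AppData\Roaming\Microsoft\Protect'
$blobPath   = Join-Path $oldProfile 'AppData\Roaming\KeePass\ProtectedUserKey.bin'

# Usually there is exactly one S-1-5-21-... folder; if there are several, list them and stop.
$sidDirs = @(Get-ChildItem -Path $protect -Directory -Force | Where-Object Name -like 'S-1-5-*')
if ($sidDirs.Count -ne 1) {
    $sidDirs | ForEach-Object { "{0}  (modified {1:u})" -f $_.FullName, $_.LastWriteTime }
    throw "Expected one SID folder under $protect, found $($sidDirs.Count); pick the old WUA's SID and rerun."
}
$sidDir = $sidDirs[0]

# Count the Master Key files now so the count can be checked after copying and after dpapimig.
$keys = @(Get-ChildItem -Path $sidDir.FullName -File -Force | Where-Object { $_.Name -match $guidName })
"SID folder: $($sidDir.Name)"
"Master Key files: $($keys.Count)"
$keys | Sort-Object LastWriteTime | ForEach-Object { "  {0}  {1:u}" -f $_.Name, $_.LastWriteTime }

# Record the blob's timestamp: Section III compares it with the dates of the migrated keys.
$blob = Get-Item -Path $blobPath -Force
"ProtectedUserKey.bin modified: {0:u}" -f $blob.LastWriteTime

# Copy-Item keeps each file's LastWriteTime, so the dates above survive in the staged copy.
$stagedProtect = Join-Path $Staging 'Protect'
New-Item -ItemType Directory -Path $stagedProtect -Force | Out-Null
Copy-Item -Path $sidDir.FullName -Destination $stagedProtect -Recurse -Force
Copy-Item -Path $blobPath -Destination $Staging -Force

# Verify the copy is complete before the old disk is unmounted.
$copied = @(Get-ChildItem -Path (Join-Path $stagedProtect $sidDir.Name) -File -Force | Where-Object { $_.Name -match $guidName })
if ($copied.Count -ne $keys.Count) { throw "Copied $($copied.Count) Master Key files, expected $($keys.Count)" }
"Copied $($copied.Count) Master Key files and ProtectedUserKey.bin to $Staging"
```

Run it as, for example, `.\Collect-OldWuaKeys.ps1 -OldRoot 'E:\' -OldUser 'George'`. The Master Key files are hidden system files, which is why every Get-ChildItem and Get-Item call carries -Force. The script does not change permissions: if the mounted profile denies read access (the situation described in the discussion below), run it from an elevated prompt or take ownership of the old profile folder first.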


Section III - Add the WUA Master Keys used by the old WUA to a temporary WUA.


Create a temporary WUA and log in to it.

Copy the WUA Master Key folder from Section (2) step 3 to the following directory in the temporary WUA: %APPDATA%\Microsoft\Protect\. Verify that the number of WUA Master Keys
in the folder matches the number that was counted in Section (2) step 3.

Add registry keys needed by the DPAPI migration utility.

Edit the attached file DPAPI migration.reg.txt, replacing every instance of <SID> and <username> with the SID and username of the old WUA. For example, the final entry in DPAPI migration.reg.txt for username "George" with a SID of S-1-5-21-2676219764-1201964595-2451656395-1000
would be:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers\S-1-5-21-2676219764-1201964595-2451656395-1000\UserName]

"George"=""

Rename DPAPI migration.reg.txt to DPAPI migration.reg and run it (double-click the file). A warning will be displayed. After proceeding,
a confirmation dialog that the keys have been added to the registry will be displayed.

Open a command prompt and run the utility c:\windows\system32\dpapimig.exe. Enter the old WUA password if prompted for it.

Verify that the WUA Master Keys from the old WUA were moved out of the folder that was created in Section (3) step 2.

If the process was partially successful (some but not all WUA Master Keys were moved), check the date of the oldest WUA Master Key that was successfully
moved. If it predates the date of the ProtectedUserKey.bin file from the old WUA, the remaining unmigrated WUA Master Keys can probably be ignored. If it does not, it is probably necessary to repeat the WUA Master Key import (from
Section (3) step 3) using the older passwords and usernames of the old WUA, if they are known.

If the process failed entirely (no old WUA Master Keys were moved), then find the problem and repeat the entire process. This may include recreating the registry keys, because these keys may be deleted when the dpapimig utility is run.
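The Section III checks (steps 4 and 5), as an added PowerShell example that is not part of the original wiki page. It runs in the temporary WUA after dpapimig.exe, works out which of the copied-in Master Key files were moved out of the live Protect\<SID> folder, and then goes one step beyond the page's date comparison: the page calls ProtectedUserKey.bin a DPAPI blob, and a CryptProtectData blob carries the GUID of the Master Key that encrypted it in its header, so the script reads that GUID and reports whether exactly that key was migrated. Assumptions: the staged copy from Section II is in the placeholder folder $Staging and still holds the full key set plus the blob, and the blob is a raw CryptProtectData output.

```powershell
# Added example, not from the KeePass wiki page. Run in the temporary WUA after
# dpapimig.exe has finished (Section III). Placeholder: $Staging is the folder
# holding the Protect\<SID> copy and ProtectedUserKey.bin from the old WUA.
param(
    [string]$Staging = "$env:USERPROFILE\Desktop\keepass-recovery"
)

$ErrorActionPreference = 'Stop'
$guidName = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

function Get-DpapiBlobMasterKeyGuid {
    # CryptProtectData blob header (assumed layout for ProtectedUserKey.bin):
    #   dwVersion(4) | guidProvider(16) | dwMasterKeyVersion(4) | guidMasterKey(16) | ...
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 40) { throw "$Path is too short to be a DPAPI blob" }
    $provider = [guid]::new([byte[]]$b[4..19])
    if ($provider -ne [guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb') {
        Write-Warning "Unexpected DPAPI provider GUID $provider in $Path; is this really a CryptProtectData blob?"
    }
    return [guid]::new([byte[]]$b[24..39])
}

$stagedSid = Get-ChildItem -Path (Join-Path $Staging 'Protect') -Directory -Force | Select-Object -First 1
$liveSid   = Join-Path $env:APPDATA "Microsoft\Protect\$($stagedSid.Name)"
$blobPath  = Join-Path $Staging 'ProtectedUserKey.bin'

# Keys we copied in (the staged folder is the "before" snapshot) versus what is still in the live folder.
$staged    = @(Get-ChildItem -Path $stagedSid.FullName -File -Force | Where-Object { $_.Name -match $guidName })
$liveNames = @()
if (Test-Path $liveSid) {
    $liveNames = @(Get-ChildItem -Path $liveSid -File -Force | Where-Object { $_.Name -match $guidName } | ForEach-Object Name)
}

# A copied-in key that is no longer in the live folder was taken over by dpapimig.
$moved = @($staged | Where-Object { $liveNames -notcontains $_.Name })
$stuck = @($staged | Where-Object { $liveNames -contains $_.Name })
"Master Keys copied in: $($staged.Count)   moved by dpapimig: $($moved.Count)   still in folder: $($stuck.Count)"

if ($moved.Count -eq 0) {
    Write-Warning 'No Master Keys were moved. Re-add the .reg entries (dpapimig may delete them) and rerun dpapimig.'
    return
}

# The page's own heuristic: does the oldest migrated key predate the blob?
$oldestMoved = $moved | Sort-Object LastWriteTime | Select-Object -First 1
$blobTime    = (Get-Item -Path $blobPath -Force).LastWriteTime
"Oldest migrated key : {0}  {1:u}" -f $oldestMoved.Name, $oldestMoved.LastWriteTime
"ProtectedUserKey.bin: {0:u}" -f $blobTime

# The direct check: which Master Key does the blob actually reference, and was it migrated?
$needed = (Get-DpapiBlobMasterKeyGuid -Path $blobPath).ToString()
"ProtectedUserKey.bin references Master Key $needed"

if ($moved.Name -contains $needed) {
    'That key was migrated; the blob should decrypt in this WUA.'
} elseif ($stuck.Name -contains $needed) {
    $k = $stuck | Where-Object Name -eq $needed
    Write-Warning ("The required key (dated {0:u}) was not migrated; repeat the import with the WUA password/username in use at that time." -f $k.LastWriteTime)
} else {
    Write-Warning 'The required key is not in the copied SID folder at all: check that the right profile and SID folder were copied.'
}
```

The GUID comparison is case-insensitive because the Master Key files are named in lowercase and PowerShell's -contains compares strings case-insensitively. Dates are taken from LastWriteTime, which Copy-Item preserves; CreationTime is reset by the copy and should not be used for the comparison.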


Section IV - Restore the old computer ProtectedUserKey.bin (DPAPI blob), Open the KeePass database, Change the Master Key, and Make a copy of the database.


Copy the ProtectedUserKey.bin from the old computer to the temporary WUA directory: %APPDATA%\KeePass\.

Copy the KeePass database to be recovered and if one was used, its associated key file, to a convenient location in the temporary WUA (e.g. the Desktop).

Open KeePass, navigate to the KeePass database and supply the complete KeePass Master Key, remembering to check the 'Windows user account' (WUA) box in the Master Key dialog. The database should open. If the database does not open, check the modified date of the ProtectedUserKey.bin file
in %APPDATA%\KeePass\.

If the modified time has changed to the current time, the ProtectedUserKey.bin file was not valid and the WUA Master Key migration procedure (Section (3)
above) failed. Carefully recheck all steps for errors and repeat the procedure, incorporating any corrections.

If the modified time did not change, the ProtectedUserKey.bin was OK and some other component of the Master Key that was entered (password or key file) is incorrect.
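The modified-time check above, as an added PowerShell example that is not part of the original wiki page: it saves a copy of ProtectedUserKey.bin and its timestamp, starts KeePass on the copied database, and after KeePass exits reports whether the blob was rewritten. The KeePass.exe path and the database path are placeholders.

```powershell
# Added example, not from the KeePass wiki page. Section IV step 3: detect
# whether KeePass replaced ProtectedUserKey.bin, which the page states happens
# when the old blob is not valid for this WUA. Placeholders: $KeePass is the
# KeePass.exe path, $Database is the copied .kdbx file.
param(
    [string]$KeePass  = "$env:ProgramFiles\KeePass Password Safe 2\KeePass.exe",
    [string]$Database = "$env:USERPROFILE\Desktop\recovered.kdbx"
)

$ErrorActionPreference = 'Stop'
$blob = Join-Path $env:APPDATA 'KeePass\ProtectedUserKey.bin'

# Keep the restored blob aside so a rewrite does not cost the only copy in this profile.
$backup = "$blob.before-open"
Copy-Item -Path $blob -Destination $backup -Force
$before = (Get-Item -Path $blob -Force).LastWriteTime
"ProtectedUserKey.bin before: {0:u}" -f $before

# Open the database interactively: enter the full Master Key with the WUA box
# checked, change the Master Key if it opens, then close KeePass.
Start-Process -FilePath $KeePass -ArgumentList ('"{0}"' -f $Database) -Wait

$after = (Get-Item -Path $blob -Force).LastWriteTime
"ProtectedUserKey.bin after : {0:u}" -f $after

if ($after -ne $before) {
    Write-Warning 'The blob was rewritten: the old ProtectedUserKey.bin could not be used, so the Section III Master Key migration failed.'
    Write-Warning "Restore the original from $backup before retrying."
} else {
    'The blob was not touched. If the database still did not open, a password or key-file component of the Master Key is wrong.'
}
```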

While the recovered KeePass database is open, change the database Master Key ('File>Change Master Key...') to remove the WUA component. Save and close the database. The database can now be moved to other computers and different WUAs.

After verifying that the database can be opened in other WUAs, remove the temporary WUA.

[1] See How to recover a Vault corrupted by lost DPAPI keys for a description of how to recover domain DPAPI Master Keys.

[2] See Recovering Windows Secrets and EFS Certificates Offline section 3.2 for possible issues
related to recovering WUA Master Keys.

[3] It appears that WUA Master Keys encrypted with old WUA passwords and/or usernames can also be recovered if the old WUA passwords and usernames are known. This capability has not been fully tested with respect to recovering KeePass databases.


Discussion



Dale

2015-06-03

It appears that with Win 8.1 the WUA permissions are different.

Access to the old files is not enabled when logged on with temp user account, and a different version of the desktop is presented.

Some suggestions are appreciated
