Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,635 questions
how to decrpyt windows laps encryted password using c++ using ADSI services(crypt32.lib)?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 79%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
Dinesh Kumar A
10
Reputation points
while ((hr = pDirSearch->GetNextRow(hSearch2)) == S_OK)
{
ADS_SEARCH_COLUMN controlCol;
hr = pDirSearch->GetColumn(hSearch2, L"msLAPS-EncryptedPassword", &controlCol);
if (controlCol.dwNumValues > 0)
{
for (DWORD i = 0; i < controlCol.dwNumValues; ++i)
{
wprintf(L"distinguishedName: %s\n", controlCol.pADsValues[i].OctetString.lpValue);
DATA_BLOB DataIn;
DATA_BLOB DataOut;
LPWSTR pDescrOut = NULL;
// Ensure that pbDataInput points to the octet string and cbDataInput is the correct length
BYTE* pbDataInput = (BYTE*)controlCol.pADsValues[i].OctetString.lpValue;
DWORD cbDataInput = controlCol.pADsValues[i].OctetString.dwLength;
// Initialize the DataIn structure.
DataIn.pbData = pbDataInput;
DataIn.cbData = cbDataInput;
if (CryptUnprotectData(
&DataIn,
&pDescrOut,
NULL, // Optional entropy
NULL, // Reserved
NULL, // Here, the optional
// prompt structure is not
// used.
0,
&DataOut))
{
printf("The decrypted data is: %s\n", DataOut.pbData);
printf("The description of the data was: %s\n", pDescrOut);
LocalFree(DataOut.pbData);
LocalFree(pDescrOut);
}
LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError();
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&lpMsgBuf,
0, NULL);
// Display the error message and exit the process
lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,
(lstrlen((LPCTSTR)lpMsgBuf) + lstrlen((LPCTSTR)"CryptUnprotectData") + 40) * sizeof(TCHAR));
StringCchPrintf((LPTSTR)lpDisplayBuf,
LocalSize(lpDisplayBuf) / sizeof(TCHAR),
TEXT("%s failed with error %d: %s"),
(LPCTSTR)"CryptUnprotectData", dw, lpMsgBuf);
MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);
}
}
}
I am trying to decrypt "msLAPS-EncryptedPassword" attribute using c++(CryptUnprotectData method),But cant able to decrypt is there any procedure to follow to decrypt laps password.
It throws ""error 13 .Data is invalid" Did I miss something?
{count} votes
-
RLWA32 43,381 Reputation points2023-10-25T15:12:36+00:00 Have you considered starting PowerShell to run Get-LapsADPassword?
-
Jeanine Zhang-MSFT 9,431 Reputation points Microsoft Vendor2023-10-26T01:58:08.3866667+00:00 The Windows LAPS password encryption feature is based on the Cryptography API: Next Generation Data Protection API (CNG DPAPI). Windows LAPS supports encrypting passwords against only a single Windows Server Active Directory.security principal (user or group).
CNG DPAPI does support encryption against multiple security principals, but this mode isn't supported by Windows LAPS. If you need to grant decryption permissions to multiple security principals, to resolve the constraint, you can create a wrapper group that has all the relevant security principals as members.
You could refer to the Doc:Password encryption
-
Dinesh Kumar A 10 Reputation points
2023-10-26T10:26:28.7733333+00:00 hi ,I want to decrypt it using c++ instead of powershell,Let me know if it
possible to do?
-
Jeanine Zhang-MSFT 9,431 Reputation points Microsoft Vendor
2023-10-27T09:10:13.0566667+00:00 As far as I'm concerned, there is no winapi to realize it, and I also suggest you try to use PowerShell (Get-LapsADPassword).
Sign in to comment