CryptUpdateProtectedState function (dpapi.h)

The CryptUpdateProtectedState function migrates the current user's master keys after the user's security identifier (SID) has changed. This function can be used to preserve encrypted data after a user has been moved from one domain to another.


DPAPI_IMP BOOL CryptUpdateProtectedState(
  [in]  PSID    pOldSid,
  [in]  LPCWSTR pwszOldPassword,
  [in]  DWORD   dwFlags,
  [out] DWORD   *pdwSuccessCount,
  [out] DWORD   *pdwFailureCount


[in] pOldSid

The address of a SID structure that contains the user's previous SID. This SID is used to locate the old master keys. If this parameter is NULL, the master keys for the current user SID are migrated.

Either this parameter or the pwszOldPassword parameter may be NULL, but not both.

[in] pwszOldPassword

A pointer to a null-terminated Unicode string that contains the user's password before the SID was changed. This password is used to decrypt the old master keys. If this parameter is NULL, the password of the current user will be used.

Either this parameter or the pOldSid parameter may be NULL, but not both.

[in] dwFlags

Not used. Must be zero.

[out] pdwSuccessCount

The address of a DWORD variable that receives the number of master keys that were successfully migrated.

[out] pdwFailureCount

The address of a DWORD variable that receives the number of master keys that could not be decrypted.

It is not necessarily an error if one or more master keys cannot be decrypted. Some users may possess master keys that are stagnant and could not have been decrypted for a long time. One way that this can happen is when the password of a local user has been administratively reset.

Return value

If the function succeeds, the return value is TRUE.

If the function fails, the return value is FALSE. For extended error information, call GetLastError. Some possible error codes include the following.

Return code Description
One of the parameters contains a value that is not valid.
A memory allocation failure occurred.
The old password could not be encrypted.


This function decrypts all of the user's master keys in the old master key directory, using the previous password, and stores them in the user's current master key directory, encrypted with the user's current password.

This function must be called from the user account that the keys are being migrated to.

If this function is able to successfully migrate an old master key, it will automatically delete the old master key. Master keys that cannot be decrypted are not deleted.


Requirement Value
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header dpapi.h
Library Crypt32.lib
DLL Crypt32.dll