Rediger

Del via


ResetAuthLockOut method of the Win32_Tpm class

The ResetAuthLockOut method of the Win32_Tpm class resets the time-out period or other mechanism that TPM manufacturers implement to protect against dictionary attacks on TPM authorization values. In a dictionary attack, an attacker tries to guess a correct TPM authorization value by exhaustively attempting all possible values.

Use this method if the TPM is locked out due to too many incorrect attempts at entering the owner authorization or other authorization values. When the TPM is locked out, some or all commands issued to the TPM will return an error, TPM_E_DEFEND_LOCK_RUNNING (0x80280803).

Note

This method can only be used exactly once when the TPM is locked out. If the owner authorization provided to this method is incorrect, the TPM will lock out for the entire time-out period and additional attempts at resetting the lock will fail.

 

Syntax

uint32 ResetAuthLockOut(
  [in, optional] string OwnerAuth
);

Parameters

OwnerAuth [in, optional]

Type: string

A string that identifies the TPM owner.

This string must be a base64-encoded null-terminated string that contains exactly 20 bytes of binary data. Use the ConvertToOwnerAuth method to translate a passphrase to this expected format. The OwnerAuth parameter is read from the registry if none is provided.

Return value

Type: uint32

All TPM errors as well as errors specific to TPM Base Services can be returned. The following table lists some of the common return values.

Return code/value Description
S_OK
0 (0x0)
The method was successful.
TPM_E_AUTHFAIL
2150105089 (0x80280001)
The provided owner authorization value is incorrect. Additional attempts at resetting the lock will fail with this same error. Please wait until the time-out period or other manufacturer-specific mechanism has expired before retrying locked TPM commands.

 

Remarks

This method calls the TPM_ResetLockValue command on the TPM. The exact behavior of this method varies among TPM manufacturers. Documentation from the computer or TPM manufacturer may provide additional information on the implementation of the anti-dictionary attack mechanism.

In general, manufacturers can detect dictionary attacks by keeping track of failed authentications. If the number or frequency of failures become high enough, the TPM will lock out further commands for a certain time. Generally, the initial time-out period will be short, to allow a legitimate user a chance to correct the situation. If failures continue, the duration of each subsequent time-out period may increase rapidly.

Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).

Requirements

Requirement Value
Minimum supported client
Windows Vista [desktop apps only]
Minimum supported server
Windows Server 2008 [desktop apps only]
Namespace
Root\CIMV2\Security\MicrosoftTpm
MOF
Win32_tpm.mof
DLL
Win32_tpm.dll

See also

Win32_Tpm