gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Trouble exporting Remote Desktop private key Windows 1903 Dev + Carlos update #241

Open BLTSIZE opened 5 years ago

BLTSIZE commented 5 years ago

For testing purpose, I'm running the Windows 10 1903 development environment with Hyper-V, and I'm trying to export the Remote Desktop certificate private key with the latest version of mimikatz (2.2.0 20190813 Carlos update).

I use an administrator account, and I run mimikatz from a command line running as administrator.

After setting debug privilege (# privilege::debug) and enabling capi (# crypto::capi), I get an error when trying the export:

mimikatz # crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:"Remote Desktop" /export
 * System Store  : 'CERT_SYSTEM_STORE_LOCAL_MACHINE' (0x00020000)
 * Store         : 'Remote Desktop'

 0. WinDev1907Eval
        Key Container  : TSSecKeySet1
        Provider       : Microsoft Enhanced Cryptographic Provider v1.0
        Provider type  : RSA_FULL (1)
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x80090016)
        Public export  : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_Remote Desktop_0_WinDev1907Eval.der'
ERROR kull_m_crypto_exportPfx ; PFXExportCertStoreEx (0x80090016)
        Private export : KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x80090016)

I'm wondering if this is related to some mistake I made, or to this version of Windows?

gentilkiwi commented 5 years ago

It seems there is no private key associated; test with: crypto::keys /machine

Maybe try it as administrator; it can be because you're not allowed to access the key.

BLTSIZE commented 5 years ago

Thanks for the advice. Indeed, here is what I get:

mimikatz # crypto::keys /machine
 * Store         : 'machine'
 * Provider      : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0')
 * Provider type : 'PROV_RSA_FULL' (1)
 * CNG Provider  : 'Microsoft Software Key Storage Provider'

CryptoAPI keys :
    0. IIS Express Development Certificate Container
    fad662b360941f26a1193357aab3c12d_19480def-5288-43f3-a209-bd31e00da431
        Type           : AT_KEYEXCHANGE (0x00000001)
        Exportable key : YES
        Key size       : 2048

CNG keys :

But perhaps you meant "/local_machine"? Because "Remote Desktop" is not reported when I use "crypto::stores" (defaulting to "crypto::stores /systemstore:current_user", I presume?). It is reported when I use "crypto::stores /systemstore:local_machine".

Whatever, I get this result with "/local_machine":

mimikatz # crypto::keys /local_machine
 * Store         : 'user'
 * Provider      : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0')
 * Provider type : 'PROV_RSA_FULL' (1)
 * CNG Provider  : 'Microsoft Software Key Storage Provider'

CryptoAPI keys :
    0. user
    f58155b4b1d5a524ca0261c3ee99fb50_19480def-5288-43f3-a209-bd31e00da431
ERROR kuhl_m_crypto_l_keys_capi ; CryptGetUserKey (0x8009000d)

CNG keys :
    0. Microsoft Connected Devices Platform device certificate
    de7cf8a7901d2ad13e5c67c29e5d1662_19480def-5288-43f3-a209-bd31e00da431
        Exportable key : YES
        Key size       : 256

Strange thing, since I run this as administrator. And I checked in CERTSRV.MSC: there is a certificate for Remote Desktop, and by double-clicking on it, I can read "You have a private key that corresponds to this certificate". Of course, if I try to export it, the "Yes, export the private key" option is grayed out. That's why mimikatz would be helpful...

minzak commented 3 years ago

Same issue; is any solution available?