gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

ERROR mimikatz_doLocal ; "cipher" command of "standard" module not found ! #353

Open phlave opened 3 years ago

phlave commented 3 years ago

Hi, I'm trying to follow a couple of guides on how to restore some encrypted data from before reinstalling Windows (https://tinyapps.org/docs/decrypt-efs-without-cert-backup.html; https://github.com/gentilkiwi/mimikatz/wiki/howto-%7E-decrypt-EFS-files) but I am running into a problem at the first step: when I input the line with > cipher /c I get this error:

ERROR mimikatz_doLocal ; "cipher" command of "standard" module not found !

This being my absolute first time trying this, I am using the release version of Mimikatz, and to be sure I tried a couple of those, since they have different names and I am not sure what they do specifically. Is there a specific version I should get to make this work?

Thanks in advance for your time.

Beercow commented 3 years ago

cipher is a Windows command line utility. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cipher

phlave commented 3 years ago

Thanks for your reply. So, do I need to use that line in cmd and then import the results in mimikatz?

Beercow commented 3 years ago

Yes. You need the certificate thumbprint to export the certificate and public key with mimikatz.

phlave commented 3 years ago

Ok, so, the command in cmd didn't work, but I was able to input the certificate thumbprint by hand and export it.

Now, some steps later, I'm trying to decrypt my masterkey. Problem is: I don't exactly remember which of my passwords I used to use on my old local account, but none of my passwords seem to work.

I always end up with "ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password"

Let me ask something, though. I'm following this guide https://github.com/gentilkiwi/mimikatz/wiki/howto-%7E-decrypt-EFS-files because I formatted my PC and reinstalled Windows without remembering to decrypt a couple of folders, so I'm using certificates from the Windows.old folder. Is it possible it lacks important data for this process? For example, the SID folder inside Protect is empty.

I'm getting kinda resigned to none of this working. Should I just quit and stop wasting time?

Thanks again for the reply.

ashepp commented 2 years ago

I'm experiencing a similar situation to @phlave and wondering if there's any additional guidance to help with retrieving a local account's password. I've tried all the options I think are viable and get the same error: "ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password"