Open Taly01 opened 2 years ago
Hello: Microsoft Account login doesn't keep the real user password because is re-encrypted.Of course you you know the NTLM of the login password but not the "real NTLM of the encrypted password for the MA you use for login". You can try with CREDHIST tool from nirsoft.And try to catch the real NTLM so you can decrypt the masterkey. Can takes time ...
It's super strange the real NTLM situation is not mentioned anywhere but still kinda makes sense
For me, in my testing machine nirsoft's CredHistView or CredHistView+MadPassExt didn't work at all
Hello I am trying to gain access to some encrypted files from before reinstalling windows. I am following this tutorial: https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
I am stuck at Decrypting the masterkey
I know the password. It is the same user account and password I am using currently.
But yet with the command:
dpapi::masterkey /in:"Protect\SID\guidMasterKey" /password:correctPassword
I get the error:
Even with /protected and I get:
I also tried the same command but with NTLM instead.
dpapi::masterkey /in:"Protect\SID\guidMasterKey" /hash:correctPasswordInNTLM
I get this error instead:
As far as I know, I have the correct:
The User Account that encrypted the data was a Microsoft Account and is the same one I am currently using.
The error seems to indicate that I am inputting the incorrect password, but I am sure I am using the correct password.
Is there anything I can do to recover my data? I have access to the old "ProgramData", and "Users" folders from before I reinstalled windows.
Any help would be very much appreciated Thank you