Re: Protected Storage System Provider - Registry Data
From: gnu valued customer (tlviewer_at_yahoo.com)
Date: Tue, 11 May 2004 07:12:05 GMT
"dman78" <email@example.com> wrote in message news:firstname.lastname@example.org...
> Hi All.
> I have a question regarding the Protected Storage Area of the Windows
> Its located in the 2k registry at :
> HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\
> Browsing down through the subtree there are keys for each pop account etc
> and the corresponding password is encrypted - and I am not sure by what
> For each account there is a value called "Item Data" which stores a block of
> approximately 80 bytes. From comparing the data it seems to follow a
> - First four bytes always 0x00000002 (2)
> - Second four bytes describes the length of the following hex string, always
> 0x00000018 (24 bytes)
> - Next 24 bytes unknown, perhaps a key or hash?
> - Next 4 bytes describes the length of the following hex string, variable
> based on the length of the password thats been encrypted. In most examples
> 0x00000028 (40 bytes)
> - Next x bytes unknown - length determined by previous 4 bytes.
> I do not know much about encryption but I do know everything needed to
> decrypt this string should be stored here in this data.
> An inital thought was that maybe the 24 bytes could be three separate 64 bit
> (56 bit padded) keys of a triple des key and the next block of data was
> password encrypted with that key. Unfortunately I do not know enough about
> encryption explore or test this theory.
> Does this type of encryption sound familiar to anyone? Any assistance is
> greatly appreciated.
try looking in the SDK (Wincrypt.h) at
Session keys are automatically formed within these DPAPI, based
on users login credentials -- you don't have to make any decisions
about deriving keys. See: