Re: CryptAcquireContext with CRYPT_NEWKEYSET return Access Denied

You're right. I managed to write a test to tell whether DPAPI works or not.

See reference for the code.
In the MS provider it works, while in my custom authentication package it
So I fully implemented LsaApLogonUserEx2 and found that populating
allows DPAPI to work again.

But I have another problem.
Without feeding the password field, if I create a certificate with a
private key with the MS authentication package (1),
I can export it.
If I do the same with my custom authentication package (2), I can
create and export another private key.
But I can't export the private key (created with 2) while logged on with
(1) (2->1), and I can't do the reverse (1->2).
It's like I have two different accounts on the same computer!

Feeding the password field with my password in clear text makes them
work. But I didn't write an authentication package
to still use my password!
I've tried a workaround: breaking into the SAM, getting the NT hash
and using the PRIMARY_CRED_OWF_PASSWORD flag.
But LSA crashes.
As seen in the kernel debugger, msv1_0 returns my clear password with the

Is there any way to make my custom authentication package work?
Does anybody know a way to update the DPAPI master key?
(I've seen the flag CRYPTPROTECT_CRED_SYNC.)
I've read in a post that when MS does smart card logon (and password
logon is then still allowed), the DPAPI master key is stored on the
disk encrypted with the certificate's public key.
Any idea?

Thanks in advance for your comments

Vincent Le Toux

#include <windows.h>
#include <wincrypt.h>
#include <tchar.h>
#pragma comment(lib, "crypt32.lib")  /* CryptProtectData lives in crypt32.dll */

int main(void)
{
    BYTE *pbDataInput = (BYTE *)"Hello world of data protection.";
    DWORD cbDataInput = lstrlenA((char *)pbDataInput) + 1;
    DATA_BLOB DataIn = { cbDataInput, pbDataInput }, DataOut;
    /* Succeeds only if DPAPI can reach this logon session's master key */
    if (CryptProtectData(&DataIn, L"This is the description string.",
                         NULL, NULL, NULL, 0, &DataOut))
        MessageBox(0, _T("Works"), _T("Encryption"), 0);
    else
        MessageBox(0, _T("Doesn't work"), _T("Encryption"), 0);
    return 0;
}
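The same DPAPI probe, plus the cross-logon check (1->2, 2->1) described in the post, can be run from a script rather than compiled code. The following is an added example and is not part of Vincent's post or code: it runs the .NET ProtectedData wrapper around CryptProtectData/CryptUnprotectData, prints the logon identity and the user's DPAPI master key directory, and on the first run saves a blob that a second run, after logging on through the other authentication package, tries to decrypt. The blob path under %TEMP% is an assumption.

```powershell
# Added example (not from the original post). Run once under logon (1),
# then again under logon (2): a failed Unprotect on the second run is the
# "two different accounts" symptom, and a different SID or a fresh master
# key directory shows why.
Add-Type -AssemblyName System.Security

$blobPath = Join-Path $env:TEMP 'dpapi-probe.bin'   # location is an assumption
$plain    = [Text.Encoding]::UTF8.GetBytes('Hello world of data protection.')
$who      = [Security.Principal.WindowsIdentity]::GetCurrent()

# User master keys live under %APPDATA%\Microsoft\Protect\<SID>; the files
# are hidden, hence -Force. "Preferred" names the master key in use.
$keyDir = Join-Path $env:APPDATA "Microsoft\Protect\$($who.User.Value)"
Write-Host "Logon user : $($who.Name) ($($who.User.Value))"
Write-Host "Master keys: $keyDir"
Get-ChildItem -Force $keyDir -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime | Format-Table -AutoSize

if (Test-Path $blobPath) {
    # Second run: can this logon session open the blob the first one made?
    try {
        $out = [Security.Cryptography.ProtectedData]::Unprotect(
            [IO.File]::ReadAllBytes($blobPath), $null, 'CurrentUser')
        Write-Host "Unprotect OK: $([Text.Encoding]::UTF8.GetString($out))"
    } catch {
        Write-Host "Unprotect FAILED: $($_.Exception.Message)"
    }
} else {
    # First run: protect and keep the blob for the cross-logon check
    try {
        $enc = [Security.Cryptography.ProtectedData]::Protect($plain, $null, 'CurrentUser')
        [IO.File]::WriteAllBytes($blobPath, $enc)
        Write-Host "Protect OK, blob saved to $blobPath"
    } catch {
        Write-Host "Protect FAILED: $($_.Exception.Message)"
    }
}
```

Delete the blob between experiments to reset the probe. Comparing the SID and the master key directory listing across the two logons tells you whether the custom package is producing a session that DPAPI treats as a different user, which is what the export failures in the post suggest.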