System Service: Allow Admins to Impersonate User for Recovery

Hi All,

I'm working with a suite which allows users to work with encrypted
data. The data is encrypted under a key which is encrypted with DPAPI
(ie, tied to a user's account). So the user calls CryptUnprotectData
to retrieve their bulk encryption key, and then performs bulk
encryption using that key.

The software needs to allow an administrator to recover the encrypted
data. I believe that means an administrator needs to be able to call
CryptUnprotectData under a user's context to recover the key.

Is there an API call which allows a System Service to impersonate a
user *without* the user's password? Or do I need to look to other
functions/methods for the recovery effort?

Thanks in advance,

Relevant Pages

  • Re: shred or scrub
    ... very expensive hardware probing to recover the data". ... Encryption uses keys, not passwords. ... decrypt a bulk data confidentiality key. ... As well as supporting passphrase revocation (supposing the encrypted ...
  • Re: cannot retrive documents
    ... Go to the security tab and click advanced. ... Take Ownership of a File or Folder in Windows XP ... To recover encrypted files you will need the original ... encryption certificate or a Recovery Agent from the installation under which ...
  • Re: Is encrypting twice much more secure?
    ... of beneficiaries will have the ability to recover this data. ... source code of the decryption program. ... like the encryption being cracked. ...
  • Re: Unable to Decrypt Encrypted files
    ... Since the original account information in unavailable, there is no way to recover any of your encryption certificates. ... keys his data is gone. ...
  • Re: File Encryption
    ... If you did not back-up the encryption key or the Recovery Agent and ... > reinstall winXP. ... > preciously encrypted files to decrypt. ... > How do i decrypt the files and recover them. ...