{
	"id": "37ca6312-8181-4cfe-be17-103bde965866",
	"created_at": "2026-04-06T00:12:46.110767Z",
	"updated_at": "2026-04-10T03:21:06.03424Z",
	"deleted_at": null,
	"sha1_hash": "00404852f4793ee7ef265390c3dc9840b16c3deb",
	"title": "CryptUnprotectData function (dpapi.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69637,
	"plain_text": "CryptUnprotectData function (dpapi.h) - Win32 apps\r\nBy GrantMeStrength\r\nArchived: 2026-04-05 18:41:16 UTC\r\nThe CryptUnprotectData function decrypts and does an integrity check of the data in a DATA_BLOB structure.\r\nUsually, the only user who can decrypt the data is a user with the same logon credentials as the user who\r\nencrypted the data. In addition, the encryption and decryption must be done on the same computer. For\r\ninformation about exceptions, see the Remarks section of CryptProtectData.\r\nSyntax\r\nDPAPI_IMP BOOL CryptUnprotectData(\r\n [in] DATA_BLOB *pDataIn,\r\n [out, optional] LPWSTR *ppszDataDescr,\r\n [in, optional] DATA_BLOB *pOptionalEntropy,\r\n PVOID pvReserved,\r\n [in, optional] CRYPTPROTECT_PROMPTSTRUCT *pPromptStruct,\r\n [in] DWORD dwFlags,\r\n [out] DATA_BLOB *pDataOut\r\n);\r\nParameters\r\n[in] pDataIn\r\nA pointer to a DATA_BLOB structure that holds the encrypted data. The DATA_BLOB structure's cbData\r\nmember holds the length of the pbData member's byte string that contains the text to be encrypted.\r\n[out, optional] ppszDataDescr\r\nA pointer to a string-readable description of the encrypted data included with the encrypted data. This parameter\r\ncan be set to NULL. When you have finished using ppszDataDescr, free it by calling the LocalFree function.\r\n[in, optional] pOptionalEntropy\r\nA pointer to a DATA_BLOB structure that contains a password or other additional entropy used when the data was\r\nencrypted. This parameter can be set to NULL; however, if an optional entropy DATA_BLOB structure was used\r\nin the encryption phase, that same DATA_BLOB structure must be used for the decryption phase. 
For information\r\nabout protecting passwords, see Handling Passwords.\r\npvReserved\r\nhttps://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata\r\nPage 1 of 4\n\nThis parameter is reserved for future use and must be set to NULL.\r\n[in, optional] pPromptStruct\r\nA pointer to a CRYPTPROTECT_PROMPTSTRUCT structure that provides information about where and when\r\nprompts are to be displayed and what the content of those prompts should be. This parameter can be set to NULL.\r\n[in] dwFlags\r\nA DWORD value that specifies options for this function. This parameter can be zero, in which case no option is\r\nset, or the following flags.\r\nValue: Meaning\r\nCRYPTPROTECT_UI_FORBIDDEN: This flag is used for remote situations where the user interface (UI) is not an option. When this flag is set and UI is specified for either the protect or unprotect operation, the operation fails and GetLastError returns the ERROR_PASSWORD_RESTRICTION code.\r\nCRYPTPROTECT_VERIFY_PROTECTION: This flag verifies the protection of a protected BLOB. If the default protection level configured on the host is higher than the current protection level for the BLOB, the function returns CRYPT_I_NEW_PROTECTION_REQUIRED to advise the caller to protect the plaintext contained in the BLOB again.\r\n[out] pDataOut\r\nA pointer to a DATA_BLOB structure where the function stores the decrypted data. When you have finished using\r\nthe DATA_BLOB structure, free its pbData member by calling the LocalFree function.\r\nReturn value\r\nIf the function succeeds, the function returns TRUE.\r\nIf the function fails, it returns FALSE.\r\nThe CryptProtectData function creates a session key when the data is encrypted. That key is derived again and\r\nused to decrypt the data BLOB.\r\nThe Message Authentication Code (MAC) hash added to the encrypted data is used to detect whether the\r\nencrypted data was altered in any way. 
However, the specific error code returned when tampering is detected may\r\nvary depending on the nature of the corruption. The function may return ERROR_INVALID_DATA,\r\nERROR_INVALID_PARAMETER, or in some cases may succeed with corrupted output. Applications should not\r\nrely on a specific error code to detect data tampering. For robust tamper detection, consider implementing\r\nadditional integrity checks at the application level.\r\nWhen you have finished using the DATA_BLOB structure, free its pbData member by calling the LocalFree\r\nfunction. Any ppszDataDescr that is not NULL must also be freed by using LocalFree.\r\nWhen you have finished using sensitive information, clear it from memory by calling the SecureZeroMemory\r\nfunction.\r\nExamples\r\nThe following example shows decrypting encrypted data in a DATA_BLOB structure. This function does the\r\ndecryption by using a session key that the function creates by using the user's logon credentials. For another\r\nexample that uses this function, see Example C Program: Using CryptProtectData.\r\n// Decrypt data from DATA_BLOB DataOut to DATA_BLOB DataVerify.\r\n//--------------------------------------------------------------------\r\n// Declare and initialize variables.\r\nDATA_BLOB DataOut;\r\nDATA_BLOB DataVerify;\r\nLPWSTR pDescrOut = NULL;\r\n//--------------------------------------------------------------------\r\n// The buffer DataOut would be created using the CryptProtectData\r\n// function. 
It may have been read in from a file.\r\n//--------------------------------------------------------------------\r\n// Begin unprotect phase.\r\nif (CryptUnprotectData(\r\n \u0026DataOut,\r\n \u0026pDescrOut,\r\n NULL, // Optional entropy\r\n NULL, // Reserved\r\n NULL, // Here, the optional\r\n // prompt structure is not\r\n // used.\r\n 0,\r\n \u0026DataVerify))\r\n{\r\n printf(\"The decrypted data is: %s\\n\", DataVerify.pbData);\r\n // pDescrOut is a wide string (LPWSTR), so print it with %ls.\r\n printf(\"The description of the data was: %ls\\n\", pDescrOut);\r\n LocalFree(DataVerify.pbData);\r\n LocalFree(pDescrOut);\r\n}\r\nelse\r\n{\r\n printf(\"Decryption error!\");\r\n}\r\nRequirements\r\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps | UWP apps]\r\nMinimum supported server Windows Server 2003 [desktop apps | UWP apps]\r\nTarget Platform Windows\r\nHeader dpapi.h\r\nLibrary Crypt32.lib\r\nDLL Crypt32.dll\r\nSee also\r\nCryptProtectData\r\nCryptUnprotectMemory\r\nData Encryption and Decryption Functions\r\nLocalFree\r\nMicrosoft Base Cryptographic Provider\r\nSource: https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata"
	],
	"report_names": [
		"nf-dpapi-cryptunprotectdata"
	],
	"threat_actors": [],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00404852f4793ee7ef265390c3dc9840b16c3deb.pdf",
		"text": "https://archive.orkl.eu/00404852f4793ee7ef265390c3dc9840b16c3deb.txt",
		"img": "https://archive.orkl.eu/00404852f4793ee7ef265390c3dc9840b16c3deb.jpg"
	}
}