NirSoft has released EncryptedRegView, a free tool which finds, decrypts and displays Registry data protected by Windows’ DPAPI encryption scheme.
DPAPI isn’t widely used, even by Microsoft products, but the program managed to find Outlook passwords, Microsoft Edge details and a few other interesting items on our test PC.
The program is straightforward to use. Run it as an administrator if possible, click OK on the opening dialog and watch as EncryptedRegView scans your Registry.
The program displays every DPAPI-protected item it finds, with columns for Registry path, original and decrypted values, hash and encryption values, and more.
Most of these items won’t mean anything to the average user. You’ll see a path like “HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{60782261-81D18-4323-9C64-10DE93176363}”, with a cryptic hex dump, and nothing else at all.
Other items could be more interesting. Our test system had several value names of “POP3 Password” with actual email passwords as the “Decrypted Value”. Each of these had a Registry path including “Microsoft\Office\16.0\Outlook\Profiles”, so we could see they were Outlook passwords.
This could well be useful, but the program doesn’t directly tell you which password belongs to which Outlook account. You would have to explore the profile path in the Registry to understand that.
Fortunately, if there is a lot to do, you’re able to save the selected items as a text, csv or html report for later study.
You can also run an advanced search at any time (Options > Advanced Search) to scan Registry files on an external hard drive, perhaps from some other PC. Note that you’ll only be able to see user-encrypted data if you have that user’s logon password.
Overall, EncryptedRegView won’t appeal to the average user, but if you’re interested in computer forensics it could give you some handy clues about your target system.
EncryptedRegView is a free tool for Windows XP and later.
Your Comments & Opinion