/// <summary>
/// Backup a user's credentials.
/// </summary>
/// <param name="token">The user's token.</param>
/// <param name="key">The key for the data, typically a unicode password. Optional</param>
/// <param name="key_encoded">True if the key is already encoded.</param>
/// <remarks>Caller needs SeTrustedCredmanAccessPrivilege enabled.</remarks>
public static byte[] Backup(NtToken token, byte[] key, bool key_encoded)
{
string target_path = Path.GetTempFileName();
IntPtr ptr = IntPtr.Zero;
try
{
int length = (key?.Length * 2) ?? 0;
if (length > 0)
{
ptr = Marshal.AllocHGlobal(key.Length);
Marshal.Copy(key, 0, ptr, key.Length);
}
if (!SecurityNativeMethods.CredBackupCredentials(token.Handle, target_path,
ptr, length, key_encoded ? 1 : 0))
{
Win32Utils.GetLastWin32Error().ToNtException();
}
return(ProtectedData.Unprotect(File.ReadAllBytes(target_path),
null, DataProtectionScope.CurrentUser));
}
finally
{
if (ptr != IntPtr.Zero)
{
Marshal.FreeHGlobal(ptr);
}
File.Delete(target_path);
}
}
