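/// <summary>
/// Backup a user's credentials.
/// </summary>
/// <param name="token">The user's token.</param>
/// <param name="key">The key for the data, typically a unicode password. Optional; null or empty means no key is passed.</param>
/// <param name="key_encoded">True if the key is already encoded.</param>
/// <returns>The credential backup blob, after removing the DPAPI (current-user scope) layer the native call applied to the temporary file.</returns>
/// <exception cref="NtException">Thrown when the native backup call fails.</exception>
/// <remarks>
/// Caller needs SeTrustedCredmanAccessPrivilege enabled.
/// The temporary backup file is deleted and the unmanaged copy of <paramref name="key"/> is zeroed
/// before this method returns, whether or not the call succeeded.
/// </remarks>
public static byte[] Backup(NtToken token, byte[] key, bool key_encoded)
{
    string target_path = Path.GetTempFileName();
    IntPtr ptr = IntPtr.Zero;
    // Size in bytes of the unmanaged key buffer. It must equal the allocation below: the
    // previous version declared key.Length * 2 while allocating only key.Length bytes,
    // which told the native call the buffer was twice its real size (an over-read).
    int length = key?.Length ?? 0;
    try
    {
        if (length > 0)
        {
            ptr = Marshal.AllocHGlobal(length);
            Marshal.Copy(key, 0, ptr, length);
        }
        if (!SecurityNativeMethods.CredBackupCredentials(token.Handle, target_path, ptr, length, key_encoded ? 1 : 0))
        {
            // NOTE(review): if ToNtException() on a Win32Error returns the exception rather than
            // throwing it, execution falls through and reads an empty temp file — confirm against
            // Win32Utils and add `throw` here if so.
            Win32Utils.GetLastWin32Error().ToNtException();
        }
        // The native call's output file is read back and unprotected with current-user DPAPI scope.
        return ProtectedData.Unprotect(File.ReadAllBytes(target_path), null, DataProtectionScope.CurrentUser);
    }
    finally
    {
        if (ptr != IntPtr.Zero)
        {
            // Scrub the key material before the block is returned to the unmanaged heap.
            for (int i = 0; i < length; i++)
            {
                Marshal.WriteByte(ptr, i, 0);
            }
            Marshal.FreeHGlobal(ptr);
        }
        File.Delete(target_path);
    }
}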