This major release adds 14 new PowerShell cmdlets focused on DPAPI-NG / CNG DPAPI data decryption and DNS record / DNSSEC signing key export, along with several bug fixes.
Notable Changes
- Added the Protect-DpapiNgData, Unprotect-DpapiNgData, and Get-DpapiNgData cmdlets for encrypting, decrypting, and parsing DPAPI-NG protected blobs.
- Added the New-DpapiNgNamedDescriptor, Get-DpapiNgNamedDescriptor, and Remove-DpapiNgNamedDescriptor cmdlets for managing named DPAPI-NG protection descriptors.
- Added the Get-DpapiNgPfxCertificate and Unprotect-DpapiNgPfxCertificate cmdlets for extracting and decrypting SID-based DPAPI-NG certificate password protectors from PFX files, either online or offline with -KdsRootKey.
- Added the Get-DpapiNgSidKeyIdentifier, Save-DpapiNgSidKey, and Clear-DpapiNgSidKeyCache cmdlets for managing the local cache of KDS root key derived DPAPI-NG group keys, enabling offline decryption.
- Added the Save-DnsServerResourceRecord cmdlet for exporting DNS records to zone files.
- Added the Get-ADSIKdsRootKey cmdlet for reading KDS root keys through LDAP.
- Added the Get-ADSIServiceAccount cmdlet for reading gMSAs and dMSAs through LDAP with passwords derived from KDS root keys.
- Fixed intermittent "CRC check failed." errors during replication caused by RPC session key renegotiation mid-replication.
See the Changelog for a more detailed list of new features.
DSInternals PowerShell Module
- The module is available in the PowerShell Gallery.
- As an alternative, the attached DSInternals_v7.0.zip file can be used for offline module installation.
- The module is also available as a Chocolatey package.
NuGet Packages
Official binary packages are available in the NuGet Gallery.