gentilkiwi / mimikatz

A little tool to play with Windows security

Home Page: http://blog.gentilkiwi.com/mimikatz

Decrypting the masterkey

Taly01 opened this issue

Hello
I am trying to gain access to some encrypted files from before reinstalling Windows.
I am following this tutorial:
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files

I am stuck at Decrypting the masterkey

I know the password.
It is the same user account and password I am using currently.

But yet with the command:
dpapi::masterkey /in:"Protect\SID\guidMasterKey" /password:correctPassword

I get the error:

[masterkey] with password: correctPassword (normal user)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password

Even with /protected I get:

[masterkey] with password: correctPassword (protected user)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password

I also tried the same command but with NTLM instead.
dpapi::masterkey /in:"Protect\SID\guidMasterKey" /hash:correctPasswordInNTLM

I get this error instead:

[masterkey] with hash: correctPasswordInNTLM (ntlm type)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_userHash

As far as I know, I have the correct:

  • SID
  • guidMasterKey
  • Cleartext password / Password hashed in NTLM

The User Account that encrypted the data was a Microsoft Account and is the same one I am currently using.

The error seems to indicate that I am inputting the incorrect password, but I am sure I am using the correct password.

Is there anything I can do to recover my data?
I have access to the old "ProgramData" and "Users" folders from before I reinstalled Windows.

Any help would be very much appreciated
Thank you

Hello:
Microsoft Account login doesn't keep the real user password because it is re-encrypted. Of course you know the NTLM of the login password but not the "real NTLM of the encrypted password for the MA you use for login".
You can try with the CREDHIST tool from NirSoft, and try to catch the real NTLM so you can decrypt the masterkey.
It can take time ...