Comments (7)

hounsell commented on August 15, 2024

It obtains the crypto-key through Windows Update at the same time you get the ESD normally.

This wasn't always true for internal ESDs, like the well-known ones you have (I saw your post on BA). In these cases, the crypto-key was pre-shared internally and added to the registry. Normally, you'd only get served that ESD because WU detects the presence of the Crypto-key registry entry.

These days, things are better secured and ESDs never get pushed to public WU.

from decryptesd.

tristanleboss commented on August 15, 2024

Ok. These ESDs come from the caching system of a decommissioned proxy server. I have 72 of them. Some are from known builds but some are from unknown builds: 9833, 10034, 10144, 10152. Are they also "well-known" (strangely, googling their names leads to no result... same for the one I posted on BA)?

hounsell commented on August 15, 2024

Yes.

And by "well-known", I mean by anyone who actually cares to investigate such things. That necessarily excludes most of BA and means finding info on Google probably won't return much. Such things are rarely discussed in public.

There's these four and then about 10 other "unleaked" builds that were uploaded to public WU. No way to get CryptoKey for any of them without info from someone on the Windows team.

tristanleboss commented on August 15, 2024

But, when you say "well-known", does it mean you also have the ESD files? Indeed, for example, the ESD of build 9833 can be decoded by your tool.

Thanks for your information about the fact that this build comes from WU. I searched for information the whole day and I think we need the Update ID to grab the key. I found the Revision ID (not Revision Number) of my builds but I don't know how to obtain/derive the Update ID for this Revision ID... of course, they don't appear on catalog.update.microsoft.com...

hounsell commented on August 15, 2024

I do have the files.

The Update ID is not enough to retrieve the key. As I alluded to, these builds rely on pre-shared Crypto Keys. All that's stored on WU is a detectoid that picked up whether you had the key (which was stored in the registry) by comparing the last four base64 characters. The full key was distributed another way internally.

These days, they do it differently anyway, but to unlock these keys, you'll probably need someone who was on the team at the time.
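To make the detectoid mechanism hounsell describes concrete, here is a small model of it. This is an added example, not code from decryptesd or from Microsoft: the registry path, value name and the sample key are invented, and the registry itself is simulated with a dict so the script runs offline. It reproduces the "compare the last four base64 characters" rule and counts how many bits of the pre-shared key that tail actually exposes, including the padding case where the final base64 quad encodes fewer than three bytes.

```python
"""Model of the Windows Update CryptoKey detectoid (constructed example).

The detectoid did not carry the key; it only checked that a registry value
was present and that its last four base64 characters matched a stored tail.
Everything below (path, value name, key bytes) is made up for illustration.
"""
import base64

# Constructed sample key: 32 bytes 0x00..0x1f, base64-encoded as it might have
# been pre-shared and dropped into the registry. Not a real Microsoft key.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode("ascii")

# Hypothetical registry location; simulated with a dict instead of winreg so the
# script runs anywhere. On a real box this would be a HKLM query.
CRYPTOKEY_PATH = r"HKLM\SOFTWARE\Microsoft\WindowsUpdate\CryptoKey"
FAKE_REGISTRY = {CRYPTOKEY_PATH: SAMPLE_KEY}


def fingerprint(b64key: str) -> str:
    """Return the last four base64 characters, the only thing the detectoid stored."""
    if len(b64key) < 4:
        raise ValueError("key too short to fingerprint")
    return b64key[-4:]


def detectoid_matches(registry: dict, value_path: str, expected_tail: str) -> bool:
    """Applicability rule: the value exists and its tail equals the stored tail."""
    stored = registry.get(value_path)
    return stored is not None and fingerprint(stored) == expected_tail


def tail_bits_leaked(b64key: str) -> int:
    """Key bits revealed by the tail.

    A base64 quad encodes 3 bytes, but a trailing '=' or '==' means the last
    quad only carries 2 or 1 real bytes, so the leak is 24, 16 or 8 bits.
    """
    pad = b64key[-4:].count("=")
    return 8 * (3 - pad)


def key_bits_unknown(b64key: str) -> int:
    """Bits of the key that the detectoid tail says nothing about."""
    raw_len = len(base64.b64decode(b64key))
    return 8 * raw_len - tail_bits_leaked(b64key)


if __name__ == "__main__":
    tail = fingerprint(SAMPLE_KEY)
    print("registry value:", SAMPLE_KEY)
    print("detectoid tail:", tail)
    print("matches:", detectoid_matches(FAKE_REGISTRY, CRYPTOKEY_PATH, tail))
    print("bits leaked by tail:", tail_bits_leaked(SAMPLE_KEY))
    print("bits still unknown:", key_bits_unknown(SAMPLE_KEY))
```

The point of the last two functions is the practical one behind hounsell's remark: even with the detectoid's stored tail in hand you recover at most 24 bits of a key that is hundreds of bits long, so the tail is an eligibility check, not a recovery path.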

tristanleboss commented on August 15, 2024

I trust your information, thanks for it.

At that time, it was the only way to do it because both the WU agent and the WU server's API were not ready for ESD key delivery. Both have since been updated (probably for the Windows 10 upgrade) and the WU agent can directly request the ESD key from the WU server's API. I imagine you know that... ;)

Hence the fact that I'm interested in the UpdateID of one of these undecryptable builds. I can't imagine the people at Microsoft registering these builds into the WU server's database without saving the decryption key along with it. It probably was saved in the WU server's database but was just not requestable at that time; hence the fact that it was delivered by another way. It was also convenient to check if the computer was eligible. Of course, I speculate, but it's not totally stupid and costs nothing to try.

afan02 commented on August 15, 2024

At that time, it was the only way to do it because both the WU agent and the WU server's API were not ready for ESD key delivery. Both have since been updated (probably for the Windows 10 upgrade) and the WU agent can directly request the ESD key from the WU server's API. I imagine you know that... ;)

When was WUSP ever not ready for ESD key delivery? Since TH1 the process was mainly to request DecryptionKey along with the FileUrl attribute from GetExtendedUpdateInfo2, which will check the MSA token in the SOAP header to ensure your eligibility for getting the content (although more attributes play a role now in getting appropriate authorization, which were added along with UUP). You may be able to get the update GUID from SyncUpdates but you still need a proper token for GetExtendedUpdateInfo2 to get the file path and key.

Basically, even if the keys were there (which I doubt they kept them anyway), whatever you do you cannot get them without proper MSA token that is properly registered to an internal ring at Microsoft.
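The exchange afan02 describes, as an added example that is not part of the original thread and not decryptesd's code: a GetExtendedUpdateInfo2 request asking for the FileUrl and FileDecryption fragments for one update identity, with the MSA ticket carried in the SOAP header, and a parser that pulls Url and DecryptionKey out of the reply. The namespaces and element names are written from my understanding of the public WU client web service and should be treated as assumptions; the update GUID, token, URL, digest and the whole response below are constructed, not captured from Microsoft's servers.

```python
"""GetExtendedUpdateInfo2 request/response sketch (constructed example).

Builds the SOAP request that asks WU for the file URL and decryption key of
one update revision, refusing to build it without an MSA ticket, and parses a
constructed response. Element and namespace names are assumptions about the
WU client web service, not verified captures.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WU_NS = "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"
# Assumed namespace for the ticket header.
AUTH_NS = "http://schemas.microsoft.com/msus/2014/10/WindowsUpdateAuthorization"


def _q(ns: str, tag: str) -> str:
    """Clark-notation qualified tag name for ElementTree."""
    return f"{{{ns}}}{tag}"


def build_request(update_id: str, revision: int, msa_token: str) -> str:
    """Return the SOAP envelope for GetExtendedUpdateInfo2.

    The server decides eligibility from the MSA ticket, so a request without
    one is refused here rather than sent and denied.
    """
    if not msa_token:
        raise ValueError("GetExtendedUpdateInfo2 needs an MSA ticket in the SOAP header")
    env = ET.Element(_q(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, _q(SOAP_NS, "Header"))
    tickets = ET.SubElement(header, _q(AUTH_NS, "WindowsUpdateTicketsToken"))
    ticket = ET.SubElement(tickets, _q(AUTH_NS, "TicketType"),
                           Name="MSA", Version="1.0", Policy="MBI_SSL")
    ET.SubElement(ticket, _q(AUTH_NS, "User")).text = msa_token
    body = ET.SubElement(env, _q(SOAP_NS, "Body"))
    call = ET.SubElement(body, _q(WU_NS, "GetExtendedUpdateInfo2"))
    ids = ET.SubElement(call, _q(WU_NS, "updateIDs"))
    ident = ET.SubElement(ids, _q(WU_NS, "UpdateIdentity"))
    ET.SubElement(ident, _q(WU_NS, "UpdateID")).text = update_id
    ET.SubElement(ident, _q(WU_NS, "RevisionNumber")).text = str(revision)
    types = ET.SubElement(call, _q(WU_NS, "infoTypes"))
    for info in ("FileUrl", "FileDecryption"):
        ET.SubElement(types, _q(WU_NS, "XmlUpdateFragmentType")).text = info
    return ET.tostring(env, encoding="unicode")


def parse_response(xml_text: str) -> list:
    """Extract (digest, url, key) per FileLocation; key is None if withheld."""
    root = ET.fromstring(xml_text)
    found = []
    for loc in root.iter(_q(WU_NS, "FileLocation")):
        found.append({
            "digest": loc.findtext(_q(WU_NS, "FileDigest")),
            "url": loc.findtext(_q(WU_NS, "Url")),
            "key": loc.findtext(_q(WU_NS, "DecryptionKey")),
        })
    return found


# Constructed response, shaped like what the parser expects. The GUID, digest,
# URL and key are placeholders (the key is just base64 of "constructed-key").
SAMPLE_UPDATE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP_NS}">
  <s:Body>
    <GetExtendedUpdateInfo2Response xmlns="{WU_NS}">
      <GetExtendedUpdateInfo2Result>
        <FileLocations>
          <FileLocation>
            <FileDigest>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</FileDigest>
            <Url>http://example.invalid/9833.esd</Url>
            <DecryptionKey>Y29uc3RydWN0ZWQta2V5</DecryptionKey>
          </FileLocation>
        </FileLocations>
      </GetExtendedUpdateInfo2Result>
    </GetExtendedUpdateInfo2Response>
  </s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    print(build_request(SAMPLE_UPDATE_ID, 1, "placeholder-msa-ticket"))
    for entry in parse_response(SAMPLE_RESPONSE):
        print(entry["url"], "key present:", entry["key"] is not None)
```

The request side is the part that matters for tristanleboss's question: the update identity alone gets you a well-formed request, but the server answers FileUrl and DecryptionKey only for a ticket it recognises, which is exactly why afan02 says an UpdateID without a ring-registered MSA token does not help.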
