Same here, crypto::cng patching stopped working since I updated my Windows 10 to build 1909

Does this work on build 1909 for anyone?

Hi @raduci68, I have submitted a PR which fixes this for my copy of Win10 1909, try applying this patch #362 or clone mimikatz from https://github.com/hubert3/mimikatz

@hubert3
Any chance you can upload a PR for windows version 21H2(build 19044)? How can I find out which patch sequence is needed for KeyIso service (ncryptprov.dll)?
I tried PTRN_W10_1809_SPCryptExportKey and PTRN_W10_1607_SPCryptExportKey, but both won't work.
Thx for help.

@juxeii I just updated my fork so crypto::cng works on 20H2 (2009 / 19041), I will take a look at 21H2 next

@juxeii my PR #362 was merged today, this should make it work on 21H2 x64.

I found that PTRN_W10_1607_SPCryptExportKey is the correct patch for this version when I tested it on a new 21H2 vm today (but also a #define for this Windows build version was missing in globals.h)

If it's still not working for you let me know.

Has this failure to patch returned with 21H2 19044? I'm getting ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000000) on crypto::cng, but on a 21H2 machine with 19041 it's working as intended.

@Proplex Please send me the output of mimikatz 'version' and the DLL version of the Windows ncryptprov.dll file on the system where it's not working?

According to the table on https://en.wikipedia.org/wiki/Windows_10_version_history 19041 is 20H2 and 19044 is 21H2, so I'm a bit confused by "21H2 machine with 19041"

Thanks @pineman, my 21H2 test system on OS build 19044.1826 still had ncryptprov.dll 10.0.19041.1620, I have not seen your version of the DLL before

The new version may or may not require a different patch but Mimikatz code will have to be updated either way, I'll look into it

@pineman I ran Windows update on my Windows 10 Pro 21H2 64-bit vm and have ended up with OS build 19044.2251 (newer than yours) but my ncryptprov.dll is still an older version than yours (10.0.19041.2193)

Not sure how to get my system updated to the DLL version you have, or which KB update updates it - What edition of Windows 10 are you running?

Can you send me a link to your DLL binary?

@juxeii @pineman @Proplex Try this build, it may work https://ci.appveyor.com/project/gentilkiwi/mimikatz/builds/45524049/job/kh17wjuqhk7uq27q/artifacts

If not please apply any outstanding Windows updates and send me your windows\system32\ncryptprov.dll

@hubert3 It worked with ncryptprov.dll 10.0.19041.2193! Thank you!!

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

Issue still persists with latest Win 10. Also tried the fork by @hubert3 but still the same.

I am not good enough to do it with a pull request, I will do it as soon as I figure out how to... In the meantime:

BYTE PTRN_W11_24H2_SPCryptExportKey[]       = {0xf6, 0x41, 0x24, 0x02, 0x75, 0x40};

{KULL_M_WIN_BUILD_11_24H2,  {sizeof(PTRN_W11_24H2_SPCryptExportKey),PTRN_W11_24H2_SPCryptExportKey},{sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}}, //ncryptprov.dll 10.0.26100.1591 and maybe others