EncryptedRegView is a tiny portable tool which scans the Registry of the local system (or a file on an external drive), locates data encrypted with DPAPI (Data Protection API), decrypts and displays it.
This won't find much on most systems, but it can occasionally turn up something interesting. On our test system it found the passwords for our Outlook accounts, for instance, and displayed them in decrypted plain-text form.
The program is straightforward to use. Run it as an administrator if you can (not compulsory, but you might find more system-encrypted data), click OK on the opening dialog and watch as EncryptedRegView scans your Registry, decrypting any DPAPI-protected details it finds.
EncryptedRegView displays this data in a table, including the Registry path, original and decrypted values, hash and encryption values, and more.
This isn't the way any application expects you to access its data, so you'll need to do some work to even begin to figure out what it means.
We saw some value names of "POP3 Password" with actual email passwords as the "Decrypted Value", for instance, and checking "Registry Path" showed these were stored under "Microsoft\Office\16.0\Outlook\Profiles". That could well be useful, but the program doesn't directly tell you which password belongs with which profile. You'll need to do more research with the original Registry Path to understand that.
Fortunately, if there is a lot to do, you're able to save the selected items as a text, csv or html report for later study.
You can also run an advanced search at any time (Options > Advanced Search) to scan Registry files on an external hard drive. Note that you'll only be able to see user-encrypted data if you have that user's logon password.
Fixed the lower pane to switch focus when pressing tab key.