Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Collapse the table of content
Expand the table of content

CryptUnprotectMemory function

The CryptUnprotectMemory function decrypts memory that was encrypted using the CryptProtectMemory function.


BOOL WINAPI CryptUnprotectMemory(
  _Inout_ LPVOID pData,
  _In_    DWORD  cbData,
  _In_    DWORD  dwFlags


pData [in, out]

A pointer to the block of memory to decrypt. The cbData parameter specifies the number of bytes that the function will attempt to decrypt. If the data contained in the memory space is smaller than the number of bytes specified, the function will attempt to decrypt data outside of the intended block. If it is larger than cbData bytes, then only the first cbData bytes will be decrypted.

cbData [in]

Number of bytes of memory pointed to by the pData parameter to decrypt. The number of bytes must be a multiple of the CRYPTPROTECTMEMORY_BLOCK_SIZE constant defined in Wincrypt.h.

dwFlags [in]

This parameter can be one of the following flags. You must specify the same flag when encrypting and decrypting the memory.


Encrypt and decrypt memory in the same process. An application running in a different process will not be able to decrypt the data.


Encrypt and decrypt memory in different processes. An application running in a different process will be able to decrypt the data.


Use the same logon credentials to encrypt and decrypt memory in different processes. An application running in a different process will be able to decrypt the data. However, the process must run as the same user that encrypted the data and in the same logon session.


Return value

If the function succeeds, the function returns TRUE.

If the function fails, it returns FALSE. For extended error information, call GetLastError.


Using CryptProtectMemory and CryptUnprotectMemory for password encryption is not secure because the data exists as plaintext in memory before it is encrypted and at any time the caller decrypts it for use.

You must encrypt and decrypt the memory during the same boot session. If the computer is restarted before you call the CryptUnprotectMemory function, you will not be able to decrypt the data.

You must pass the same flag to CryptUnprotectMemory and CryptProtectMemory. If you pass different flags, the CryptUnprotectMemory function succeeds; however, the result is unpredictable.

When you have finished using the sensitive information, clear it from memory by calling the SecureZeroMemory function.


The following example calls the CryptUnprotectMemory function to decrypt data that is in memory. The example assumes the variable pEncryptedText points to a string that has been encrypted using the CryptProtectMemory function.

#include <windows.h>
#include <stdio.h>
#include <Wincrypt.h>
#include <strsafe.h>
#pragma comment(lib, "crypt32.lib")

void main()
    LPWSTR pEncryptedText;  // contains the encrypted text
    DWORD cbEncryptedText;  // number of bytes to which 
	                        // pEncryptedText points

    if (CryptUnprotectMemory(pEncryptedText, cbEncryptedText, 
        // Use the decrypted string.
        wprintf(L"CryptUnprotectMemory failed: %d\n", 

    // Clear and free memory after using
    // the decrypted string or if an error occurs. 
    SecureZeroMemory(pEncryptedText, cbEncryptedText);
    pEncryptedText = NULL;


Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]


Wincrypt.h on Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003





See also




Community Additions

© 2015 Microsoft