DataProtectionProvider.UnprotectStreamAsync | unprotectStreamAsync method

Asynchronously decrypts a data stream.


dataProtectionProvider.unprotectStreamAsync(src, dest).done( /* Your success and error handlers */ );



Parameters

src

Type: IInputStream

Stream to decrypt.

dest

Type: IOutputStream

Decrypted stream.

Return value

Type: IAsyncAction

Represents an asynchronous action.


You must call the DataProtectionProvider() constructor before calling this method.

For security descriptors and SDDL strings, you must set the enterprise authentication capability in the manifest. The enterprise authentication capability is restricted to Windows Store apps built with company accounts, and is subject to additional onboarding validation. You should avoid the enterprise authentication capability unless it is absolutely necessary. For more information, see Registering for a Windows Store developer account.

For example, the following SID and SDDL providers require the enterprise authentication capability:

  • "SID=S-1-5-21-4392301 AND SID=S-1-5-21-3101812"
  • "SDDL=O:S-1-5-5-0-290724G:SYD:(A;;CCDC;;;S-1-5-5-0-290724)(A;;DC;;;WD)"

These providers do not require the enterprise authentication capability:

  • "LOCAL=user"
  • "LOCAL=machine"
  • "WEBCREDENTIALS=MyPasswordName"
  • "WEBCREDENTIALS=MyPasswordName,myweb.com"


The following example shows how to decrypt static data that was previously protected by using the ProtectStreamAsync function.

using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage.Streams;

public async Task<String> SampleDataUnprotectStream(
    IBuffer buffProtected,
    BinaryStringEncoding encoding)
{
    // Create a DataProtectionProvider object.
    DataProtectionProvider Provider = new DataProtectionProvider();

    // Create a random access stream to contain the encrypted message.
    InMemoryRandomAccessStream inputData = new InMemoryRandomAccessStream();

    // Create a random access stream to contain the decrypted data.
    InMemoryRandomAccessStream unprotectedData = new InMemoryRandomAccessStream();

    // Retrieve an IOutputStream object and fill it with the input (encrypted) data.
    IOutputStream outputStream = inputData.GetOutputStreamAt(0);
    DataWriter writer = new DataWriter(outputStream);
    // Queue the protected bytes in the writer; StoreAsync commits them to the stream.
    writer.WriteBuffer(buffProtected);
    await writer.StoreAsync();
    await outputStream.FlushAsync();

    // Retrieve an IInputStream object from which you can read the input (encrypted) data.
    IInputStream source = inputData.GetInputStreamAt(0);

    // Retrieve an IOutputStream object and fill it with decrypted data.
    IOutputStream dest = unprotectedData.GetOutputStreamAt(0);
    await Provider.UnprotectStreamAsync(source, dest);
    await dest.FlushAsync();

    // Write the decrypted data to an IBuffer object.
    DataReader reader2 = new DataReader(unprotectedData.GetInputStreamAt(0));
    await reader2.LoadAsync((uint)unprotectedData.Size);
    IBuffer buffUnprotectedData = reader2.ReadBuffer((uint)unprotectedData.Size);

    // Convert the IBuffer object to a string using the same encoding that was
    // used previously to convert the plaintext string (before encryption) to an
    // IBuffer object.
    String strUnprotected = CryptographicBuffer.ConvertBinaryToString(encoding, buffUnprotectedData);

    // Return the decrypted data.
    return strUnprotected;
}
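
A round trip built around this method, as an added example that is not from the original page or from Microsoft's samples: data is protected by a provider constructed from a descriptor, then unprotected by a provider created with the parameterless constructor. The class and method names are hypothetical, and returning null on failure assumes that a failed unprotect surfaces as an exception.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage.Streams;

public static class StreamProtectionRoundTrip // hypothetical helper class
{
    // Runs one provider operation (protect or unprotect) over in-memory streams.
    static async Task<IBuffer> TransformAsync(
        IBuffer input, Func<IInputStream, IOutputStream, IAsyncAction> operation)
    {
        using (var src = new InMemoryRandomAccessStream())
        using (var dst = new InMemoryRandomAccessStream())
        {
            await src.WriteAsync(input);                 // stage the input bytes
            await src.FlushAsync();
            IOutputStream sink = dst.GetOutputStreamAt(0);
            await operation(src.GetInputStreamAt(0), sink);
            await sink.FlushAsync();
            var reader = new DataReader(dst.GetInputStreamAt(0));
            await reader.LoadAsync((uint)dst.Size);
            return reader.ReadBuffer((uint)dst.Size);
        }
    }

    // Protect: the descriptor goes to the constructor. "LOCAL=user" is one of the
    // descriptors listed above as not needing the enterprise authentication capability.
    public static Task<IBuffer> ProtectAsync(string text, string descriptor = "LOCAL=user")
    {
        var provider = new DataProtectionProvider(descriptor);
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(text, BinaryStringEncoding.Utf8);
        return TransformAsync(plain, provider.ProtectStreamAsync);
    }

    // Unprotect: parameterless constructor, as this method requires. Returns null
    // when the operation fails (assumption: failures surface as exceptions).
    public static async Task<string> TryUnprotectAsync(IBuffer protectedData)
    {
        var provider = new DataProtectionProvider();
        try
        {
            IBuffer plain = await TransformAsync(protectedData, provider.UnprotectStreamAsync);
            return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, plain);
        }
        catch (Exception) { return null; } // treat any failure as "cannot unprotect"
    }
}
```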

Requirements (Windows 10 device family)

Device family: Universal, introduced version 10.0.10240.0

API contract: Windows.Foundation.UniversalApiContract, introduced version 1.0


Windows::Security::Cryptography::DataProtection [C++]



Requirements (Windows 8.x and Windows Phone 8.x)

Minimum supported client: Windows 8

Minimum supported server: Windows Server 2012

Minimum supported phone: Windows Phone 8.1 [Windows Runtime apps only]


Windows::Security::Cryptography::DataProtection [C++]



© 2016 Microsoft