
Export private keys marked as not-exportable on Windows

Does not work on Windows 11

Initial testing suggests that this does not work on Windows 11. Further testing is needed and user feedback is appreciated.

During certificate import, Windows marks private keys as non-exportable by default (the "Mark this key as exportable" checkbox in the Certificate Import Wizard is unchecked).

This prevents everyone, attackers and legitimate users alike, from exporting the private key later through the normal Windows interfaces. The flag is enforced by the software key storage providers, not by the key material itself, which is why mimikatz can bypass it by patching those providers in memory. Keys held in a TPM (Platform Crypto Provider) or on a smart card are a different matter: they never leave the hardware and cannot be exported this way.

Prerequisites

You will need to download mimikatz which your endpoint security software will most likely flag as malicious or dangerous. Prevent this from happening by temporarily excluding your download folder from scans. Please refer to the appropriate documentation of your endpoint security software on how to achieve this. Here is Microsoft’s documentation for Defender.

Download the current release (usually called mimikatz_trunk.zip) of mimikatz to the directory that you previously excluded from security scans. Extract the archive.

Exporting private keys

Open a command shell (press Win+R, enter cmd and press Enter).

Run with Administrator rights

You will need a shell with elevated rights for privilege::debug and crypto::cng, because crypto::cng patches the CNG key isolation service inside lsass. Only keys held by the legacy CryptoAPI providers can be exported from an unelevated shell (crypto::capi patches the mimikatz process itself). To start an elevated shell press Win+R, enter cmd and press Ctrl+Shift+Enter.

Change into the directory that contains mimikatz and run x64\mimikatz.exe:

cd %HOMEPATH%\Downloads\mimikatz_trunk
.\x64\mimikatz.exe

Enter these commands in this order (see the mimikatz wiki for details): crypto::capi patches the CryptoAPI providers loaded into the mimikatz process, privilege::debug acquires SeDebugPrivilege, crypto::cng uses it to patch the CNG key isolation service in lsass, and crypto::certificates /export then walks the current user's My store (add /systemstore:local_machine for the machine store) and writes every certificate, with its private key where one could be recovered:

crypto::capi
privilege::debug
crypto::cng
crypto::certificates /export

The exported files are in the current directory: a .der file per certificate and, where the key was recovered, a .pfx containing certificate and private key. The PFX password is mimikatz. Because that value is public knowledge, treat the .pfx files as unencrypted private keys and re-protect them with a password of your own before moving them anywhere.

Cleanup

Remove the scan exclusion so that on-access scanning covers the folder again, delete mimikatz, and delete or re-encrypt the exported .pfx files. As long as they sit on disk protected only with the password mimikatz they are as good as plaintext.
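The whole procedure (prerequisite, export, verification and cleanup) as one PowerShell script. This is an added example, not code from the original page or from the mimikatz project. It assumes Microsoft Defender is the endpoint product, that mimikatz is already extracted under $MimikatzDir, and that only the current user's My store is of interest; the inventory step, which reports which API and provider holds each key and whether it is hardware-bound, is an addition that lets you see in advance which keys this technique can and cannot recover.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page or from mimikatz. Assumptions (not on the page):
# Microsoft Defender is the endpoint product, mimikatz is already extracted under $MimikatzDir,
# and the target is the current user's "My" store.
param(
    [string]$MimikatzDir = "$env:USERPROFILE\Downloads\mimikatz_trunk",
    [string]$OutDir      = "$env:USERPROFILE\Downloads\exported-keys"
)
$ErrorActionPreference = 'Stop'

# Step 0: inventory. For each RSA certificate with a private key, report whether the key
# lives in CryptoAPI (crypto::capi) or CNG (crypto::cng), which provider holds it, and
# whether Windows considers it exportable. Keys in the Platform Crypto Provider (TPM) or
# on a smart card are hardware-bound; patching the software providers cannot recover them.
function Get-KeyExportability {
    $rsaOid = '1.2.840.113549.1.1.1'
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.PublicKey.Oid.Value -eq $rsaOid } |
        ForEach-Object {
            $api = $provider = 'unavailable'; $exportable = $false
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $api        = 'CNG'
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -band
                                   [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } else {
                    $api        = 'CAPI'
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch { Write-Warning "$($_.Exception.Message)" }   # e.g. smart card not present
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                Api        = $api
                Provider   = $provider
                Exportable = $exportable
                Hardware   = $provider -match 'Platform Crypto Provider|Smart Card'
            }
        }
}

# Step 1: the page's prerequisite and export steps, non-interactively. mimikatz treats each
# command-line argument as a console command and writes its exports to the current
# directory, so it is started from $OutDir. The exclusion is removed again even on failure.
function Invoke-MimikatzExport {
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    Add-MpPreference -ExclusionPath $MimikatzDir
    try {
        Push-Location $OutDir
        & "$MimikatzDir\x64\mimikatz.exe" 'crypto::capi' 'privilege::debug' 'crypto::cng' `
                                         'crypto::certificates /export' 'exit'
    } finally {
        Pop-Location
        Remove-MpPreference -ExclusionPath $MimikatzDir
    }
}

# Step 2: every .pfx mimikatz wrote is protected with the well-known password "mimikatz",
# i.e. effectively plaintext. Confirm each one really carries a private key, re-export it
# under a password of your choosing and delete the weakly protected copy.
function Protect-ExportedPfx {
    $newPassword = Read-Host -AsSecureString 'New PFX password'
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    foreach ($pfx in Get-ChildItem -Path $OutDir -Filter *.pfx | Where-Object Name -notlike '*.protected.pfx') {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $pfx.FullName, 'mimikatz',
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
        try {
            if (-not $cert.HasPrivateKey) { Write-Warning "$($pfx.Name): no private key inside"; continue }
            $target = [System.IO.Path]::ChangeExtension($pfx.FullName, '.protected.pfx')
            [System.IO.File]::WriteAllBytes($target, $cert.Export($pfxType, $newPassword))
            Remove-Item $pfx.FullName
            Write-Output "$($cert.Subject) -> $target"
        } finally { $cert.Dispose() }   # also drops the temporary key container
    }
}

Get-KeyExportability | Format-Table -AutoSize
Invoke-MimikatzExport
Protect-ExportedPfx
Remove-Item -Recurse -Force $MimikatzDir    # the page's cleanup step
```

Run the inventory alone first (dot-source the script and call Get-KeyExportability) on a machine where the export fails, for example on Windows 11: if every key of interest shows Hardware = True or Api = CNG, that tells you whether the limitation is the hardware or the crypto::cng patch.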