When running into Bitlocker recovery issues I always used the tools PCPTool (written by Stefan Thom) and Win7PCRv2 (actually I couldn’t figure out who coded this one) to dump the TPM PCR registers. On some devices with newer Win 10 builds (1709 onwards) the tools were throwing errors. PCPTool complained about a too small buffer size while Win7PCRv2 came up with some System.Management errors. Additionally, it is a pain that Win7PCRv2 is compiled against .NET 2.0, which forces you to install .NET 3.5 on Win 10 clients first.

That’s why I decided to re-write the PCR dump functions of those tools and combine them into one executable. PCPTool utilizes ncrypt.dll to get the PCR values while Win7PCRv2 relies on TPM base service (tbs.dll), which is also available in Win7. I gave a bigger buffer to the NCryptGetProperty call and I forced the WMI functions to use more current Management classes to query the TPM spec version. Still I have no idea why a byte[24*20] is not enough buffer for 24 TPM registers with 20 bytes each. So the ncrypt way my return incorrect values in rare cases.

The result of it all is a new executable, which can query the PCR registers in two different ways. Also, it uses .NET 4.0 so there’s no need to install ancient frameworks.
At the moment, the command understands 3 parameters:

  • ncrypt: forces the tool to query the PCR values using the NCryptGetProperty function of the ncrypt.dll (only available in Windows 10).
  • tbs: forces the tool to query the PCR values using the Tbsip_Submit_Command function of the tbs.dll.
  • getpcr: uses both methods. If the result is different, you can use the -ncrypt -show48 parameters to dump the next 24 * 20 bytes. Show48 is for debug purposes only.

Use PCRDump -? to get a usage output. Note that you must run the tool in an elevated command prompt.






Leave a Reply