This PowerShell script retrieves and decrypts credentials stored in a Veeam Backup & Replication (VBR) configuration database. It supports both MSSQL and PostgreSQL backends and handles credentials encrypted in v12 as well as v12.1 and later, which use an encryption salt. It is based on information found in the Veeam KB article "How to Recover Account Credentials From the Veeam Backup & Replication Database" (https://www.veeam.com/kb4349). Also, see my blog about this script: https://blog.workinghardinit.work/2025/08/10/revised-script-for-decrypting-datacenter-credentials-from-the-veeam-backup-replication-database/
- 🔎 Retrieves stored credentials from MSSQL or PostgreSQL database
- 🔐 Detects and supports both:
- v12 and earlier: base64 + DPAPI-encrypted strings starting with
A - v12.1+: base64 + encryption salt, prefixed with
V
- v12 and earlier: base64 + DPAPI-encrypted strings starting with
- 🧂 Automatically retrieves encryption salt from the registry
- 🧾 Optional filtering by username (
-Username) - 💾 Optional suppression of file export (
-NoExport) - 🧵 Single-pass logic (no recursion or redundant processing)
- 💡 Informative output with emoji + color coding
- 📋 Clean export formatting (if enabled)
- If omitted, the script processes all available credentials.
- If provided, only credentials for the specified user are processed.
- If empty or whitespace, the script halts with a warning.
- If used, the script does not export results to a file.
- If not specified, results are written to a file:
%USERPROFILE%\Desktop\Veeam_Credentials.txt
In Veeam Backup & Replication, the database info lives in the registry
- The Veeam database info in the registry lives here and is retrieved by the script as needed:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\DatabaseConfigurations\
In Veeam Backup & Replication v12.1 and later, encrypted passwords use an additional salt to protect the data.
This script:
- Automatically retrieves the encryption salt from the registry:
HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\Data
- Applies the salt when decrypting passwords that begin with
V(v12.1+ format)
No manual configuration is needed.
# Decrypt all credentials and export to Desktop
.\DecryptVeeamEncryptedPasswords.ps1
# Decrypt a specific user and export results
.\DecryptVeeamEncryptedPasswords.ps1 -Username 'DOMAIN\veeamservice'
# Decrypt a specific user without exporting
.\DecryptVeeamEncryptedPasswords.ps1 -Username 'DOMAIN\dbadmin' -NoExport--- User #1 ---
🔍 Username: DOMAIN\backupadmin 🔐 Format: v12.1 and up (with encryption salt)
🔒 Encrypted password: V2lZQU1Da...==
✅ Decrypted password: P@ssword123!
If a password is missing or can't be decrypted:
--- User #2 ---
🔍 Username: DOMAIN\tempuser ⚠️ No password stored.
If -Username is specified but no match is found:
⚠️ No credentials found for user 'DOMAIN\ghostuser'
- PowerShell 5.1 or PowerShell Core (7+)
- Local admin privileges
- Access to the Veeam registry hive
- For PostgreSQL: Npgsql.dll or ODBC PostgreSQL driver
- The script does not modify any data or credentials.
- Passwords are decrypted locally using Windows DPAPI.
- All sensitive data is handled in memory only unless you choose to export.
- The script includes fallback to ODBC if the Npgsql .NET assembly is not available.
If export is enabled (default behavior), the output file will contain entries like:
Veeam Credentials Export
Date: 2025-08-03 14:23:57
Executed by: administrator
VBR Server: VEEAM-BR01
----------------------------------------
User #1
Username : DOMAIN\svc.veeam
Encrypted password : AASD8fjs9asdf...
Decrypted password : MySecureP@ss!
**************************************
User #2
Username : DOMAIN\testuser
Encrypted password : VzdsSDFKKSDS...
Decrypted password : SuperStrongPassword!
**************************************
You can run the script directly in PowerShell:
.\DecryptVeeamEncryptedPasswords.ps1 -Username 'veeamadmin' -NoExportTo prevent the script from closing immediately (when run interactively), it will pause if executed in the console host.
Script maintained by WorkingHardInIT
Contributions welcome!