USMT 4.0 Store Compression and Encryption Explanations
The User State Migration Tool (USMT) 4.0 can encrypt its compressed migration store. This article answers some of the more common questions about how that compression and encryption work, and why Windows XP behaves differently from Windows Vista and Windows 7.
What is USMT 4.0's store compression algorithm?
USMT uses a Microsoft-proprietary format to compress the store file (USMT.MIG). The file cannot be opened with commercial or open-source compression tools, because the format is not published. To see what the store contains, generate a list of the files during ScanState with the /listfiles:FileName parameter; USMTUtils.exe /extract can also pull individual files back out of a compressed (and, with /decrypt and /key or /keyfile, encrypted) store without running LoadState.
How does USMT 4.0 encrypt the store file?
Files are read buffer by buffer, encrypted in memory, and written to the destination store. The store format itself is Microsoft-proprietary, but the encryption is the standard AES or 3DES cipher you select with /encrypt, obtained from the Windows CryptoAPI providers (see below). No portion of a file is written anywhere in unencrypted form, not even to a temporary file. Be clear about what this protects: the files on the source computer are of course still unencrypted, so store encryption only protects the data in transit and at rest between the ScanState and LoadState phases and does nothing for the source machine itself. A store created without /encrypt is not encrypted at all, and /nocompress cannot be combined with /encrypt. Store encryption is also unrelated to EFS-encrypted files: when those are migrated raw (/efs:copyraw) they are copied in their already-encrypted form and stay encrypted end to end, whether or not the store is encrypted.
How can you tell what encryption algorithm is supported by the computers that will be using USMT?
Use USMTUTILS.EXE /ec to list the cipher suites available on a source or destination computer. All operating systems that USMT 4.0 supports (Windows XP, Vista and 7) ship the ciphers that /encrypt and /decrypt accept (AES, AES_128, AES_192, AES_256, 3DES and 3DES_112), with two caveats: certain Windows editions may have one or more of those suites removed because of export restrictions, and on Windows XP USMT itself can only use the 3DES variants (see the next question). Check both ends of the migration, because LoadState must /decrypt with the same cipher that ScanState used for /encrypt.
What USMT encryption types does Windows XP Support?
Windows XP, which internally does support AES, can only use 3DES and 3DES_112 for store encryption because of a limitation in USMT itself: USMT requests the AES provider from CryptoAPI by the name used on Windows Vista and later, MS_ENH_RSA_AES_PROV ("Microsoft Enhanced RSA and AES Cryptographic Provider"), but on Windows XP that provider is registered only under its older "(Prototype)" name. The request therefore fails and USMT falls back to the default provider (MS_ENHANCED_PROV), which offers 3DES but not AES.
When running USMTUTILS.EXE /ec on a Windows XP computer, the following message is expected and does not indicate a broken installation:
Failed to acquire AES Encryption provider context (MS_ENH_RSA_AES_PROV). The following error occurred: The keyset is not defined.. Using default (MS_ENHANCED_PROV)
"The keyset is not defined" is CryptoAPI's NTE_KEYSET_NOT_DEF (0x80090019), which CryptAcquireContext returns when the named provider does not exist on the machine; USMT then continues with the default provider, so only the 3DES suites are usable.
When running SCANSTATE.EXE C:\store /auto /encrypt:AES /key:foobar on a Windows XP computer, the following error is expected:
Failed.
A Windows Win32 API error occurred.
Windows error 2148073480 description: invalid algorithm specified.
See the log file for more information.
Scanstate return code: 71
Decimal 2148073480 is HRESULT 0x80090008, NTE_BAD_ALGID: the requested cipher is not available from the provider USMT fell back to. On Windows XP, use /encrypt:3DES or /encrypt:3DES_112 instead, and pass the same value to /decrypt when running LoadState against that store.
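Putting the above together, here is an added example of a ScanState wrapper; it is not code from this article or from USMT. The commands and options it calls (usmtutils.exe /ec, scanstate.exe with /auto, /encrypt, /keyfile, /o and /l) are real USMT 4.0 syntax; the install path, store path, key-file location, ACL handling and error decoding are this script's own assumptions. It picks a cipher the source OS can actually use (3DES on Windows XP, AES_256 on Vista/7), keeps the passphrase off the command line by using /keyfile, and turns a "Windows error <decimal>" line from a failed run into its HRESULT.

```powershell
# Added example: a ScanState wrapper for USMT 4.0. Not part of the original
# article or of USMT; usmtutils.exe /ec, scanstate.exe and the options used
# below are real USMT 4.0 commands, everything else (paths, key handling,
# error decoding) is this script's own. Assumes USMT 4.0 (Windows AIK) under
# $UsmtDir and PowerShell 2.0 on the source machine, run from an elevated prompt.
param(
    [string]$UsmtDir  = 'C:\Program Files\Windows AIK\Tools\USMT\x86',  # placeholder
    [string]$StoreDir = 'C:\store',                                     # placeholder
    [string]$KeyFile  = "$env:TEMP\usmt.key"                            # placeholder
)

$usmtutils = Join-Path $UsmtDir 'usmtutils.exe'
$scanstate = Join-Path $UsmtDir 'scanstate.exe'
$log       = Join-Path $env:TEMP 'scanstate.log'

# 1. Pick a cipher this machine can really use. Windows XP (NT 5.x) cannot open
#    the AES provider USMT asks for, and usmtutils /ec says so with the
#    "Failed to acquire AES Encryption provider context" message quoted in the
#    article, so use 3DES there and AES_256 on Vista/7 (NT 6.x).
$ecOutput  = (& $usmtutils /ec 2>&1) | Out-String
$aesUsable = ([Environment]::OSVersion.Version.Major -ge 6) -and
             ($ecOutput -notmatch 'Failed to acquire AES Encryption provider context')
$cipher    = if ($aesUsable) { 'AES_256' } else { '3DES' }
Write-Host "Store cipher: $cipher"

# 2. Generate a random passphrase and pass it through /keyfile. A value given
#    with /key: shows up in process listings, scheduled-task definitions and
#    deployment logs; a key file with a tight ACL does not.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$passphrase = ([BitConverter]::ToString($bytes)) -replace '-', ''   # 64 hex characters
[System.IO.File]::WriteAllText($KeyFile, $passphrase, [System.Text.Encoding]::ASCII)

$acl = Get-Acl $KeyFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the %TEMP% ACL
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $KeyFile -AclObject $acl

# 3. Run ScanState. /auto selects the default MigDocs.xml and MigApp.xml;
#    /o overwrites any existing store under $StoreDir.
$output = (& $scanstate $StoreDir /auto "/encrypt:$cipher" "/keyfile:$KeyFile" /o "/l:$log" 2>&1) | Out-String
$rc = $LASTEXITCODE
Write-Host $output

if ($rc -eq 0) {
    Write-Host "Store written under $StoreDir with $cipher."
    Write-Host "Deliver $KeyFile to the LoadState side out of band; LoadState must use /decrypt:$cipher /keyfile:<that file>."
    exit 0
}

# 4. ScanState prints CryptoAPI/Win32 failures as "Windows error <decimal>"; the
#    decimal hides the facility code, so show the HRESULT in hex as well. The XP
#    failure quoted in the article, 2148073480, is 0x80090008 (NTE_BAD_ALGID).
if ($output -match 'Windows error (\d+)') {
    $hresult = '0x{0:X8}' -f [uint32]$matches[1]
    Write-Host "ScanState failed: return code $rc, Windows error $hresult. See $log."
} else {
    Write-Host "ScanState failed: return code $rc. See $log."
}
exit $rc
```

Run it from an elevated prompt on the source computer. On Windows XP the script selects 3DES, so the resulting store can only be opened with LoadState /decrypt:3DES on the destination; on Vista/7 it selects AES_256 and the destination must use /decrypt:AES_256. The key file is the only copy of the passphrase, so move it with the store by a channel separate from the store itself and delete the local copy once the migration has been loaded.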