Firstly, let's be more explicit about "data loss":
- if you do nothing before calling CryptProtectData with the
CRYPTPROTECT_CRED_REGENERATE flag, then any data already encrypted in
LocalSystem context WILL be irretrievable
- I'm not familiar with the CRYPTPROTECT_CRED_REGENERATE flag, but I
gather that it wipes out existing keys (DPAPI Master Key, RSA
keypairs) and generates new ones
- unless you do something special beforehand, therefore, all
previously-encrypted data will be encrypted with keys that no longer
exist
MSDN documents the much more common behaviours of DPAPI. In fact,
I've never encountered any recommended uses for the
CRYPTPROTECT_CRED_REGENERATE flag before, so I gather that no existing
applications use this flag under any known circumstances.

Yes, MSDN documents "regular" master key refresh, where the older
Master Key is encrypted with the new Master Key, so that all previous
Master Keys are (a) preserved and (b) transparently recoverable (DPAPI
will decrypt as many of the previous Master Keys in the chain as it
needs to be able to decrypt existing RSA private keys).

The only circumstances under which you should expect to lose the
ability to decrypt "machine-encrypted data" would be if (a) the
machine's profile is wiped out (e.g. reinstall the OS), (b) critical
files where these keys are stored are corrupted (e.g. disk corruption)
or (c) the SYSKEY becomes corrupted or unrecoverable on your system.

Mike
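The "something special beforehand" that the reply describes, as an added example that is not part of the original post: decrypt every machine-scope blob you hold while the current keys still exist, then re-protect and verify each one once the new keys are in place. It uses .NET's ProtectedData wrapper over CryptProtectData/CryptUnprotectData with the LocalMachine scope; the blob store, the entropy value and the sample secret are constructed for the demonstration, and the regeneration call itself is left as a placeholder comment.

```powershell
# Added example (not from the original post): migrate machine-scope DPAPI
# blobs across a key regeneration so none stay bound to keys that will
# no longer exist. $BlobStore is an assumed hashtable of name -> byte[].
Add-Type -AssemblyName System.Security
$scope   = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')  # constructed

function Protect-MachineSecret {
    param([byte[]]$Plain)
    ,[System.Security.Cryptography.ProtectedData]::Protect($Plain, $entropy, $scope)
}

function Unprotect-MachineSecret {
    param([byte[]]$Blob)
    ,[System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $entropy, $scope)
}

# Step 1: BEFORE regeneration, decrypt everything with the current keys.
# A blob that already fails here is lost whatever happens next, so stop
# now rather than discovering it after the old keys are gone.
function Export-BlobsBeforeRegenerate {
    param([hashtable]$BlobStore)
    $plaintexts = @{}
    foreach ($name in $BlobStore.Keys) {
        try { $plaintexts[$name] = Unprotect-MachineSecret $BlobStore[$name] }
        catch { throw "Cannot decrypt '$name' with the current machine keys: $($_.Exception.Message)" }
    }
    return $plaintexts
}

# Step 2: AFTER the new keys exist, re-protect and verify each round trip
# before the old blobs are discarded.
function Import-BlobsAfterRegenerate {
    param([hashtable]$Plaintexts)
    $newStore = @{}
    foreach ($name in $Plaintexts.Keys) {
        $blob  = Protect-MachineSecret $Plaintexts[$name]
        $check = Unprotect-MachineSecret $blob
        if ([Convert]::ToBase64String([byte[]]$check) -ne [Convert]::ToBase64String([byte[]]$Plaintexts[$name])) {
            throw "Round-trip verification failed for '$name'"
        }
        $newStore[$name] = $blob
    }
    return $newStore
}

# Constructed demonstration: one secret protected under the current keys.
$store = @{ 'db-password' = Protect-MachineSecret ([System.Text.Encoding]::UTF8.GetBytes('s3cret')) }
$plain = Export-BlobsBeforeRegenerate $store
# ... trigger the regeneration here (CryptProtectData with CRYPTPROTECT_CRED_REGENERATE) ...
$store = Import-BlobsAfterRegenerate $plain
```

Keep the exported plaintexts only in memory for the duration of the migration and clear them once the new blobs verify; they are the one copy that survives the key change.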