Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows 10 / Managing Saved Passwords Using Windows Credential Manager

August 9, 2021 PowerShellWindows 10Windows Server 2019

Managing Saved Passwords Using Windows Credential Manager

Windows Credential Manager allows saving credentials (usernames and passwords) to access network resources, websites, and apps. With Windows Credential Manager, you can connect to remote resources automatically without entering your password. Apps can access Credential Manager themselves and use saved passwords.

Contents:
  • Using Credential Manager to Store Passwords in Windows
  • Accessing Windows Credential Manager from PowerShell

Using Credential Manager to Store Passwords in Windows

The Credential Manager appeared in Windows 7 and is positioned as quite a safe place to keep your passwords.

The Credential Manager on Windows 10 can keep the following account types:

  • Windows Credentials – credentials to log on Windows or to access remote computers, saved passwords for RDP connections, passwords for websites with the integrated Windows authentication support, etc;
    Windows Credential Manager does not store credentials for automatic login Windows or domain Cached Credentials.
  • Certificate-Based Credentials – to authenticate using smart cards;
  • Generic Credentials – are used by third-party apps compatible with the Credential Manager;
  • Web Credentials – saved passwords in Edge and IE, Microsoft apps (MS Office, Teams, Outlook, Skype, etc.).

For example, if you enable the “Save Password” option when accessing a shared network folder, the password you enter will be saved in the Credential Manager.

save credentials to access network shared in windows credential manager

In the same way, a password to connect to a remote RDP/RDS host is saved in the Remote Desktop Connection (mstsc.exe) client.

save RDP password to Windows Credential Manager

Also, the Credential Manager keeps user passwords if they are saved using the runas /savecred command.

You can access the Credential Manager in Windows 10 from the classic Control Panel (Control Panel\User Accounts\Credential Manager).

As you can see, there are two passwords in the Credential Manager we saved earlier.

list saved credential in windows

A saved password for an RDP connection is specified in the TERMSRV\hostname format.

Here you can add a saved credential, edit it (you cannot view a saved password in the graphic interface), or delete any of the entries.

Also, you can use the classic interface of Stored User Names and Passwords, to manage saved passwords. To call it, run the command below:

rundll32.exe keymgr.dll,KRShowKeyMgr

Stored User Names and Passwords on Windows 10

Here you can also manage saved credentials, and it has some backup and restore features for the Credential Manager (you can use them to transfer a Credential Manager database to another computer).

The vaultcmd tool is used to manage the Credential Manager from the command prompt. For example, to display a list of saved Windows Credentials, run this command:

vaultcmd /listcreds:"Windows Credentials"

vaultcmd - manage saved windows credentials command prompt

Credential schema: Windows Domain Password Credential
Resource: Domain:target=mun-dc01
Identity: RESDOM\j.brion
Hidden: No
Roaming: No
Property (schema element id,value): (100,3)
Property (schema element id,value): (101,SspiPfAc)

The following command will delete all saved RDP passwords from the Credential Manager:

For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr "target=TERMSRV"') do cmdkey /delete %H

All saved passwords are stored in the Windows Vault. Windows Vault is a protected store to keep secrets, passwords, and other sensitive user information. In Windows Vault, data are structured and look like a set of entries that belong to a Vault scheme. The set of encryption keys for Windows Vault entries is stored in the Policy.vpol file.

For the domain users, it is located in %userprofile%\AppData\Roaming\Microsoft\Vault.

For the local users, you can find it in %userprofile%\AppData\Local\Microsoft\Vault.

Policy.vpol - Windows Vault Policy File

The VaultSvc service must be running when using the Credential Manager:

Get-Service VaultSvc

If the service is disabled, you will see the following error when trying to access the Credential Manager:

Credential Manager Error
The Credential Manager Service is not running. You can start the service manually using the Services snap-in or restart your computer to start the service.
Error code: 0x800706B5
Error Message: The interface is unknown.

If you want to prevent users from saving network passwords in the Credential Manager, enable the Network access: Do not allow storage of passwords and credentials for network authentication GPO option under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

GPO: Network access: Do not allow storage of passwords and credentials for network authentication

Then if a user tries to save the password to the Windows Vault store, they will see the following error:

Credential Manager Error
Unable to save credentials. To save credentials in this vault, check your computer configuration.
Error code: 0x80070520
Error Message: A specified logon session does not exist. It may already have been terminated.

Accessing Windows Credential Manager from PowerShell

Windows don’t have built-in cmdlets to access the PasswordVault store from PowerShell. But you can use the CredentialManager module from the PowerShell gallery.

Install the module:

Install-Module CredentialManager

You can display a list of cmdlets in the CredentialManager module:

Get-Command -module CredentialManager

CredentialManager powershell module

The module has only 4 cmdlets:

  • Get-StoredCredential – to get credentials from the Windows Vault;
  • Get-StrongPassword – to generate a random password;
  • New-StoredCredential – to add credentials;
  • Remove-StoredCredential – to remove credentials.

In order to add new credentials to the Windows Credential Manager, run this command:

New-StoredCredential -Target 'woshub' -Type Generic -UserName 'maxbak@woshub.com' -Password 'Pass321-b' -Persist 'LocalMachine'

Create a credential object for PowerShell automation using New-StoredCredential

To make sure if any saved user credentials exist in the Credential Manager:

Get-StoredCredential -Target woshub

You can use saved passwords from the Credential Manager in your PowerShell scripts. For example, I can get a saved name and password from the Windows Vault as a PSCredential object and connect to Exchange Online from PowerShell:

$psCred = Get-StoredCredential -Target "woshub"
Connect-MSolService -Credential $psCred

Also, note a new PowerShell Secret Management module you can use to securely store passwords in Windows. It supports a number of password vaults: KeePass, LastPass, HashiCorp Vault, Azure Key Vault, Bitwarden.

To remove credentials from Windows Vault, run this command:

Remove-StoredCredential -Target woshub

You cannot display passwords as plain text using built-in CLI tools. But, you can use Mimikatz-like utilities to get saved passwords from  credman as plain text (see the example here).

8 comments
5
Facebook Twitter Google + Pinterest
previous post
Kill a Windows Service That Stucks on Stopping or Starting
next post
PowerShell: Get Folder Sizes on Disk in Windows

Related Reading

Configure User’s Folder Redirection with Group Policy

February 3, 2023

Disable Built-in PDF Viewer in Microsoft Edge

February 3, 2023

Join a Windows Computer to an Active Directory...

February 2, 2023

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

8 comments

Eric October 16, 2021 - 5:07 pm

You can convert the credential object password to plaintext by using the following.

$cred = Get-StoredCredential -Target Test1
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))

Reply
Oleg November 11, 2021 - 8:45 am

You can get stored Credential Objects and Passwords by
Get-StoredCredential -AsCredentialObject

Reply
Ian June 25, 2022 - 12:55 pm

Still no Passwords shown.
Any help?

Reply
Hectic Charmander October 15, 2022 - 8:29 am

Another fantastic article, as usual.

Extra thanks for mentioning the Microsoft SecretManagement and SecretStore modules. I had forgotten about those! Definitely prefer a first-party solution, and these appear to be well supported.

Thanks again!

Reply
admin October 16, 2022 - 5:43 am

You are welcome

Reply
avi October 19, 2022 - 12:09 pm

as you have mentioned that the windows credentials are not visible in garphics interface. so can i see that password from command interface, if yes ! then how ?

Reply
admin October 21, 2022 - 12:46 pm

Once stored, cred manage passwords are not displayed.

Reply
jayson December 11, 2022 - 10:24 am

how?

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configure User’s Folder Redirection with Group Policy

    February 3, 2023
  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configuring Port Forwarding in Windows
  • Installing RSAT Administration Tools on Windows 10 and 11
  • Manage Windows Updates with PSWindowsUpdate PowerShell Module
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Start Menu or Taskbar Search Not Working in Windows 10/11
  • How to Hide Installed Programs in Windows 10 and 11?
  • Adding Drivers into VMWare ESXi Installation Image
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top