Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows 10 / Managing Saved Passwords Using Windows Credential Manager

August 18, 2021 PowerShellWindows 10Windows Server 2019

Managing Saved Passwords Using Windows Credential Manager

Windows Credential Manager allows saving credentials (usernames and passwords) to access network resources, websites, and apps. With Windows Credential Manager, you can connect to remote resources automatically without entering your password. Apps can access Credential Manager themselves and use saved passwords.

Contents:
  • Using Credential Manager to Store Passwords in Windows
  • Accessing Windows Credential Manager from PowerShell

Using Credential Manager to Store Passwords in Windows

The Credential Manager appeared in Windows 7 and is positioned as quite a safe place to keep your passwords.

The Credential Manager on Windows 10 can keep the following account types:

  • Windows Credentials – credentials to log on Windows or to access remote computers, saved passwords for RDP connections, passwords for websites with the integrated Windows authentication support, etc;
    Windows Credential Manager does not store credentials for automatic login Windows or domain Cached Credentials.
  • Certificate-Based Credentials – to authenticate using smart cards;
  • Generic Credentials – are used by third-party apps compatible with the Credential Manager;
  • Web Credentials – saved passwords in Edge and IE, Microsoft apps (MS Office, Teams, Outlook, Skype, etc.).

For example, if you enable the “Save Password” option when accessing a shared network folder, the password you enter will be saved in the Credential Manager.

save credentials to access network shared in windows credential manager

In the same way, a password to connect to a remote RDP/RDS host is saved in the Remote Desktop Connection (mstsc.exe) client.

save RDP password to Windows Credential Manager

Also, the Credential Manager keeps user passwords if they are saved using the runas /savecred command.

You can access the Credential Manager in Windows 10 from the classic Control Panel (Control Panel\User Accounts\Credential Manager).

As you can see, there are two passwords in the Credential Manager we saved earlier.

list saved credential in windows

A saved password for an RDP connection is specified in the TERMSRV\hostname format.

Here you can add a saved credential, edit it (you cannot view a saved password in the graphic interface), or delete any of the entries.

Also, you can use the classic interface of Stored User Names and Passwords, to manage saved passwords. To call it, run the command below:

rundll32.exe keymgr.dll,KRShowKeyMgr

Stored User Names and Passwords on Windows 10

Here you can also manage saved credentials, and it has some backup and restore features for the Credential Manager (you can use them to transfer a Credential Manager database to another computer).

The vaultcmd tool is used to manage the Credential Manager from the command prompt. For example, to display a list of saved Windows Credentials, run this command:

vaultcmd /listcreds:"Windows Credentials"

vaultcmd - manage saved windows credentials command prompt

Credential schema: Windows Domain Password Credential
Resource: Domain:target=mun-dc01
Identity: RESDOM\j.brion
Hidden: No
Roaming: No
Property (schema element id,value): (100,3)
Property (schema element id,value): (101,SspiPfAc)

The following command will delete all saved RDP passwords from the Credential Manager:

For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr "target=TERMSRV"') do cmdkey /delete %H

All saved passwords are stored in the Windows Vault. Windows Vault is a protected store to keep secrets, passwords, and other sensitive user information. In Windows Vault, data are structured and look like a set of entries that belong to a Vault scheme. The set of encryption keys for Windows Vault entries is stored in the Policy.vpol file.

For the domain users, it is located in %userprofile%\AppData\Roaming\Microsoft\Vault.

For the local users, you can find it in %userprofile%\AppData\Local\Microsoft\Vault.

Policy.vpol - Windows Vault Policy File

The VaultSvc service must be running when using the Credential Manager:

Get-Service VaultSvc

If the service is disabled, you will see the following error when trying to access the Credential Manager:

Credential Manager Error
The Credential Manager Service is not running. You can start the service manually using the Services snap-in or restart your computer to start the service.
Error code: 0x800706B5
Error Message: The interface is unknown.

If you want to prevent users from saving network passwords in the Credential Manager, enable the Network access: Do not allow storage of passwords and credentials for network authentication GPO option under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

GPO: Network access: Do not allow storage of passwords and credentials for network authentication

Then if a user tries to save the password to the Windows Vault store, they will see the following error:

Credential Manager Error
Unable to save credentials. To save credentials in this vault, check your computer configuration.
Error code: 0x80070520
Error Message: A specified logon session does not exist. It may already have been terminated.

Accessing Windows Credential Manager from PowerShell

Windows don’t have built-in cmdlets to access the PasswordVault store from PowerShell. But you can use the CredentialManager module from the PowerShell gallery.

Install the module:

Install-Module CredentialManager

You can display a list of cmdlets in the CredentialManager module:

Get-Command -module CredentialManager

CredentialManager powershell module

The module has only 4 cmdlets:

  • Get-StoredCredential – to get credentials from the Windows Vault;
  • Get-StrongPassword – to generate a random password;
  • New-StoredCredential – to add credentials;
  • Remove-StoredCredential – to remove credentials.

In order to add new credentials to the Windows Credential Manager, run this command:

New-StoredCredential -Target 'woshub' -Type Generic -UserName '[email protected]' -Password 'Pass321-b' -Persist 'LocalMachine'

Create a credential object for PowerShell automation using New-StoredCredential

To make sure if any saved user credentials exist in the Credential Manager:

Get-StoredCredential -Target woshub

You can use saved passwords from the Credential Manager in your PowerShell scripts. For example, I can get a saved name and password from the Windows Vault as a PSCredential object and connect to Exchange Online from PowerShell:

$psCred = Get-StoredCredential -Target "woshub"
Connect-MSolService -Credential $psCred

Also, note a new PowerShell Secret Management module you can use to securely store passwords in Windows. It supports a number of password vaults: KeePass, LastPass, HashiCorp Vault, Azure Key Vault, Bitwarden.

To remove credentials from Windows Vault, run this command:

Remove-StoredCredential -Target woshub

You cannot display passwords as plain text using built-in CLI tools. But, you can use Mimikatz-like utilities to get saved passwords from  credman as plain text (see the example here).

12 comments
5
Facebook Twitter Google + Pinterest
previous post
Kill a Windows Service That Stucks on Stopping or Starting
next post
PowerShell: Get Folder Sizes on Disk in Windows

Related Reading

How to Use Ansible to Manage Windows Machines

September 25, 2023

Installing Language Pack in Windows 10/11 with PowerShell

September 15, 2023

Configure Email Forwarding for Mailbox on Exchange Server/Microsoft...

September 14, 2023

How to View and Change BIOS (UEFI) Settings...

September 13, 2023

How to Create UEFI Bootable USB Drive to...

September 11, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • How to Use Ansible to Manage Windows Machines

    September 25, 2023
  • Installing Language Pack in Windows 10/11 with PowerShell

    September 15, 2023
  • Configure Email Forwarding for Mailbox on Exchange Server/Microsoft 365

    September 14, 2023
  • How to View and Change BIOS (UEFI) Settings with PowerShell

    September 13, 2023
  • How to Create UEFI Bootable USB Drive to Install Windows

    September 11, 2023
  • Redirect HTTP to HTTPS in IIS (Windows Server)

    September 7, 2023
  • Add an Additional Domain Controller to an Existing AD Domain

    September 6, 2023
  • How to Install an SSL Certificate on IIS (Windows Server)

    September 5, 2023
  • Managing Windows Firewall Rules with PowerShell

    August 31, 2023
  • Fixing ‘The Network Path Was Not Found’ 0x80070035 Error Code on Windows

    August 30, 2023

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Configuring Port Forwarding in Windows
  • Manage Windows Updates with PSWindowsUpdate PowerShell Module
  • Start Menu or Taskbar Search Not Working in Windows 10/11
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Adding Drivers into VMWare ESXi Installation Image
  • How to Hide Installed Programs in Windows 10 and 11
  • Configuring SFTP (SSH FTP) Server on Windows
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top