Windows Credential Manager allows saving credentials (usernames and passwords) to access network resources, websites, and apps. With Windows Credential Manager, you can connect to remote resources automatically without entering your password. Apps can access Credential Manager themselves and use saved passwords.
Using Credential Manager to Store Passwords in Windows
The Credential Manager appeared in Windows 7 and is positioned as quite a safe place to keep your passwords.
The Credential Manager on Windows 10 can keep the following account types:
- Windows Credentials – credentials used to log on to Windows or to access remote computers, saved passwords for RDP connections, passwords for websites that support integrated Windows authentication, etc.;
- Certificate-Based Credentials – used to authenticate with smart cards;
- Generic Credentials – used by third-party apps that are compatible with the Credential Manager;
- Web Credentials – passwords saved in Edge and IE and in Microsoft apps (MS Office, Teams, Outlook, Skype, etc.).
Note that Windows Credential Manager does not store the credentials used for Windows automatic logon, nor domain cached credentials.
For example, if you enable the “Save Password” option when accessing a shared network folder, the password you enter is saved in the Credential Manager.
In the same way, a password to connect to a remote RDP/RDS host is saved in the Remote Desktop Connection (mstsc.exe) client.
You can open the Credential Manager in Windows 10 from the classic Control Panel (Control Panel\User Accounts\Credential Manager).
As you can see, the two passwords we saved earlier are listed in the Credential Manager; saved RDP credentials use the TERMSRV\hostname target format. Here you can add a saved credential, edit it (the password itself cannot be viewed in the graphical interface), or delete any of the entries.
You can also use the classic Stored User Names and Passwords interface to manage saved passwords. To open it, run the following command:
rundll32.exe keymgr.dll,KRShowKeyMgr
Here you can also manage saved credentials, and this interface offers backup and restore features for the Credential Manager (you can use them to move a Credential Manager database to another computer).
The vaultcmd tool is used to manage the Credential Manager from the command prompt. For example, to display a list of saved Windows Credentials, run this command:
vaultcmd /listcreds:"Windows Credentials"
Credential schema: Windows Domain Password Credential
Resource: Domain:target=mun-dc01
Identity: RESDOM\j.brion
Hidden: No
Roaming: No
Property (schema element id,value): (100,3)
Property (schema element id,value): (101,SspiPfAc)
The following command will delete all saved RDP passwords from the Credential Manager:
For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr "target=TERMSRV"') do cmdkey /delete %H
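Added example (not from the original article): a PowerShell parser that turns the text output of cmdkey /list into objects, so the saved credentials on a host can be reviewed or exported instead of being filtered with findstr. It assumes cmdkey prints each entry as indented "Target:", "Type:" and "User:" lines, as it does on Windows 10/11; the sample output below is constructed, not captured from a real host.

```powershell
# Added example, not from the original article or any Microsoft tool.
# ASSUMPTION: "cmdkey /list" prints every entry as indented "Target:", "Type:"
# and "User:" lines, separated by blank lines (Windows 10/11 format).
function ConvertFrom-CmdkeyList {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^Target:\s*(.+)$') {
            if ($current) { $entries += $current }   # flush the previous entry
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = ''; IsRdp = $false }
        } elseif ($current -and $t -match '^Type:\s*(.+)$') {
            $current.Type = $Matches[1]
        } elseif ($current -and $t -match '^User:\s*(.+)$') {
            $current.User = $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    # Remote Desktop entries are recognisable by the TERMSRV/<host> target name
    foreach ($e in $entries) { $e.IsRdp = [bool]($e.Target -match 'TERMSRV[/\\]') }
    return $entries
}

# Constructed sample output (not captured from a real host) so the parser can be tried offline
$sample = @'
Currently stored credentials:

    Target: Domain:target=TERMSRV/srv-app01
    Type: Domain Password
    User: CORP\j.doe

    Target: LegacyGeneric:target=woshub
    Type: Generic
    User: user@example.com
'@ -split "`r?`n"

$creds = ConvertFrom-CmdkeyList -Lines $sample      # on a live host: -Lines (cmdkey /list)
$creds | Format-Table Target, Type, User, IsRdp -AutoSize
"Saved RDP credentials: {0}" -f @($creds | Where-Object IsRdp).Count
```

Reviewing the resulting objects before deleting anything avoids the blind delete loop above removing an entry that is still needed.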
All saved passwords are stored in the Windows Vault. Windows Vault is a protected store for secrets, passwords, and other sensitive user information. In Windows Vault, data is structured as a set of entries that belong to a Vault schema. The encryption keys for Windows Vault entries are stored in the Policy.vpol file.
For domain users, it is located in %userprofile%\AppData\Roaming\Microsoft\Vault.
For local users, you can find it in %userprofile%\AppData\Local\Microsoft\Vault.
The Credential Manager service (VaultSvc) must be running in order to use the Credential Manager. Check its state with:
Get-Service VaultSvc
If the service is disabled, you will see the following error when trying to access the Credential Manager:
Credential Manager Error
The Credential Manager Service is not running. You can start the service manually using the Services snap-in or restart your computer to start the service.
Error code: 0x800706B5
Error Message: The interface is unknown.
If you want to prevent users from saving network passwords in the Credential Manager, enable the “Network access: Do not allow storage of passwords and credentials for network authentication” GPO option under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
Then if a user tries to save the password to the Windows Vault store, they will see the following error:
Credential Manager Error
Unable to save credentials. To save credentials in this vault, check your computer configuration.
Error code: 0x80070520
Error Message: A specified logon session does not exist. It may already have been terminated.
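Added example (not from the original article): a small PowerShell check that reports both conditions described above on a host, i.e. whether VaultSvc is running and whether the “Do not allow storage of passwords and credentials for network authentication” policy is in effect. It relies on that policy being backed by the DisableDomainCreds DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example, not from the original article.
# The GPO "Network access: Do not allow storage of passwords and credentials for
# network authentication" sets DisableDomainCreds = 1 under the Lsa key.
function Test-CredentialManagerState {
    $svc = Get-Service -Name VaultSvc -ErrorAction Stop
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $policyOn = ($lsa.DisableDomainCreds -eq 1)

    # Map the host state to the error a user would see in the Credential Manager UI
    if ($svc.Status -ne 'Running') { $expected = '0x800706B5 (Credential Manager Service is not running)' }
    elseif ($policyOn)             { $expected = '0x80070520 (storage of credentials disallowed by policy)' }
    else                           { $expected = 'none' }

    [pscustomobject]@{
        ServiceStatus       = $svc.Status
        ServiceStartType    = $svc.StartType
        StorageBlockedByGPO = $policyOn
        ExpectedUserError   = $expected
    }
}

Test-CredentialManagerState | Format-List
```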
Accessing Windows Credential Manager from PowerShell
Windows does not have built-in cmdlets for accessing the PasswordVault store from PowerShell, but you can use the CredentialManager module from the PowerShell Gallery.
Install the module:
Install-Module CredentialManager
You can display a list of cmdlets in the CredentialManager module:
Get-Command -module CredentialManager
The module has only 4 cmdlets:
- Get-StoredCredential – get credentials from the Windows Vault;
- Get-StrongPassword – generate a random password;
- New-StoredCredential – add credentials;
- Remove-StoredCredential – remove credentials.
To add new credentials to the Windows Credential Manager, run this command:
New-StoredCredential -Target 'woshub' -Type Generic -UserName '[email protected]' -Password 'Pass321-b' -Persist 'LocalMachine'
To check whether the saved credentials exist in the Credential Manager:
Get-StoredCredential -Target woshub
You can use passwords saved in the Credential Manager in your PowerShell scripts. For example, I can get a saved user name and password from the Windows Vault as a PSCredential object and use it to connect to Exchange Online from PowerShell:
$psCred = Get-StoredCredential -Target "woshub"
Connect-MSolService -Credential $psCred
To remove credentials from Windows Vault, run this command:
Remove-StoredCredential -Target woshub
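Added example (not from the original article or the CredentialManager module): a helper for scripts that fetches a credential from the Credential Manager and, if it is not there yet, prompts for it once and stores it, so subsequent runs are non-interactive and no password is embedded in the script. It uses only the module parameters shown above, assumes Get-StoredCredential returns nothing when the target does not exist, and 'woshub-exo' is a made-up target name.

```powershell
# Added example, not from the original article or the CredentialManager module.
# ASSUMPTION: Get-StoredCredential returns $null for an unknown -Target.
function Get-ScriptCredential {
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$Persist = 'LocalMachine'     # same -Persist values as New-StoredCredential
    )
    $cred = Get-StoredCredential -Target $Target
    if ($cred) { return $cred }               # found: PSCredential, password stays a SecureString

    # First run on this machine/user: ask once and save it to the Windows Vault
    $cred = Get-Credential -Message "No saved credential for '$Target'. Enter it once to store it."
    if (-not $cred) { throw "No credential supplied for target '$Target'" }

    # New-StoredCredential takes the password as plain text; it is unwrapped only here, in memory
    New-StoredCredential -Target $Target -Type Generic -UserName $cred.UserName `
        -Password $cred.GetNetworkCredential().Password -Persist $Persist | Out-Null
    return $cred
}

# Same usage as in the article's Exchange Online example, without a password in the script
$psCred = Get-ScriptCredential -Target 'woshub-exo'
Connect-MsolService -Credential $psCred
```

Because the entry is bound to the user profile that created it, a scheduled task must run under that same account to find it.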
You cannot display saved passwords as plain text using the built-in CLI tools, but Mimikatz-like utilities can extract saved passwords from credman as plain text (see the example here).