Windows Credential Manager allows saving credentials (usernames and passwords) to access network resources, websites, and apps. With Windows Credential Manager, you can connect to remote resources automatically without entering your password. Apps can access Credential Manager themselves and use saved passwords.
Using Credential Manager to Store Passwords in Windows
The Credential Manager appeared in Windows 7 and is positioned as quite a safe place to keep your passwords.
The Credential Manager on Windows 10 can keep the following account types:
- Windows Credentials – credentials to log on Windows or to access remote computers, saved passwords for RDP connections, passwords for websites with the integrated Windows authentication support, etc;Windows Credential Manager does not store credentials for automatic login Windows or domain Cached Credentials.
- Certificate-Based Credentials – to authenticate using smart cards;
- Generic Credentials – are used by third-party apps compatible with the Credential Manager;
- Web Credentials – saved passwords in Edge and IE, Microsoft apps (MS Office, Teams, Outlook, Skype, etc.).
For example, if you enable the “Save Password” option when accessing a shared network folder, the password you enter will be saved in the Credential Manager.
In the same way, a password to connect to a remote RDP/RDS host is saved in the Remote Desktop Connection (mstsc.exe) client.
You can access the Credential Manager in Windows 10 from the classic Control Panel (Control Panel\User Accounts\Credential Manager).
As you can see, there are two passwords in the Credential Manager we saved earlier.
TERMSRV\hostname format. Here you can add a saved credential, edit it (you cannot view a saved password in the graphic interface), or delete any of the entries.
Also, you can use the classic interface of Stored User Names and Passwords, to manage saved passwords. To call it, run the command below:
rundll32.exe keymgr.dll,KRShowKeyMgr
Here you can also manage saved credentials, and it has some backup and restore features for the Credential Manager (you can use them to transfer a Credential Manager database to another computer).
The vaultcmd tool is used to manage the Credential Manager from the command prompt. For example, to display a list of saved Windows Credentials, run this command:
vaultcmd /listcreds:"Windows Credentials"
Credential schema: Windows Domain Password Credential Resource: Domain:target=mun-dc01 Identity: RESDOM\j.brion Hidden: No Roaming: No Property (schema element id,value): (100,3) Property (schema element id,value): (101,SspiPfAc)
The following command will delete all saved RDP passwords from the Credential Manager:
For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr "target=TERMSRV"') do cmdkey /delete %H
All saved passwords are stored in the Windows Vault. Windows Vault is a protected store to keep secrets, passwords, and other sensitive user information. In Windows Vault, data are structured and look like a set of entries that belong to a Vault scheme. The set of encryption keys for Windows Vault entries is stored in the Policy.vpol file.
For the domain users, it is located in %userprofile%\AppData\Roaming\Microsoft\Vault.
For the local users, you can find it in %userprofile%\AppData\Local\Microsoft\Vault.
The VaultSvc service must be running when using the Credential Manager:
Get-Service VaultSvc
If the service is disabled, you will see the following error when trying to access the Credential Manager:
Credential Manager Error The Credential Manager Service is not running. You can start the service manually using the Services snap-in or restart your computer to start the service. Error code: 0x800706B5 Error Message: The interface is unknown.
If you want to prevent users from saving network passwords in the Credential Manager, enable the Network access: Do not allow storage of passwords and credentials for network authentication GPO option under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
Then if a user tries to save the password to the Windows Vault store, they will see the following error:
Credential Manager Error Unable to save credentials. To save credentials in this vault, check your computer configuration. Error code: 0x80070520 Error Message: A specified logon session does not exist. It may already have been terminated.
Accessing Windows Credential Manager from PowerShell
Windows don’t have built-in cmdlets to access the PasswordVault store from PowerShell. But you can use the CredentialManager module from the PowerShell gallery.
Install the module:
Install-Module CredentialManager
You can display a list of cmdlets in the CredentialManager module:
Get-Command -module CredentialManager
The module has only 4 cmdlets:
Get-StoredCredential– to get credentials from the Windows Vault;Get-StrongPassword– to generate a random password;New-StoredCredential– to add credentials;Remove-StoredCredential– to remove credentials.
In order to add new credentials to the Windows Credential Manager, run this command:
New-StoredCredential -Target 'woshub' -Type Generic -UserName 'maxbak@woshub.com' -Password 'Pass321-b' -Persist 'LocalMachine'
To make sure if any saved user credentials exist in the Credential Manager:
Get-StoredCredential -Target woshub
You can use saved passwords from the Credential Manager in your PowerShell scripts. For example, I can get a saved name and password from the Windows Vault as a PSCredential object and connect to Exchange Online from PowerShell:
$psCred = Get-StoredCredential -Target "woshub"
Connect-MSolService -Credential $psCred
To remove credentials from Windows Vault, run this command:
Remove-StoredCredential -Target woshub
You cannot display passwords as plain text using built-in CLI tools. But, you can use Mimikatz-like utilities to get saved passwords from credman as plain text (see the example here).
12 comments
You can convert the credential object password to plaintext by using the following.
$cred = Get-StoredCredential -Target Test1
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))
You can get stored Credential Objects and Passwords by
Get-StoredCredential -AsCredentialObject
Where do you run this command at? Powershell or CMD line? I’ve tried it in both and does not return anything but errors.
Command Prompt returns this: “‘Get-StoredCredential’ is not recognized as an internal or external command,
operable program or batch file.”
Powershell returns this in deep red on black background “The term ‘Get StoredCredential’ is not recognized as the name of a mdlet, function, script file, or operable program. ….”
Okay, I’ve gone to the top of this article and installed the module.
The commands work, but the password characters are all tiny squares with dots in them.
Have you tried converting the credential object to a plain text password like this?
$cred =Get-StoredCredential -Target test2[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))
In my case, it gets the full plaintext password from the generic credential object.
Still no Passwords shown.
Any help?
Another fantastic article, as usual.
Extra thanks for mentioning the Microsoft SecretManagement and SecretStore modules. I had forgotten about those! Definitely prefer a first-party solution, and these appear to be well supported.
Thanks again!
You are welcome
as you have mentioned that the windows credentials are not visible in garphics interface. so can i see that password from command interface, if yes ! then how ?
Once stored, cred manage passwords are not displayed.
how?
This is so tantalizingly close to getting me what I need. I have an interactive application that needs to run as a specific user. If I allow Windows to save the entered credentials in Credential Manager when prompted on first run, it works. But I’m scripting the deployment of these workstations to be fully automated. If I (or someone else) has to manually type a password after deployment, it’s not fully automated, and I won’t be around to do this every time. So I’m trying to script it.
The issue is with the “target” value, which corresponds to both the display name and the “Internet or network address:” values displayed in Credential Manager. If I allow Windows to save this for me by manually going through the process of initially launching the program and typing the password, the “Target” and “Internet or network address:” values displayed in Credential Manager are in the format of “domain\username (Interactive logon)”. But if I use New-StoredCredential or cmdkey /add: to try to automate this, the target displayed in Credential Manager does not match that exact format. As a result, when I launch the program, it does not recognize/match to the stored credentials, and prompts for the password anyway. I get tripped up in CredentialManager either by the backslash in “domain\username”, or by the parentheses in “(Interactive logon)’. If I use cmdkey, I get tripped up by the spaces in the target name, even when single or double-quoted.
I keep thinking there MUST be a way to get this into credential manager in a programmatic way, but I can’t figure out the syntax on this one.
Anyone want to tackle this one?