Windows Vault

By Michael Pietroforte - Wed, June 2, 2010

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

Articles in this series

Stored Windows Passwords

Windows Vault, in Windows 7, is the new name for Stored User Names and Passwords in Vista and Windows XP. In this article, I will explain what kinds of passwords are stored in the Windows Vault, and in my next post I will describe how you can disable password caching.

Credential Manager

You can access the Windows Vault through the Credential Manager. The easiest way is to type “Credential Manager” in the Windows 7 Start Menu search prompt. You can also access the Credential Manager through the Control Panel: User Accounts -> User Accounts. The link to the Credential Manager can be found in the left navigation bar.

Stored User Names and Passwords

In Vista and Windows XP, to access Stored User Names and Passwords, you have to run “control userpasswords2” from the command prompt, then click on Advanced, and then on Manage Passwords. In Vista you can also launch the tool via the Control Panel: User Accounts -> User Accounts, and then click on “Manage your network passwords” in the left navigation bar.

Windows Vault storage location

Windows 7 stores the Windows Vault files in c:\users\[UserName]\AppData\Roaming\Microsoft\Credentials if the computer is an Active Directory domain member, and in c:\users\[UserName]\AppData\Local\Microsoft\Credentials. If you want to get rid of all your stored credentials you can simply delete the encrypted files in these locations.
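
A read-only inventory of the two storage locations named above, as an added example that is not part of the original article. The function name Get-VaultCredentialFile and the default profile root C:\Users are assumptions; run it elevated to see profiles other than your own.

```powershell
# Added example: list the encrypted credential files in every user profile.
# It only reads metadata (name, size, timestamp) and deletes nothing.
function Get-VaultCredentialFile {
    param(
        [string]$UsersRoot = 'C:\Users'   # assumption: default profile root
    )

    # The two per-user locations named in the article.
    $relativePaths = @(
        'AppData\Roaming\Microsoft\Credentials',
        'AppData\Local\Microsoft\Credentials'
    )

    # Skip junctions such as "All Users" and "Default User" (reparse points).
    $profiles = Get-ChildItem -Path $UsersRoot -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSIsContainer -and
            -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
        }

    foreach ($userDir in $profiles) {
        foreach ($rel in $relativePaths) {
            $dir = Join-Path $userDir.FullName $rel
            if (-not (Test-Path -LiteralPath $dir)) { continue }

            # The credential files are hidden system files, so -Force is required.
            Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        User        = $userDir.Name
                        Store       = $rel.Split('\')[1]   # Roaming or Local
                        File        = $_.Name
                        SizeBytes   = $_.Length
                        LastWritten = $_.LastWriteTime
                    }
                }
        }
    }
}

# One row per stored credential file, oldest first within each profile.
Get-VaultCredentialFile |
    Sort-Object User, Store, LastWritten |
    Select-Object User, Store, File, SizeBytes, LastWritten |
    Format-Table -AutoSize
```

Old LastWritten values point to credentials that were saved long ago and may no longer be needed.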

New features in Windows 7

With Vista, Microsoft introduced a new backup feature that allows you to save your stored passwords to a .crd file. New in Windows 7 are the terms “Windows Vault” for the password storage and “Credential Manager” for the user interface.

Stored credentials in Windows Vault

The Credential Manager in Windows now separates the three password types that Windows stores for network connections: Windows Credentials, Certificate-Based Credentials, and Generic Credentials.

Windows Credentials are user names and passwords used to log on to network shares, websites (Windows Integrated Authentication), and Remote Desktop Connections (Terminal Server). Certificate-Based Credentials are for smart cards, and Generic Credentials are for third-party applications that manage authorization without using the credentials of the logged-on account.

What these credentials have in common is that they can be stored in the Windows Vault to allow you to automatically log on to a remote site without being prompted to provide a user name and password.

However, the Windows Vault doesn’t store all the credentials that can be cached by Windows. For example, the cached domain logon password hash, which I discussed in my last article, is not stored in the Windows Vault. Nor does the Windows Vault save the passwords of the Internet Explorer autocomplete feature (topic of another post).

In my next article, I will discuss the security risks of stored Windows passwords and how you can disable Windows password caching.


4 Comments

  1. anonymous says:

    In XP, Credential Manager syntax accepts the \* syntax which allowed users to wildcard all passwords in a domain so you could connect to any resource in the domain using the stored credential set. This no longer works in Vista. You either have to specify the full server Fully Qualified Domain Name (FQDN) or create entries for NetBIOS-named servers. Windows 7 Vault accepts the old syntax again. Shows how Vista was broken in many places.

  2. I have read about this wildcard syntax, but this never worked for me in XP. Could you specify the syntax in more detail?

  3. Cyrus Ho says:

    For example:
    svr01.company.com

    Then you may use:
    *.company.com

  4. Shining says:

    I can see my ID and password in manage your credentials, but when opening a new website, it still needs me to input the password.
    Can you please help resolve this.
    Windows 7.
