Windows Vault, in Windows 7, is the new name for Stored User Names and Passwords in Vista and Windows XP. In this article, I will explain what kinds of passwords are stored in the Windows Vault and in my next post I will describe how you can disable password caching.
Credential Manager ^
You can access the Windows Vault through the Credential Manager. The easiest way is by just typing “Credential Manager” in the Windows 7 Start Menu search prompt. You can also access the Credential Manager through the Control Panel: -> User Accounts -> User Accounts. The link to the Credential Manager can be found in the left navigation bar.
Stored User Names and Passwords ^
In Vista and Windows XP, to access Stored Usernames and Passwords, you have to run “control userpasswords2” from the command prompt, then click on Advanced, and then on Manage Passwords. In Vista you can also launch the tool via the Control Panel: User Accounts -> User Accounts, and then click on “Manage your network passwords” in the left navigation bar.
Windows Vault storage location ^
Windows 7 stores the Windows Vault files in c:\users\[UserName]\AppData\Roaming\Microsoft\Credentials if the computer is an Active Directory domain member, and in c:\users\[UserName]\AppData\Local\Microsoft\Credentials. If you want to get rid of all your stored credentials you can simply delete the encrypted files in these locations.
New features in Windows 7 ^
With Vista, Microsoft introduced a new backup feature that allows you to save your stored password to a .crd file. New in Windows 7 is the term “Windows Vault”, for the password storage, and “Credential Manager”, the user interface.
Stored credentials in Windows Vault ^
The Credential Manager in Windows now separates the three password types that Windows stores for network connections: Windows Credentials, Certificate-Based Credentials, and Generic Credentials.
Windows Credentials are user names and passwords used to log on to network shares, websites (Windows Integrated Authentication), and Remote Desktop Connections (Terminal Server). Certificate-Based Credentials are for smart cards, and Generic Credentials are for third party applications that manage authorization without using the credentials of the logged on account.
What these credentials have in common is that they can be stored in the Windows Vault to allow you to automatically log on to a remote site without being prompted to provide a user name and password.
However, the Windows Vault doesn’t store all the credentials that can be cached by Windows. For example, the cache domain logon password hash, which I discussed in my last article, is not stored in the Windows Vault. Neither does the Windows Vault save the passwords of the Internet Explorer autocomplete feature (topic of another post).
In my next article, I will discuss the security risks of stored Windows passwords and how you can disable Windows password caching.