
I'm troubleshooting cached credentials on Windows 7, specifically Smart Card logins, and I would like to know how I can find out which users currently have their credentials cached on the machine.

I have read "How are cached Windows credentials stored on the local machine?" and can see the HKLM/Security/cache registry keys, but they are just hash values.

MathewC
  • Take a look at the user profiles in System Properties. Any user profiles that exist for users that aren't currently logged in have cached credentials (in most cases). – joeqwerty Jun 17 '15 at 22:22
  • @joeqwerty You mean look at the [25 most recent profiles](https://support.microsoft.com/en-us/kb/172931)... Unless the system has been modified from the default number to cache. – jscott Jun 17 '15 at 23:31
  • @jscott: Right. That's why I said in most cases, but I should have provided more details (laziness got the better of me). I'm assuming there won't have been more than a handful of users that have logged in. I'm pretty sure the default is 10 though, not 25. – joeqwerty Jun 18 '15 at 00:03
  • The domain systems only allow for two accounts to have cached credentials. Smart card logins count separately, so I'm hoping to use this information to help troubleshoot how and when smart card credentials are being cached. – MathewC Jun 22 '15 at 13:45

1 Answer


I'm not sure that there is an officially supported technique or API for this.

One method of getting this info (be ready to trigger the antivirus software on your computer) would be to use Mimikatz.

mimikatz # lsadump::cache

Ryan Ries
  • I'm pretty sure it's not an official way ;) Do not forget to run it as SYSTEM, or as Administrator with: privilege::debug token::elevate then lsadump::cache – Gentil Kiwi Jun 18 '15 at 00:29
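
The profile heuristic from the comments on the question, as an added PowerShell example that is not part of the original thread: it reads the `CachedLogonsCount` limit and lists domain-account profiles on the machine by last use. It assumes an elevated prompt on the affected machine; a profile on disk is only a candidate, not proof that a cached credential entry exists for that account.

```powershell
# Added example (PowerShell 2.0 compatible, as shipped with Windows 7).
# Heuristic only: lists candidates for cached logons, newest first.

# Configured limit on cached domain logons (REG_SZ under Winlogon).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$limit = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
          -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $limit) { $limit = '(not set)' }
Write-Output "CachedLogonsCount: $limit"

# SID prefix of this machine's local accounts, used to drop local profiles
# so that only domain-account profiles remain.
$localSidPrefix = $null
$localAccount = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object -First 1
if ($localAccount) { $localSidPrefix = $localAccount.SID -replace '-\d+$', '' }

Get-WmiObject Win32_UserProfile |
    Where-Object {
        -not $_.Special -and
        $_.SID -like 'S-1-5-21-*' -and
        (-not $localSidPrefix -or $_.SID -notlike "${localSidPrefix}-*")
    } |
    ForEach-Object {
        # Resolve the SID to DOMAIN\user; this fails when the account was
        # deleted or no domain controller is reachable.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }

        # LastUseTime is a DMTF datetime string; convert it for sorting.
        $last = $null
        if ($_.LastUseTime) {
            $last = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime)
        }

        New-Object PSObject -Property @{
            Account = $name
            SID     = $_.SID
            Loaded  = $_.Loaded
            LastUse = $last
            Path    = $_.LocalPath
        }
    } |
    Sort-Object LastUse -Descending |
    Select-Object Account, SID, Loaded, LastUse, Path
```

If more profiles are listed than the configured limit allows, only the most recent logons can still have cache entries, which is the caveat raised in the comments.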