5

I want to clear a users stored credentials on a remote machine. Without having to have the user login and open the Cred manager GUI or run CMDKEY with them logged in.

Is there a place on the file system under the user's profile with the stored creds? Can I just delete them off the file system that way to clear the cached creds of another user?

red888
  • 4,069
  • 16
  • 58
  • 104

1 Answers1

11

Have a look at vaultcmd.exe:

vaultcmd

There are my credential vaults on the file system.

But I am not sure whether it's supported to just delete the vault from the file system, or if it'll leave the user's credential vault in a broken state. Also have a look at vaultcmd /deletecreds:

vaultcmd /deletecreds:"Web Credentials" /credtype:{3CCD5499-87A8-4B10-A215-608888DD3B55} /identity:TestCred /resource:Server /sid:<package sid>

For whatever reason, the feature set was reduced in Windows 8 and onwards. On Windows 7, you could load and unload external vault files. But they took that ability away in current versions of Windows.

Here's an article that alludes to some of the credential vault API functions that could get you started on something that could load the vault, delete the creds from it, then unload the vault, since just deleting the files off the disk seems kind of crude. But maybe that's the answer.

Other places to look:

C:\Users\<user>\AppData\Roaming\Microsoft\Credentials C:\Users\<user>\AppData\Local\Microsoft\Credentials

There are files in there too, but I'm not really sure how they relate to the vault location described above. Just going to have to test it out for yourself.

Ryan Ries
  • 55,011
  • 9
  • 138
  • 197
  • Hmm read that article, but one thing I'm confused about, will running vaultcmd.exe /list show me the cached creds of all users on the machine or just the logged on user? – red888 Apr 17 '16 at 19:26
  • Just your own as far as I can tell. Try wiping out the files with the test user logged off, then log back in with the test user and see that they can still save new credentials. – Ryan Ries Apr 17 '16 at 19:41