Home About   

Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 

 Windows OS Hub / Windows 10 / Using Credential Manager on Windows: Ultimate Guide

March 15, 2024 PowerShell Windows 10 Windows 11 Windows Server 2019

Using Credential Manager on Windows: Ultimate Guide CATEGORIES

Windows Credential Manager allows you to securely store credentials (usernames and passwords) used to access
network resources, websites, and apps. You can use the credentials stored in Credential Manager to connect to network  Active Directory
resources that support Windows authentication (NTLM or Kerberos), certificate-based authentication, or basic authentication
without entering a password.  Group Policies

 Exchange Server

Contents:
 Microsoft 365

How to Open Credential Manager on Windows

 Azure
Manage User Credentials on Windows with CMD

Accessing Windows Credential Manager from PowerShell  Windows 11

How to Extract Saved Passwords from Windows Credential Manager

 Windows 10

 Windows Server 2022

How to Open Credential Manager on Windows  Windows Server 2019

Credential Manager is built into Windows and allows you to securely store the following types of credentials:
 Windows Server 2016

Windows Credentials – credentials to access resources that support Windows authentication (NTLM or Kerberos).
 PowerShell
This could be credentials for mapping network drives or shared SMB folders, NAS devices, saved passwords for RDP
connections, passwords for sites that support Windows authentication, etc;
 VMWare

Windows Credential Manager does not store credentials for automatic login Windows or cached domain
 Hyper-V
credentials.

 Linux

Certificate-Based Credentials – to access resources using certificates (from the Personal section of the Certificate
 MS Office
Manager) and for smart cards;

Generic Credentials – credentials for accessing third-party apps that are compatible with Credential Manager and
support Basic authentication;
RECENT POSTS
Web Credentials – saved passwords in Edge and Internet Explorer browsers, Microsoft apps (MS Office, Teams,
Outlook, Skype, etc.).

How to Read Outlook

For example, if you enable the Save Password option when accessing a shared network folder, the password you enter will be
Emails with PowerShell
saved in the Credential Manager.
April 24, 2024

Hide Library and Special

Folders from File Explorer
on Windows
April 19, 2024

Installing Windows 11
without Network and
Internet Connection
April 18, 2024

Set up SSH Key-Based

Authentication on VMware
Similarly, CredManager will store an RDP host connection password that you have saved in the Remote Desktop Connection ESXi
client ( mstsc.exe ). April 11, 2024

Prevent Server Manager

from Starting at Logon on
Windows Server
April 11, 2024


 How to Enable and
Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud
Configure Linux
Wake-on-LAN
 
(WoL) in Windows
April 1, 2024

Monitoring Website SSL/TLS

Certificate Expiration with
Zabbix
March 21, 2024

Fix: Remote Desktop (RDP)

Session Freezes
(Disconnects) on Windows
March 18, 2024

How to Create, Delete, and

Manage System Restore
Points on Windows 10/11
March 14, 2024

The Credential Manager also stores user passwords that were added with the runas /savecred command and used

to run programs as a different user. Upgrading to Windows 11

on Unsupported Hardware
March 6, 2024
You can access Credential Manager in Windows 10 and 11:

from the classic Control Panel ( Control Panel\User Accounts\Credential Manager );

from the command line: control /name Microsoft.CredentialManager

FOLLOW US

As you can see, there are two passwords in the Credential Manager that we saved earlier.

Your email address:

SUBSCRIBE

The saved passwords for the RDP connections are specified in the format TERMSRV\hostname .

Here you can add a saved credential, edit it (you cannot view a saved password in the graphic interface), or delete any of the
entries.

In addition, you can use the classic interface of Stored User Names and Passwords to manage saved credentials on
Windows. Open in with the command below:

rundll32.exe keymgr.dll,KRShowKeyMgr


 Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 

Here you can also manage your saved credentials, and backups or restores of entries in the Credential Manager (this feature
can be used to move the stored credentials database to another computer).

Manage User Credentials on Windows with CMD

You can add, remove, and view saved credentials in Credential Manager from the command prompt using the cmdkey tool.

Add new credentials to access the FS01 file server:

cmdkey /add:FS01 /user:w.brandt /pass:Pa2sw0rd11

If you need to save the credentials for a domain user account:

cmdkey /add:fs01.woshub.local /user:[email protected] /pass:Pa2sw0rd11

Save the credentials for connecting to the RDP (RDS) host:

cmdkey /generic:termsrv/MUNRDS1 /user:w.brandt /pass:Pa2sw0rd11

To access a shared folder anonymously, you need to add a guest account without a password to Credential

Manager:

cmdkey /add:192.168.100.25 /user:guest

To manage the hypervisor remotely from the Hyper-V Manager console, you must save the Hyper-V administrator
password:

cmdkey /add:hv19 /user:Administrator /pass:HypVpaSS22

List saved credentials:

cmdkey /list

List saved credentials for a specific computer:

cmdkey /list:fs01.woshub.local

Delete previously saved credentials:

cmdkey /delete:FS01

Remove any RDP passwords stored in the Credential Manager:

For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr "target=TERMSRV"') do cmdkey /delete %H

Clear all stored passwords in Credential Manager with the following on-liner:
Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 
for /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr Target') do cmdkey /delete %H

This command allows you to quickly delete old stored passwords that can cause a user account to be permanently

locked out in AD.

You can also manage stored credentials with vaultcmd command. List the stored credentials of type Windows Credentials:
vaultcmd /listcreds:"Windows Credentials"

All saved passwords are stored in the secure Windows Vault. You can get the path to the Windows Credentials vault as
follows:

vaultcmd /list

By default, this is %userprofile%\AppData\Local\Microsoft\Vault . The encryption key is stored in the Policy.vpol file.
Passwords in .vcrd files are decrypted using the encryption key.

The VaultSvc service must be running for the Credential Manager to work:

Get-Service VaultSvc

If the service is disabled, you will receive an error when you try to access Credential Manager:

Credential Manager Error

The Credential Manager Service is not running. You can start the service manually using the Servi
ces snap-in or restart your computer to start the service.
Error code: 0x800706B5
Error Message: The interface is unknown.

If you want to prevent users from saving network passwords in the Credential Manager, enable the Network access: Do
not allow storage of passwords and credentials for network authentication GPO option under Computer
Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

If the user attempts to save the password to the Windows password vault, an error will now be displayed:


 Credential ManagerWindows
Error Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 
Unable to save credentials. To save credentials in this vault, check your computer configuration.
Error code: 0x80070520
Error Message: A specified logon session does not exist. It may already have been terminated.

Accessing Windows Credential Manager from PowerShell

There are no built-in Windows cmdlets for accessing the Credential Manager vault from PowerShell. However, you can use the
CredentialManager module from the PowerShell Gallery.

Install the module:

Install-Module CredentialManager

There are only 4 cmdlets in the module:

Get-StoredCredential – used to get credentials from the Windows Vault;

Get-StrongPassword – to generate a random password;

New-StoredCredential – to add new credentials;

Remove-StoredCredential – to remove credentials.

To add new credentials to the Windows Credential Manager, run this command:

New-StoredCredential -Target 'woshub' -Type Generic -UserName '[email protected]' -Password 'Pass321-b' -Persist

'LocalMachine'

Check for stored user credentials in the vault:

Get-StoredCredential -Target woshub

You can use saved passwords from Credential Manager in your PowerShell scripts. For example, I can get the saved
username and password as a PSCredential object from the Windows Vault and use it to connect to Exchange Online from
PowerShell.

$psCred = Get-StoredCredential -Target "woshub"

Connect-MSolService -Credential $psCred

You can also use the Get-StoredCredential cmdlet to securely retrieve saved credentials in Task Scheduler jobs.

You can also take a look at the Secret Management PowerShell module, which can be used to securely store

passwords and other secrets on Windows. It supports a range of password vaults including KeePass, LastPass,

HashiCorp Vault, Azure Key Vault, and Bitwarden.

To remove saved credentials from Windows Vault using PowerShell:

Remove-StoredCredential -Target woshub

How to Extract Saved Passwords from Windows Credential Manager

You can use the Get-StoredCredential PowerShell cmdlet to extract the plain-text password stored in Credential Manager.

List the saved credentials:

cmdkey.exe /list

Copy the Target value for the object whose password you want to extract and paste it into the following command:
$cred = Get-StoredCredential -Target LegacyGeneric:target=termsrv/MUNRDS1 
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR(
Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 
$cred.Password))

These commands display the user’s stored password in clear text.

You can also use tools such as Mimikatz to retrieve stored passwords from Credman in plain text (see the example

here).

 16 comments 5    

previous post next post

Kill a Windows Service That Stucks on Stopping or PowerShell: Get Folder Size on Windows
Starting

RELATED READING

How to Read Outlook Emails with PowerShell Hide Library and Special Folders from File Installing Windows 11 without Network and
Explorer... Internet Connection
April 24, 2024
April 19, 2024 April 18, 2024

16 COMMENTS

ERIC Reply
 October 16, 2021 - 5:07 pm

You can convert the credential object password to plaintext by using the following.
$cred = Get-StoredCredential -Target Test1
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))

OLEG Reply
 November 11, 2021 - 8:45 am

You can get stored Credential Objects and Passwords by

Get-StoredCredential -AsCredentialObject

DATASTORM Reply
 February 11, 2023 - 9:54 pm

Where do you run this command at? Powershell or CMD line? I’ve tried it in both and does not return
anything but errors.
Command Prompt returns this: “‘Get-StoredCredential’ is not recognized as an internal or external


 command,
Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 
operable program or batch file.”
Powershell returns this in deep red on black background “The term ‘Get StoredCredential’ is not
recognized as the name of a mdlet, function, script file, or operable program. ….”

DATASTORM Reply
 February 11, 2023 - 10:00 pm

Okay, I’ve gone to the top of this article and installed the module.
The commands work, but the password characters are all tiny squares with dots in them.

ADMIN
 February 21, 2023 - 5:05 pm

Have you tried converting the credential object to a plain text password like this?
$cred =Get-StoredCredential -Target test2
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($
In my case, it gets the full plaintext password from the generic credential object.

IAN Reply
 June 25, 2022 - 12:55 pm

Still no Passwords shown.

Any help?

HECTIC CHARMANDER Reply

 October 15, 2022 - 8:29 am

Another fantastic article, as usual.

Extra thanks for mentioning the Microsoft SecretManagement and SecretStore modules. I had forgotten about
those! Definitely prefer a first-party solution, and these appear to be well supported.
Thanks again!

ADMIN Reply
 October 16, 2022 - 5:43 am

You are welcome

AVI Reply
 October 19, 2022 - 12:09 pm

as you have mentioned that the windows credentials are not visible in garphics interface. so can i see that
password from command interface, if yes ! then how ?

ADMIN Reply
 October 21, 2022 - 12:46 pm

Once stored, cred manage passwords are not displayed.

JAYSON Reply
 December 11, 2022 - 10:24 am

how?

BJL Reply
 March 11, 2023 - 1:30 am

This is so tantalizingly close to getting me what I need. I have an interactive application that needs to run as a
specific user. If I allow Windows to save the entered credentials in Credential Manager when prompted on first
run, it works. But I’m scripting the deployment of these workstations to be fully automated. If I (or someone
else) has to manually type a password after deployment, it’s not fully automated, and I won’t be around to do
this every time. So I’m trying to script it.
The issue is with the “target” value, which corresponds to both the display name and the “Internet or network
address:” values displayed in Credential Manager. If I allow Windows to save this for me by manually going
through the process of initially launching the program and typing the password, the “Target” and “Internet or
network address:” values displayed in Credential Manager are in the format of “domain\username (Interactive
logon)”. But if I use New-StoredCredential or cmdkey /add: to try to automate this, the target displayed in 
 Credential Manager does not match that exact format. As a result, when I launch the program, it does not
Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 
recognize/match to the stored credentials, and prompts for the password anyway. I get tripped up in
CredentialManager either by the backslash in “domain\username”, or by the parentheses in “(Interactive logon)’.
If I use cmdkey, I get tripped up by the spaces in the target name, even when single or double-quoted.
I keep thinking there MUST be a way to get this into credential manager in a programmatic way, but I can’t
figure out the syntax on this one.
Anyone want to tackle this one?

JOHN SMITH Reply

 December 18, 2023 - 8:47 pm

Thank you so much @ERIC for your input it works perfectly!

You can convert the credential object password to plaintext by using the following.
$cred = Get-StoredCredential -Target Test1
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))

JSHAW Reply
 January 24, 2024 - 6:52 am

How do I fix error below after entering $cred = Get-StoredCredential -Target Domain:target=xxxxx
“Unable to convert Credential object without username or password to PSCredential object”

NICK Reply
 April 12, 2024 - 3:00 pm

When you run the “cmdkey /list” command, you can only retrieve the passwords saved as a “Generic”
type in the credential manager. If you add a credential in under the generic type, then the commands
in this post work.

JPSO Reply
 April 10, 2024 - 5:03 pm

Hello,
Thx a lot for sharing your knowledge, very good post.
Here is some PowerShell code I use to get CredentialManager module working on every PC on which I’m running
my scripts :
Write-Host ” – Checking ‘CredentialManager’ module : ” -NoNewLine
if (Get-Module -ListAvailable -Name CredentialManager) {
Write-Host “OK” -ForegroundColor Green
} else {
Write-Host “NOK” -ForegroundColor Red
Write-Host ” – Installing ‘CredentialManager’ module … ” -NoNewLine
try {
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Scope CurrentUser -Force -Confirm:$false |
Out-Null
Install-Module CredentialManager -Scope CurrentUser -Force -Confirm:$false | Out-Null
Import-Module CredentialManager | Out-Null
Write-Host “OK” -ForegroundColor Green
} catch {
Write-Host “NOK” -ForegroundColor Red
Write-Host ” – Error : $($_.Exception.Message)” -ForegroundColor Red
}
}

LEAVE A COMMENT

Your Comment

Name* Email* Website

NOTIFY ME OF FOLLOWUP COMMENTS VIA E-MAIL. YOU CAN ALSO SUBSCRIBE WITHOUT COMMENTING.

 POST COMMENT
Windows Server  Active Directory  Windows Clients  Virtualization  PowerShell Exchange Cloud  Linux 

 FACEBOOK  TWITTER  TELEGRAM

Popular Posts
Install and Manage Windows Updates with PowerShell (PSWindowsUpdate)

How to Download Offline Installer (APPX/MSIX) for Microsoft Store App

Configuring Port Forwarding in Windows

Start Menu or Taskbar Search Not Working in Windows 10/11

Get-ADUser: Find Active Directory User Info with PowerShell

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins
Adding Drivers into VMWare ESXi Installation Image
 How to Hide Installed Programs in Windows 10 and 11
BACK TO TOP