Archive for the ‘Active Directory’ Category

Viewing cached credentials and clearing cached credentials in Windows 10

This article applies to Windows 10 Anniversary Update (Version 1607). For previous versions of Windows, please see the earlier article.

What are cached credentials?

Windows 10 caches and stores usernames and passwords for Active Directory domains, other computers, apps like Outlook, websites, and FTP sites. This makes it easier to authenticate as you don’t have to type in the username and password every single time. But it does pose a risk of those credentials getting misused.

Where are Windows 10 credentials stored?

Active Directory credentials. Domain credentials (usernames and passwords) are stored in the local computer’s registry as salted hashes, under HKEY_LOCAL_MACHINE\Security\Cache, which lives in the %systemroot%\System32\config\SECURITY file.

Generic credentials. You can view Website and Windows credentials by launching the Credential Manager (credwiz.exe).

Internet credentials. You can view Internet usernames and passwords in the Internet Control Panel (inetcpl.cpl). Run inetcpl.cpl, go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords.

When do Windows 10 cached domain credentials expire?

Unfortunately, Windows domain credentials don’t expire in the cache. Within Active Directory, expiration is set on the user object. But if the credential is still valid in Active Directory, the cached copy will still work.

It is possible to control how many credentials are cached using the group policy: Interactive logon: Number of previous logons to cache (in case domain controller is not available)


How to reset Windows 10 credentials? How to remove Windows 10 credentials?

Active Directory credentials. Open the registry to HKEY_LOCAL_MACHINE\Security\Cache, grant your user account read/write access. Close and reopen the registry to have the access control take effect. Zeroing out the NL$x binary value will clear the cached credential.

Generic credentials. Open the Credential Manager (credwiz.exe) to view Website and Windows credentials. Select and remove the passwords you wish to clear.

Internet credentials. Open the Internet Control Panel (inetcpl.cpl), go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords. Select and remove the passwords you wish to clear.

Outlook email. To view and clear Outlook passwords on Windows 10, first use the Credential Manager instructions above. Then, download the SaveCredentials.exe tool and follow the directions here.

Windows Live Essentials. To view and clear Windows Live Essentials passwords on Windows, first use the Credential Manager instructions above. Find the SSO_POP_Device. This credential provides Single Sign-On (SSO) access for the Post Office Protocol (POP) when accessing a variety of Microsoft email platforms (@hotmail.com, @msn.com, @outlook.com, etc).

Why bother clearing Windows 10 credentials?

The main reason people follow this article is to troubleshoot cached Windows credentials, Active Directory credentials, domain issues, or problems with apps like Internet Explorer and Outlook. Removing the passwords from Windows allows it to reset and fix authentication issues.

The other reason? Well, security. A common tactic from penetration testers to red teamers to criminals is to gain access to cached credentials. From there, they may be replayed to connect to IT systems, or cracked and reused as part of a larger attack. To prevent this, minimize the data stored on your computer and minimize the likelihood of it being stolen or copied.
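The checks and removals described in this post, scripted as an added example (this is not the article's own code). It assumes an elevated PowerShell 5.1 session on a domain-joined Windows 10 host. The cache-size policy named above is backed by the CachedLogonsCount value under the Winlogon key; the Credential Manager ("generic" and Windows credentials) is read and edited through the built-in cmdkey.exe, and the script never reads the secrets themselves, only the target, type and user of each entry.

```powershell
# Added example, not from the original article.
# Audit the domain credential cache policy and the Credential Manager on
# Windows 10, and remove a Credential Manager entry. Run elevated.

# Registry value behind the policy "Interactive logon: Number of previous
# logons to cache (in case domain controller is not available)".
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    # Returns how many domain logons Windows will keep cached (default 10).
    $value = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }   # value absent: Windows uses its default
    return [int]$value
}

function Set-CachedLogonPolicy {
    # Sets the number of logons to cache. 0 disables caching entirely; a laptop
    # that must log on while off the network usually needs at least 1.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 50)][int]$Count)
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        # CachedLogonsCount is a REG_SZ, so the number is written as a string.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -Value ([string]$Count) -Type String
    }
}

function Get-StoredCredentialSummary {
    # Parses "cmdkey /list" into objects. Output looks like:
    #     Target: Domain:target=TERMSRV/server01
    #     Type: Domain Password
    #     User: CORP\alice
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Remove-StoredCredential {
    # Deletes one Credential Manager entry. Accepts either the bare target
    # ("TERMSRV/server01") or the full "Domain:target=TERMSRV/server01" form.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Target)
    $name = $Target -replace '^[^=]+target=', ''
    if ($PSCmdlet.ShouldProcess($name, 'Remove stored credential')) {
        cmdkey "/delete:$name" | Out-Null
    }
}

# Usage: report the policy and the stored entries, then rehearse a removal.
"Cached domain logons allowed: $(Get-CachedLogonPolicy)"
Get-StoredCredentialSummary | Format-Table -AutoSize
# Remove-StoredCredential -Target 'TERMSRV/server01' -WhatIf   # placeholder target
```

Both writing functions support -WhatIf and -Confirm, so the script can be run read-only first; drop the switches once the output lists only the entries you intend to remove.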

Replication and Transferring Operations Master Roles

Replication must be up-to-date before transferring operations master roles. If replication has not converged, several symptoms may occur. The role may take significantly longer to transfer, or it may not transfer at all. Likewise, the new operations master may not receive changes that were originally sent to the previous operations master, which could leave Active Directory inconsistent. Thus all replication must complete before beginning the process.

Check the replication status first. If necessary, follow the article below to resolve any replication issues.

Active Directory Operations Overview: Troubleshooting Active Directory Replication Problems
http://technet.microsoft.com/en-us/library/bb727057.aspx

Once replication has synchronized end-to-end, and Active Directory has converged, the roles can be transferred. Follow the article below to transfer the role in question.

How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

The risk of Active Directory becoming inconsistent is higher if the role is seized rather than transferred. For that reason, Microsoft recommends you let a full replication cycle elapse between any changes before attempting a seizure.
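A script that enforces the rule above, added here as an example and not taken from the post: the transfer is refused unless forest-wide replication reports no failures and every inbound link has succeeded recently. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2012 or later cmdlets) and a Domain Admin session; "DC02" and the one-hour freshness window are placeholders. It deliberately never passes -Force, which is what turns a transfer into a seizure.

```powershell
# Added example, not from the original post.
# Transfer an operations master role only after replication has converged.
Import-Module ActiveDirectory

function Test-ReplicationConverged {
    # $true when no DC in the forest reports a replication failure and every
    # inbound partner link has replicated successfully within $MaxAgeMinutes.
    param([int]$MaxAgeMinutes = 60)
    $forest = (Get-ADForest).Name

    $failures = Get-ADReplicationFailure -Target $forest -Scope Forest
    if ($failures) {
        $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
        return $false
    }

    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    $stale = Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff }
    if ($stale) {
        $stale | Format-Table Server, Partner, Partition, LastReplicationSuccess -AutoSize
        return $false
    }
    return $true
}

function Move-RoleIfConverged {
    # Transfers one or more roles to $Identity, but only if the check passes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                     'SchemaMaster', 'DomainNamingMaster')]
        [string[]]$OperationMasterRole
    )
    if (-not (Test-ReplicationConverged)) {
        throw 'Replication has not converged; resolve replication before transferring roles.'
    }
    if ($PSCmdlet.ShouldProcess($Identity, "Transfer $($OperationMasterRole -join ', ')")) {
        # No -Force here: -Force seizes the role, which is only for a holder
        # that is permanently gone.
        Move-ADDirectoryServerOperationMasterRole -Identity $Identity `
            -OperationMasterRole $OperationMasterRole -Confirm:$false
    }
}

# Usage (placeholder DC name): rehearse first, then run for real.
Move-RoleIfConverged -Identity 'DC02' -OperationMasterRole PDCEmulator, RIDMaster -WhatIf
```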

Domain controller holds the last replica

Error when demoting an Active Directory domain controller: This domain controller holds the last replica of the following application directory partitions: DC=MSTAPI,DC=yourdomain,DC=com

Active Directory has the following partitions: Application partition, Configuration partition, Domain partition, and Schema partition. The Application partition is used to store data from Active Directory-integrated software. This error indicates that an Application partition exists on this DC. There are two possibilities: this is the last DC in the domain or it is not.

If this is the last DC in the domain, and the domain information is no longer needed, then it is safe to delete the replica.

If this is not the last DC and you require the Application partition, you must remove the DC from the Application partition’s replica set. Use ADSIEdit and consult Microsoft’s help to perform this operation.
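The ADSIEdit step described above, done in PowerShell as an added example (not the post's own procedure). Each application partition is described by a crossRef object under CN=Partitions in the configuration partition, and its msDS-NC-Replica-Locations attribute lists the NTDS Settings objects of the DCs that hold a replica; removing a DC from that list removes it from the replica set. The script refuses to remove the last replica, which is exactly the situation the error above reports. It assumes the ActiveDirectory module and Enterprise Admin rights; the partition and DC names in the usage lines are placeholders.

```powershell
# Added example, not from the original post.
# List application partitions with their replica holders, and remove a DC
# from a partition's replica set before demotion.
Import-Module ActiveDirectory

function Get-ApplicationPartitionReplica {
    # One object per application partition: its DN, its crossRef, and the
    # short names of the DCs that currently hold a replica.
    $appPartitions = @((Get-ADForest).ApplicationPartitions)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, 'msDS-NC-Replica-Locations' |
        Where-Object { $appPartitions -contains $_.nCName } |
        ForEach-Object {
            $holders = @($_.'msDS-NC-Replica-Locations') | ForEach-Object {
                # "CN=NTDS Settings,CN=DC01,CN=Servers,..." -> "DC01"
                ($_ -split ',')[1] -replace '^CN='
            }
            [pscustomobject]@{
                Partition = $_.nCName
                CrossRef  = $_.DistinguishedName
                ReplicaDC = @($holders)
            }
        }
}

function Remove-DCFromReplicaSet {
    # Removes $DCName from the replica set of $Partition, unless it is the
    # last replica (in which case demoting it would lose the partition's data).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Partition,
        [Parameter(Mandatory)][string]$DCName
    )
    $entry = Get-ApplicationPartitionReplica | Where-Object { $_.Partition -eq $Partition }
    if (-not $entry) { throw "No application partition named $Partition" }
    if ($entry.ReplicaDC -notcontains $DCName) {
        throw "$DCName does not hold a replica of $Partition"
    }
    if ($entry.ReplicaDC.Count -le 1) {
        throw "$DCName holds the last replica of $Partition; delete the partition only if its data is no longer needed."
    }
    $ntdsDN = (Get-ADDomainController -Identity $DCName).NTDSSettingsObjectDN
    if ($PSCmdlet.ShouldProcess($Partition, "Remove replica held by $DCName")) {
        Set-ADObject -Identity $entry.CrossRef -Remove @{ 'msDS-NC-Replica-Locations' = $ntdsDN }
    }
}

# Usage (placeholder names): inspect first, then rehearse the removal.
Get-ApplicationPartitionReplica | Format-Table Partition, ReplicaDC -AutoSize
Remove-DCFromReplicaSet -Partition 'DC=MSTAPI,DC=yourdomain,DC=com' -DCName 'DC01' -WhatIf
```

After the removal, let replication converge (the KCC has to rebuild the partition's topology) before running the demotion again.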

Troubleshooting Active Directory replication

Some tips on troubleshooting Active Directory replication:

You may notice that objects in the directory are not the same across all domain controllers, or that people and computers are not receiving their group policy settings, or that the SYSVOL share is not synchronized across the domain. These are symptoms of replication failures.

To troubleshoot replication failures, begin with the basics. Are all the replication links up? Are all the domain controllers synchronized to the same date and time? Then, run Dcdiag.exe to get status of the domain controllers. Run Netdiag.exe to get a report on the network connectivity. Address any issues that these utilities find. Then run Repadmin.exe and validate the connections, site links, and queues. Once everything is validated, run Repadmin.exe and force a synchronization of AD objects. To synchronize group policy settings and the SYSVOL, use Ntfrsutil.exe to troubleshoot and re-replicate the files.
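The sequence above as a script, added here as an example and not taken from the post: verify the domain controllers' clocks agree, run Dcdiag, parse Repadmin's per-link status for failures, and only when every link is clean force a forest-wide synchronization. Netdiag.exe no longer ships with current Windows Server releases, so the connectivity and time check here uses w32tm instead. It assumes RSAT (the ActiveDirectory module, repadmin.exe, dcdiag.exe) and Domain Admin rights; the 5-minute skew threshold matches the Kerberos default.

```powershell
# Added example, not from the original post.
# Replication health check in the order the post describes.
Import-Module ActiveDirectory

function Get-DCTimeSkew {
    # Compares each DC's clock with this machine's via w32tm. Kerberos rejects
    # tickets beyond 5 minutes of skew, so anything over 300 s is flagged.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $line = w32tm /stripchart "/computer:$($dc.HostName)" /samples:1 /dataonly 2>$null |
            Select-Object -Last 1
        # Data line looks like: "12:00:01, +00.0123456s"
        if ($line -match ',\s*([+-]\d+\.\d+)s') {
            $offset = [double]$Matches[1]
            [pscustomobject]@{
                DC            = $dc.HostName
                OffsetSeconds = $offset
                Skewed        = [math]::Abs($offset) -gt 300
            }
        } else {
            [pscustomobject]@{ DC = $dc.HostName; OffsetSeconds = $null; Skewed = $true }
        }
    }
}

function Get-FailingReplicationLink {
    # "repadmin /showrepl * /csv" emits one row per inbound link with a
    # "Number of Failures" column; any non-zero row needs attention.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

function Invoke-ReplicationHealthCheck {
    # 1. Basics: clocks.
    $skew = Get-DCTimeSkew
    $skew | Format-Table -AutoSize
    if ($skew | Where-Object Skewed) {
        Write-Warning 'Fix time synchronization before looking at replication.'
        return
    }
    # 2. Dcdiag in quiet mode prints only the tests that fail.
    dcdiag /q
    # 3. Repadmin: any failing link stops here.
    $bad = Get-FailingReplicationLink
    if ($bad) {
        $bad | Format-Table -AutoSize
        Write-Warning 'Resolve the failing links above before forcing a sync.'
        return
    }
    # 4. Everything validated: push all partitions to every DC in the forest
    #    (/A all partitions, /d show DNs, /e cross-site, /P push).
    repadmin /syncall /AdeP
}

Invoke-ReplicationHealthCheck
```

SYSVOL is not covered by repadmin; once directory replication is clean, the Ntfrsutil.exe step the post mentions still applies for FRS-based SYSVOL.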

Viewing cached credentials, clearing cached credentials, preventing cached credentials

Microsoft Windows caches domain credentials. This article applies to Windows 7 and 8. Click here for the Windows 10 version of this article.

Windows caches domain credentials (usernames and passwords). See Microsoft article KB913485 for details. These credentials are stored on the local computer’s registry.

Viewing cached credentials: In the registry, grant your user account full permission to HKEY_LOCAL_MACHINE\Security. By default, only the System account has permission to the Security key. Refresh Regedit (you may need to close and relaunch Regedit), then open the key. You can view the cached credentials under HKEY_LOCAL_MACHINE\Security\Cache. Up to ten credentials can be cached, and these are stored in the values NL$1 through NL$10.

Clearing cached credentials: Zeroing out the NL$x binary value will clear the cached credential.

Preventing cached credentials: Deleting the NL$1-NL$10 binary values will prevent credentials from being cached.
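The viewing and clearing steps from this post and from the Windows 10 post above, scripted as an added example that is not the blog's own code. Because HKLM\SECURITY is readable only by the System account by default, the script has to run either in a SYSTEM context or after you have granted yourself access as described above; it reports which NL$ slots hold data (by checking for non-zero bytes) without decoding them, and zeroes a slot in place, which is the clearing method the post describes. The slot names and the assumption that an unused slot is all zeros come from the posts; everything else is the example's own.

```powershell
# Added example, not from the original posts.
# Enumerate the NL$ cached-credential slots and zero a chosen slot.
$CacheKey = 'HKLM:\SECURITY\Cache'

function Get-CachedLogonSlot {
    # One object per NL$n value: its size and whether it holds data.
    # NL$Control is deliberately excluded; it is not a credential slot.
    try {
        $key = Get-Item -Path $CacheKey -ErrorAction Stop
    } catch {
        throw "Cannot open $CacheKey. Run as SYSTEM or grant your account access first. ($_)"
    }
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' })) {
        [byte[]]$data = $key.GetValue($name)
        [pscustomobject]@{
            Slot   = $name
            Length = $data.Length
            # Any non-zero byte means the slot has been used.
            InUse  = [bool]($data -ne 0)
        }
    }
}

function Clear-CachedLogonSlot {
    # Overwrites the slot with zeros of the same length, leaving the value in
    # place so Windows can reuse it; deleting the value instead stops caching.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][ValidatePattern('^NL\$\d+$')][string]$Slot)
    $key = Get-Item -Path $CacheKey -ErrorAction Stop
    [byte[]]$data = $key.GetValue($Slot)
    if ($null -eq $data) { throw "No value named $Slot under $CacheKey" }
    if ($PSCmdlet.ShouldProcess($Slot, 'Overwrite cached credential with zeros')) {
        Set-ItemProperty -Path $CacheKey -Name $Slot `
            -Value (New-Object byte[] $data.Length) -Type Binary
    }
}

# Usage: list the slots, then rehearse clearing every slot that is in use.
Get-CachedLogonSlot | Format-Table -AutoSize
Get-CachedLogonSlot | Where-Object InUse |
    ForEach-Object { Clear-CachedLogonSlot -Slot $_.Slot -WhatIf }
```

The functions only take effect on the local machine; a domain-joined host re-populates a slot at the next interactive domain logon, so pair the clearing with the CachedLogonsCount policy from the Windows 10 post if the goal is to keep credentials off the machine for good.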
