• Greg Zejer

Windows Desktop – Credential Manager CLI

If you armanage-your-blog-from-your-live-sitee like me, I’m not a big fan of credential manager. User accounts always get locked out because of this feature, especially when they change their password. If I can disable Credential Manager, I do via GPO.

If disabling credential manager does not work for the client, managing it becomes cumbersome.

There is a CLI users can use in order to manage it: rundll32.exe keymgr.dll,KRShowKeyMgr





This command doesn’t capture everything though. There is another option, POWERSHELL to the rescue! Well, sort of a hybrid solution.

You can use cmdkey to get a list of all saved password, both for the user and machine:



Once you have the list, you can use it with a ForEach-Object powershell combination in order to delete them all:

cmdkey /list | ForEach-Object{if($_ -like “*Target:*”){cmdkey /delete:($_ -replace ” “,”” -replace “Target:”,””)}}




Adding this command to the user login script GPO works wonders. Does it upset people that they have to type their password all the time, sure, but it’s a more secure solution so this doesn’t happen to you:


https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation

26 views0 comments