Manipulate stored credentials

This is more of a note to self so I don't forget the nifty cmd line tool included in 2k3 by default.


Low-level Credentials Management Functions

The following are low-level credentials management functions.

| Function | Description |
| --- | --- |
| CredDelete | Delete a credential from a user’s credentials set. |
| CredEnumerate | List the credentials in a user’s credentials set. |
| CredFindBestCredential | Searches the Credentials Management (CredMan) database for the set of generic credentials that are associated with the current logon session and that best match the specified target resource. |
| CredFree | Free the memory used for a buffer returned by any of the credentials management functions. |
| CredGetSessionTypes | Retrieve the maximum persistence supported by the current logon session. |
| CredGetTargetInfo | Retrieve all known target name information for a named resource. |
| CredIsProtected | Specifies whether the specified credentials are encrypted by a previous call to the CredProtect function. |
| CredMarshalCredential | Transform a credential into a text string. |
| CredPackAuthenticationBuffer | Converts a string user name and password into an authentication buffer. |
| CredProtect | Encrypts the specified credentials so that only the current security context can decrypt them. |
| CredRead | Read a credential from a user’s credentials set. |
| CredReadDomainCredentials | Read the domain credentials from a user’s credentials set. |
| CredRename | Rename a credential from a user’s credentials set. |
| CredUnmarshalCredential | Transform a marshaled credential string back into its nonmarshaled form. |
| CredUnPackAuthenticationBuffer | Converts an authentication buffer returned by a call to the CredUIPromptForWindowsCredentials function into a string user name and password. |
| CredUnprotect | Decrypts credentials that were previously encrypted by using the CredProtect function. |
| CredWrite | Create a new credential or modify an existing credential in a user’s credentials set. |
| CredWriteDomainCredentials | Write domain credentials to a user’s credentials set. |




C:\WINDOWS\system32>cmdkey /?

Creates, displays, and deletes stored user names and passwords.

The syntax of this command is:

CMDKEY [{/add | /generic}:targetname {/smartcard | /user:username {/pass{:password}}} | /delete{:targetname | /ras} | /list{:targetname}]


  To list available credentials:
     cmdkey /list
     cmdkey /list:targetname

  To create domain credentials:
     cmdkey /add:targetname /user:username /pass:password
     cmdkey /add:targetname /user:username /pass
     cmdkey /add:targetname /user:username
     cmdkey /add:targetname /smartcard

  To create generic credentials:
     The /add switch may be replaced by /generic to create generic credentials

  To delete existing credentials:
     cmdkey /delete:targetname

  To delete RAS credentials:
     cmdkey /delete /ras
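
An added example (not part of the original post) that turns `cmdkey /list` output into records so stored domain credentials can be reviewed and, where no longer needed, removed with `cmdkey /delete:targetname`. It assumes the `Target:` / `Type:` / `User:` layout printed by English-language builds of cmdkey; the sample output, host names, accounts and function names are constructed for illustration.

```python
import subprocess

# Constructed sample of `cmdkey /list` output (assumed layout, not captured from a real host).
SAMPLE = """\

Currently stored credentials:

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CORP\\alice

    Target: LegacyGeneric:target=backup-tool
    Type: Generic
    User: svc_backup
    Saved for this logon only

    Target: Domain:target=TERMSRV/jump01
    Type: Domain Password
    User: CORP\\alice-adm
"""

def parse_cmdkey_list(text):
    """Split `cmdkey /list` output into one dict per stored credential."""
    entries, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank lines and persistence notes carry no "key:" part
        key, value = key.strip().lower(), value.strip()
        if key == "target":  # every entry begins with its Target line
            current = {"target": value, "type": "", "user": ""}
            entries.append(current)
        elif current is not None and key in ("type", "user"):
            current[key] = value
    return entries

def domain_credentials(entries):
    """Keep only domain-type entries, the ones created with /add rather than /generic."""
    return [e for e in entries if e["type"].lower().startswith("domain")]

def list_stored_credentials():
    """Run cmdkey on a Windows host and parse what it prints."""
    out = subprocess.run(["cmdkey", "/list"], capture_output=True, text=True, check=True)
    return parse_cmdkey_list(out.stdout)

if __name__ == "__main__":
    for e in domain_credentials(parse_cmdkey_list(SAMPLE)):
        print(f"review: {e['target']} stored for {e['user']}")
```
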



Comments (4)

  1. Are credentials those things that are found via cmdkey or the Control Panel operation (Stored User Names and Passwords) or does it include the normal Windows acct. password and that stored in Active Directory?

  2. SpatDSG says:

    I'm not sure I understand the question, but it seems to revolve around "What are credentials?"

    But, that doesn't sound right. So maybe it is – "What does the cmdkey store or list?" If so, then it is the control panel operation you mentioned.


  3. ddas says:

    Any idea how to store & manipulate credential information through my application on Windows 2000?

    Simply put, what you can do with the credui.dll in Windows XP, is there any way on Windows 2000?

  4. Saurabh says:

    Thanks ….. Spat … thank you very much … for cmdkey

    Cheers !