Overview#Cached and Stored Credentials describes how credentials are formed in Microsoft Windows and how the operating system manages them.
Cached Credentials#Windows logon cached password verifiers CANNOT be presented to another computer for authentication, and they can only be used to locally verify a credential.
Cached and Stored Credentials are stored in the Security Account Manager (SAM) in the registry on the local computer and provide credentials validation when a domain-joined computer CANNOT connect to Microsoft Active Directory during a user’s logon.
Stored Credentials#The following sections describe where credentials are stored in Windows Client operating Systems. Windows credentials are composed of a combination of an account name and the authenticator. These are stored and retrieved from the following locations depending on the status of the user’s session, which might be active or inactive, and local or networked.
- Security Account Manager (SAM)
- Local Security Authority Subsystem Service (LSASS)
- Local Security Authority (LSA)
- Microsoft Active Directory
Credential Manager store#Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI). Any program running as that user will be able to access credentials in this store.
Credential Manager can obtain its information in two ways:
- Explicit creation When users enter a user name and password for a target computer or domain, that information is stored and used when the users attempt to log on to an appropriate computer. If no stored information is available and users supply a user name and password, they can save the information. If the user decides to save the information, Credential Manager receives and stores it.
- System population When the operating system attempts to connect to a new computer on the network, it supplies the current user name and password to the computer. If this is not sufficient to provide access, Credential Manager attempts to supply the necessary user name and password. All stored user names and passwords are examined, from most specific to least specific as appropriate to the resource, and the connection is attempted in the order of those user names and passwords. Because user names and passwords are read and applied in order, from most to least specific, no more than one user name and password can be stored for each individual target or domain.
Credential Manager uses the Credential Locker, formerly known as Windows Vault, for secure storage of user names and passwords.