
Clear cached credentials with the cmdkey and PowerShell

Cached credentials make users' lives easier, but they can be a security issue in Windows if a device falls into the wrong hands. IT can manage them on a large scale with PowerShell.

Users like cached credentials because they are convenient and keep them from having to type in their login information every time they access their devices. For IT, however, cached credentials are problematic if the credential and the actual password are out of sync or if the computer is lost or stolen.

Cached credentials are securely stored on a computer, but if a determined person wants the information badly enough, he could find a way to translate encrypted credentials into cleartext passwords.

As a result, IT administrators must know how to clear cached credentials from Windows machines. Doing so manually requires logging into the console of each computer individually, going to the Credential Manager in the Control Panel and removing each credential one at a time. The process would be extremely time-consuming for IT pros to do across a large number of computers. They can simplify the process with the cmdkey utility and automate the entire procedure with PowerShell.

Get to know the cmdkey utility

IT can manage or clear cached credentials in a few ways, but the easiest method is to use the command-line cmdkey utility. IT can use the cmdkey tool to list cached credentials, as well as add or remove them. Although cmdkey is not PowerShell, IT can use PowerShell to create a wrapper around it to make the process a little easier.

On its own, the syntax for the cmdkey utility is fairly straightforward. Run C:\> cmdkey /? at a command prompt to display the built-in help, which covers how to create, display and delete stored usernames and passwords.

The syntax of the command is:

CMDKEY [{/add | /generic}:targetname {/smartcard | /user:username {/pass{:password}}} | /delete{:targetname | /ras} | /l

  To list available credentials:
     cmdkey /list
     cmdkey /list:targetname

  To create domain credentials:
     cmdkey /add:targetname /user:username /pass:password
     cmdkey /add:targetname /user:username /pass
     cmdkey /add:targetname /user:username
     cmdkey /add:targetname /smartcard

  To create generic credentials:
     The /add switch may be replaced by /generic to create generic credentials.

  To delete existing credentials:
     cmdkey /delete:targetname

  To delete remote access server (RAS) credentials:
     cmdkey /delete /ras

Bring PowerShell into the mix

It is even easier to use cmdkey with PowerShell. IT can build a small wrapper script that manages cached credentials on one remote computer and, just as quickly, on many computers at once.

The following example uses a PowerShell module called PSCredentialManager. IT pros can download the module from the PowerShell Gallery by running Install-Module.

PS> Install-Module -Name PSCredentialManager


Once the module is installed, all of the commands it contains are available. To query all the locally cached credentials on a computer, simply run Get-CachedCredential. IT pros can also enumerate cached credentials on a remote computer with Get-CachedCredential -ComputerName FOO. This also works for many computers at once: instead of passing a single computer name to the ComputerName parameter, an IT pro can pass as many as he'd like, separated by commas:

PS> Get-CachedCredential -ComputerName FOO,BAR,BAZ

The same general method also applies to Remove-CachedCredential, which IT can use to clear cached credentials, as well as the Add-CachedCredential command. All the commands have the same general parameters.
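The wrapper script described above, as an added example that is not the article's code or the PSCredentialManager module: it parses cmdkey /list into objects and deletes matching entries locally or on remote computers. The function names, the Invoke-OnComputers helper and the assumption that WinRM remoting is enabled are this example's own.

```powershell
# Added example, not from the article or the PSCredentialManager module; names are the example's own.
# Parses 'cmdkey /list' output (Target:/Type:/User: lines per entry) into objects.
$script:ListBlock = {
    $current = $null
    foreach ($line in (& cmdkey.exe /list)) {
        switch -Regex ($line) {
            '^\s*Target:\s*(?:(\w+):target=)?(.+)$' {      # e.g. "Target: Domain:target=TERMSRV/server01"
                if ($current) { $current }                   # emit the previous entry
                $current = [pscustomobject]@{ ComputerName = $env:COMPUTERNAME
                    Kind = $matches[1]; Target = $matches[2].Trim(); Type = $null; User = $null }
            }
            '^\s*Type:\s*(.+)$' { if ($current) { $current.Type = $matches[1].Trim() } }
            '^\s*User:\s*(.+)$' { if ($current) { $current.User = $matches[1].Trim() } }
        }
    }
    if ($current) { $current }
}
# Deletes every entry whose bare target name (the part after "target=", which is what
# cmdkey /delete expects) matches a wildcard, and reports the outcome per entry.
$script:RemoveBlock = {
    param([string]$Filter)
    foreach ($line in (& cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(?:\w+:target=)?(.+)$' -and $matches[1].Trim() -like $Filter) {
            $target = $matches[1].Trim()
            $out = & cmdkey.exe "/delete:$target"           # "CMDKEY: Credential deleted successfully."
            [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Target = $target
                               Removed = [bool]($out -match 'deleted successfully') }
        }
    }
}
# Runs a block locally, or on each remote name through Invoke-Command (needs WinRM).
function Invoke-OnComputers([string[]]$ComputerName, [scriptblock]$Block, [object[]]$ArgumentList = @()) {
    foreach ($name in $ComputerName) {
        if ($name -in @($env:COMPUTERNAME, 'localhost', '.')) { & $Block @ArgumentList }
        else { Invoke-Command -ComputerName $name -ScriptBlock $Block -ArgumentList $ArgumentList }
    }
}
function Get-CmdkeyCredential([string[]]$ComputerName = $env:COMPUTERNAME) {
    Invoke-OnComputers $ComputerName $script:ListBlock
}
# e.g. Remove-CmdkeyCredential -ComputerName FOO,BAR -TargetFilter 'TERMSRV/*'; '*' clears everything
function Remove-CmdkeyCredential([string[]]$ComputerName = $env:COMPUTERNAME, [string]$TargetFilter = '*') {
    Invoke-OnComputers $ComputerName $script:RemoveBlock @($TargetFilter)
}
```

Because Credential Manager is per user and DPAPI-protected, a remote run only sees and clears the vault of the account the remoting session runs as, not the entries of the user logged on interactively. Run Get-CmdkeyCredential first and review the Target values before clearing with a filter narrower than '*'.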

The term 'Remove-CachedCredential' is not recognized as the name 
of a cmdlet, function, script file, or operable program.

PS C:\WINDOWS\system32> Import-Module PSCredentialManager -Verbose
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\PSCredentialMan
VERBOSE: Importing function 'Get-CachedCredential'.
VERBOSE: Importing function 'New-CachedCredential'.

Is there a way to just clear everything? There can be 10-20 Outlook cached creds in creds manager. I can't really predict what it will be because to me they look like gibberish.
Yeah. When you pipe all of your credentials through a variable in shell, you can call on that variable with a for loop. It works for registry and network file shares, as you can cast/splat an array or hash table to the variable and if you use a parameter. But obviously, you have to store the credentials through PowerShell first so you can load/unload using the variable you defined. As for general CMDKEY, no, you have to use strict batch/switch interpretations to clear and THEN you can use PSCredential to store the splat table.

You probably figured that out by now but figured anybody else who sees this might be able to put it to good use.
I know this is from three years ago, but someone told me about this discussion when they came across me on GitHub.

Simple batch file to do what mcc85s is talking about.