Clear cached credentials with the cmdkey and PowerShell

Cached credentials make users' lives easier, but they can be a security issue in Windows if a device falls into the wrong hands. IT can manage them on a large scale with PowerShell.

Users like cached credentials because they are convenient and keep them from having to type in their login information every time they access their devices. For IT, however, cached credentials are problematic if the credential and the actual password are out of sync or if the computer is lost or stolen.

Cached credentials are stored encrypted on the computer, but an attacker who gets hold of the device and wants the information badly enough could find a way to recover the cleartext passwords from them.

As a result, IT administrators must know how to clear cached credentials from Windows machines. Doing so manually requires logging into the console of each computer individually, going to the Credential Manager in the Control Panel and removing each credential one at a time. The process would be extremely time-consuming for IT pros to do across a large number of computers. They can simplify the process with the cmdkey utility and automate the entire procedure with PowerShell.

Get to know the cmdkey utility

IT can manage or clear cached credentials in a few ways, but the easiest method is to use the command-line cmdkey utility. IT can use the cmdkey tool to list cached credentials, as well as add or remove them. Although cmdkey is not PowerShell, IT can use PowerShell to create a wrapper around it to make the process a little easier.

On its own, the syntax for the cmdkey utility is fairly straightforward. Run cmdkey /? at a command prompt to see how to create, display and delete stored usernames and passwords.

The syntax of the command is:

    CMDKEY [{/add | /generic}:targetname {/smartcard | /user:username {/pass{:password}}} | /delete{:targetname | /ras} | /list{:targetname}]

    To list available credentials:
        cmdkey /list
        cmdkey /list:targetname

    To create domain credentials:
        cmdkey /add:targetname /user:username /pass:password
        cmdkey /add:targetname /user:username /pass
        cmdkey /add:targetname /user:username
        cmdkey /add:targetname /smartcard

    To create generic credentials:
        The /add switch may be replaced by /generic to create generic credentials.

    To delete existing credentials:
        cmdkey /delete:targetname

    To delete remote access server (RAS) credentials:
        cmdkey /delete /ras

Bring PowerShell into the mix

It is even easier to use cmdkey with PowerShell. IT can build a small wrapper script that can manage cached credentials on one remote computer at a time and perform the action just as quickly on multiple computers at once.

The following example uses a PowerShell module called PSCredentialManager. IT pros can download the module from the PowerShell Gallery by running Install-Module.

PS> Install-Module -Name PSCredentialManager


Once the module is installed, all of its commands are available. To query all the locally cached credentials on a computer, for example, simply run Get-CachedCredential. IT pros can also enumerate cached credentials on a remote computer with Get-CachedCredential -ComputerName FOO. This also works for many computers at once: instead of passing a single computer name to the ComputerName parameter, an IT pro can pass as many as they'd like, separated by commas:

PS> Get-CachedCredential -ComputerName FOO,BAR,BAZ

The same general method also applies to Remove-CachedCredential, which IT can use to clear cached credentials, as well as the Add-CachedCredential command. All the commands have the same general parameters.
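For administrators who would rather not install a module, the following is an added example of the kind of thin cmdkey wrapper the article describes. It is not code from the article or from the PSCredentialManager module; the function names, the assumed WinRM connectivity and the parsing of the cmdkey /list output format are my own.

```powershell
# Added example, not from the article or PSCredentialManager: wrap cmdkey /list and
# cmdkey /delete in two functions that work locally or over WinRM (Invoke-Command).
# Assumes PowerShell remoting is enabled on the target computers.

function Get-CmdkeyCredential {
    [CmdletBinding()]
    param([string[]]$ComputerName)

    $reader = {
        $current = $null
        # cmdkey /list prints blocks of "Target: <kind>:target=<name>", "Type: ...", "User: ..."
        foreach ($line in (cmdkey /list)) {
            if ($line -match '^\s*Target:\s*\w+:target=(?<Target>.+)$') {
                if ($current) { $current }          # emit the previous block
                $current = [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Target = $Matches.Target.Trim(); Type = $null; User = $null }
            } elseif ($current -and $line -match '^\s*(?<Key>Type|User):\s*(?<Value>.+)$') {
                $current.($Matches.Key) = $Matches.Value.Trim()
            }
        }
        if ($current) { $current }
    }
    # cmdkey only sees the vault of the account it runs as, so a remote call returns
    # the remoting user's credentials on each host, not those of every local profile.
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader }
    else { & $reader }
}

function Remove-CmdkeyCredential {
    # Deletes every cached credential whose target matches -TargetPattern (a regex);
    # with the default pattern it clears all of them. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ComputerName, [string]$TargetPattern = '.*')

    $remover = {
        param([string]$Pattern)
        foreach ($line in (cmdkey /list)) {
            if ($line -match '^\s*Target:\s*\w+:target=(?<Target>.+)$') {
                $target = $Matches.Target.Trim()   # copy before the next -match overwrites $Matches
                if ($target -match $Pattern) {
                    cmdkey /delete:$target | Out-Null
                    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Removed = $target }
                }
            }
        }
    }
    if (-not $PSCmdlet.ShouldProcess("cached credentials matching '$TargetPattern'", 'cmdkey /delete')) { return }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $remover -ArgumentList $TargetPattern }
    else { & $remover $TargetPattern }
}

# Review first, then clear; e.g. only saved RDP credentials (TERMSRV/*) on two hosts:
# Get-CmdkeyCredential -ComputerName FOO,BAR | Format-Table
# Remove-CmdkeyCredential -ComputerName FOO,BAR -TargetPattern '^TERMSRV/' -WhatIf
```

Run the removal with -WhatIf first so the list of targets that would be deleted can be reviewed before anything is touched.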
