{
	"id": "3d98f0e0-4aa3-4f3c-9686-62fadfb3bc09",
	"created_at": "2026-04-06T00:20:07.316702Z",
	"updated_at": "2026-04-10T03:21:34.19869Z",
	"deleted_at": null,
	"sha1_hash": "696cc836450d081a08800a96a078b6cca6cb0526",
	"title": "The Windows Vaults | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176326,
	"plain_text": "The Windows Vaults | Malwarebytes Labs\r\nBy Pieter Arntz\r\nPublished: 2016-01-10 · Archived: 2026-04-02 11:37:09 UTC\r\nThe Credential Manager in Windows is a relatively unknown feature, even though a lot of people are using it\r\nwithout being aware of its existence. Windows stores credentials in special folders that they call “vaults” to help\r\nusers login to websites and other computers. The Credential Manager as such is introduced with Windows 7.\r\nOperation\r\nReviewing and manually adding credentials can be done by clicking the “Credential Manager” entry on the “User\r\nAccounts and Family Safety” tab of the Control Panel.\r\nThere are a few categories. Which ones you have at your disposal depends on your Windows version, but the most\r\ncommon options are:\r\nCertificate(-Based) Credentials, for SSL authentication\r\nDomain Credentials, can be shared between applications\r\nWindows Credentials, only used by Windows and its services\r\nWeb Credentials, used by Internet Explorer\r\nGeneric Credentials, when Credential Manager does not recognize the type as one of the above\r\nPlaintext Password Credentials, these are very unsafe to use and should be avoided\r\nLocation\r\nhttps://blog.malwarebytes.com/101/2016/01/the-windows-vaults/\r\nPage 1 of 5\n\nBy default Windows stores the credentials in this location:\r\n%Systemdrive%Users{Username}AppDataLocalMicrosoftCredentials\r\nIf you are having trouble finding it, you have to set “Show hidden files, folders, and drives” and uncheck “Hide\r\nprotected operating system files (Recommended)” under the “Folder and Search options” to find the folder and see\r\nthe content.\r\nBackup and Restore\r\nFor those of us that had no idea how this feature works, it will be a pleasant surprise to learn that you can take\r\nyour credentials with you when you get a new computer or have to start from scratch with the current one. 
Here’s\r\nhow it works:\r\nClick the Credential Manager entry.\r\nClick the “Back up vault” (for Windows 7) or “Back up Credentials” (for Windows 8 and Windows 10) to\r\nopen the wizard that will help you with backing up or restoring your credentials:\r\nClick the “Back up…” button and use the “Browse” button to choose a name and location for the backup of\r\nyour credentials:\r\nClick “Next”, and then you are prompted to switch to the secure desktop by using Ctrl-Alt-Del.\r\nOnce you have done that, you can protect the backup file with a password:\r\nClick “Next”, remove the “Removable Media” you stored the backup on and click “Finish” to close the\r\nwizard.\r\nRestoring the credentials works pretty much the same: Start the wizard, point to the location of the .crd file, switch\r\nto secure desktop, enter your password and click “Finish”.\r\nNote that restoring from a .crd file removes any other credentials you may have had in your vault.\r\nPros and Cons\r\nThe ability to store credentials on a computer is a time-saver for the owner or authorized computer users; however,\r\nthe same can be said for unauthorized users. Based on the simple procedure we have outlined above, stealing your\r\ncredentials is equally simple. Backing them up to a USB stick or uploading them to the cloud is a piece of cake.\r\nOnce thieves get hold of the backup, it is not as difficult as you might expect to abuse the credentials. 
Once they\r\nhave restored the credentials on another computer or Virtual Machine, they can use “vaultcmd” commands to\r\nfigure out what they have gained access to.\r\nAs an example, I created this hypothetical credential for server 1.2.3.4—\r\n—and used the command vaultcmd /listcreds:\"Windows Credentials\" in a command prompt. This provides an\r\noverview of all the credentials stored under “Windows Credentials” as shown below:\r\nAnd if these thieves feel it is interesting enough, they can use password recovery software to get hold of the\r\npassword as well, although that is not really necessary, since they will be able to log in with your credentials\r\nanyway.\r\nIf you think the worst thing that could happen if you leave your computer unattended were embarrassing\r\nFacebook posts, think again. It would take a professional only seconds to steal your credentials, and after that,\r\nthey have all the time to figure out what they can do with them.\r\nOnline sources:\r\nWhat is credential manager?\r\nSaving Credentials on Windows Computers\r\nCredential Manager – Where Windows Stores Passwords \u0026 Login Details\r\nPieter Arntz\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/"
	],
	"report_names": [
		"the-windows-vaults"
	],
	"threat_actors": [],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/696cc836450d081a08800a96a078b6cca6cb0526.pdf",
		"text": "https://archive.orkl.eu/696cc836450d081a08800a96a078b6cca6cb0526.txt",
		"img": "https://archive.orkl.eu/696cc836450d081a08800a96a078b6cca6cb0526.jpg"
	}
}