How does the Task Scheduler save passwords on Windows 7?

If I save a password for a scheduled task, or in a service's logon credentials, is it safe?

It seems to me that Windows saves this password encrypted somehow, but since Windows has to decipher it, so can anyone with offline access to the computer.

Is it true? Are there tools available to recover these passwords?


With Task Scheduler 2.0 (Vista and newer) passwords are saved using the Windows Credential manager:

Task Scheduler in Windows Vista supports a new credential manager that forms part of the security isolation model. In this model, each set of tasks that runs in a specific security context starts in a separate session. Passwords are now stored in the Credentials Manager (CredMan) service. You can use encryption interfaces with CredMan to prevent malware from stealing stored passwords.

Technically, the Credential Manager ("Credential Locker" in newer Windows Versions) is storing the passwords on the local disk:

Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI). Any program running as that user will be able to access credentials in this store.

(emphasis added)

Although Credential Manager improves encryption methods and the security architecture over the deprecated Protected Storage (PStore) service used with the earlier version of Task Scheduler, what growse had written is still valid: whatever is saved can be retrieved, no matter if tools are publicly available for this task yet.


My understanding is that the passwords are stored in DPAPI. So yes, they're stored locally, but they're not stored in plaintext and require the correct encryption key to be able to recall / decrypt them. From distant memory in working with this stuff, the encryption key is derived from the credentials of the current logged in user who is storing the information, so, in theory, only that user can pull the data out and decrypt it.

In the case of the task scheduler, I imagine the data is stored by the account that the task scheduler runs as, so anyone who can impersonate this account (might be SYSTEM by default) can retrieve the data.

"Is it safe" is an entirely subjective question. Unless you encrypt data on disk and keep the key well away from disk, it can, theoretically, be retrieved.


Yes, there are tools to extract credentials stored for a Scheduled Task. These tools require elevated privileges, much like other tools for credential extraction.

For example:

  • Download psexec
  • Download nirsoft's netpass
  • Use psexec to launch netpass in SYSTEM's context

So! If psexec is in my PATH, and netpass.exe is in C:\, I could run this:

psexec -i -s -d C:\netpass.exe

This will open netpass, where you will see credentials for scheduled tasks with a runas account. I've tested this with standard domain accounts, on Windows Server 2008 R2 and Window Server 2012 R2. There may be limitations in newer operating systems, or with certain types of accounts.

Cheers!