How are cached Windows credentials stored on the local machine?

Solution 1:

"Cached credentials"

Cached credentials for an AD domain are actually salted double hashes of the password and stored in the HKLM\Security hive. The file location of the hive is: %systemroot%\System32\config\SECURITY

Only the "system" user has access to the registry keys:
HKLM\Security\Cache\NL$n where n is an index 1 to the maximum number of cached credentials.

Susceptibility to Attacks

WinNT to WinXP used "Lan Manager" hashes for local accounts, which are easily broken on modern hardware. Cracking usually takes several minutes (I recently did 3 passwords in 00:08:06) with just a "normal" desktop computer. Lan Manager hashes are not salted, so there are publicly available rainbow tables too.

Vista and later use NT hashes for local accounts. Windows 2000 and later use NT hashes for domain accounts as well. NT hashes are salted double-MD4 hashes. The per-entry salt prevents the use of rainbow tables, but MD4 can be executed very fast on modern hardware: about 6 compute-years for a 60-bit password. With luck and a 6 GPU cluster a cracker can break this sort of password in ~6 months. Taking that to the cloud, about $35k on Amazon EC2 GPU - depending on availability, it could be hours.

Solution 2:

The credentials aren't actually cached on the local machine. See this excerpt from MS:

Security of cached domain credentials

The term cached credentials does not accurately describe how Windows caches logon information for domain logons. In Windows 2000 and in later versions of Windows, the username and password are not cached. Instead, the system stores an encrypted verifier of the password. This verifier is a salted MD4 hash that is computed two times. The double computation effectively makes the verifier a hash of the hash of the user password. This behavior is unlike the behavior of Microsoft Windows NT 4.0 and earlier versions of Windows NT.

http://support.microsoft.com/kb/913485