Where does Credential Manager store credentials on the file system?

I want to clear a user's stored credentials on a remote machine, without having to have the user log in and open the Cred manager GUI or run CMDKEY with them logged in.

Is there a place on the file system under the user's profile with the stored creds? Can I just delete them off the file system that way to clear the cached creds of another user?


Solution 1:

Have a look at vaultcmd.exe:

vaultcmd

There are my credential vaults on the file system.

But I am not sure whether it's supported to just delete the vault from the file system, or if it'll leave the user's credential vault in a broken state. Also have a look at vaultcmd /deletecreds:

vaultcmd /deletecreds:"Web Credentials" /credtype:{3CCD5499-87A8-4B10-A215-608888DD3B55} /identity:TestCred /resource:Server /sid:<package sid>

For whatever reason, the feature set was reduced in Windows 8 and onwards. On Windows 7, you could load and unload external vault files. But they took that ability away in current versions of Windows.

Here's an article that alludes to some of the credential vault API functions that could get you started on something that could load the vault, delete the creds from it, then unload the vault, since just deleting the files off the disk seems kind of crude. But maybe that's the answer.

Other places to look:

C:\Users\<user>\AppData\Roaming\Microsoft\Credentials
C:\Users\<user>\AppData\Local\Microsoft\Credentials

There are files in there too, but I'm not really sure how they relate to the vault location described above. Just going to have to test it out for yourself.
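
As a way to do that testing, the following added example (not part of the original answer) lists what is in the two Credentials directories named above for one profile, so the contents can be compared before and after a change such as vaultcmd /deletecreds. It only reads. The function name Get-StoredCredentialFile and the account name jdoe are hypothetical, and it assumes you have read access to the profile directory, locally or through an administrative share.

```powershell
# Added example: inventory only, nothing is modified or deleted.
function Get-StoredCredentialFile {
    [CmdletBinding()]
    param(
        # Root of the user's profile (hypothetical examples:
        # C:\Users\jdoe, or \\PC01\C$\Users\jdoe for a remote machine).
        [Parameter(Mandatory)]
        [string]$ProfilePath
    )

    # The two locations named in the answer, relative to the profile root.
    $relativePaths = @(
        'AppData\Roaming\Microsoft\Credentials',
        'AppData\Local\Microsoft\Credentials'
    )

    foreach ($rel in $relativePaths) {
        $dir = Join-Path -Path $ProfilePath -ChildPath $rel

        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Verbose "Not present: $dir"
            continue
        }

        # -Force includes Hidden/System items, which a plain listing would skip.
        Get-ChildItem -LiteralPath $dir -File -Force |
            Select-Object @{ Name = 'Location'; Expression = { $rel } },
                          Name, Length, LastWriteTime, Attributes
    }
}

# Constructed usage; 'jdoe' is a placeholder account name.
Get-StoredCredentialFile -ProfilePath 'C:\Users\jdoe' -Verbose |
    Format-Table -AutoSize
```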