grjitdept asked:

How to delete cached XP login credential

Hi,
I'm trying to find out if there is any way to delete the domain account login credentials that Windows XP caches. I understand that the default is up to 10 previous login account details are cached.

I don't want to turn off caching, and know that this can be done using Group Policy.

However we have a lot of laptops that have in the past been logged onto with the Domain Administrator account, and in the interests of security, I'd like to remove the Domain Administrator account details from the cache of our laptops. We only have a few so this can be a manual process if required...

My question is therefore how to do this:
- Manually edit registry? How?
- Flush all cached credentials? How?
- Use a utility - any suggestions?

Suggestions welcome!
ASKER CERTIFIED SOLUTION
Brian Pierce
This solution is only available to members.

SOLUTION
This solution is only available to members.
I did make reference to exactly the same solution in my first post r-k, but I don't think that will work, It works for credentials used to connect to shares but since the cached logon credentials are stored in a different location it won't work with them. I think you will have to do as I suggested.
Have you tried simply deleting the DA profile from the Properties of System>Advanced?

Removing profiles this way also cleans out a lot of registry fluff too.

grjitdept (ASKER):
r-k:

I looked in the registry where you suggested but could not see any contents... Would that be because I was logged in as Administrator, not System? If the data is only accessible by the System account, how would I go about logging in as System?
Actually that was KCTS who suggested that (and he is usually right). To see if the problem is that you don't have System level access, you can use the method suggested in this link to login as "System" then run Regedit:

http://www.askstudent.com/hacking/demonstration-of-windows-xp-privilege-escalation-exploit/
Sweet link r-k.......
Yes, I like it too :)

This isn't much of an exploit any more, since these days access to the AT command is restricted to Administrators, but it can be handy when you need access as the "system" user (or more correctly, "Local System"). Also, it is not true that System has more access than Administrator, just to some things. Administrator can do other things that System cannot. Interestingly, on Vista, even Administrators are denied access to the AT command, though I'm sure there is a workaround somewhere.

Yep, that did it - launched Explorer as the System account and there the registry entries were - deleted 1 to 10 (left Control) and Domain Admin could no longer log on if the machine was off the domain. Thanks for your help guys!
A further point for anyone who tries this solution.

Firstly, to view the cache registry entries you need to launch regedit as System.

Log on as an admin, load up a command prompt and type:

at xx:xx /interactive "regedit.exe"

where xx:xx is a time a few minutes in the future. At that time regedit will launch under the System account. You can then go to HKEY_LOCAL_MACHINE\SECURITY\CACHE

To remove the cached credentials, DO NOT delete the values NL$1 through NL$10, as Windows will not cache any credentials at all! Also DO NOT delete the NLControl value. I learnt this the hard way! Instead, simply overwrite the data in NL$1 to NL$10 with zeroes.
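A scripted version of the cleanup described in the post above, added here as an example and not part of the thread. It assumes it is run from a PowerShell session under the Local System account (obtained the same way the post obtains one for regedit); it reports which of NL$1 to NL$10 hold data and, only when run with -Zero, overwrites those values with zeroes of the same length instead of deleting them. NLControl is never touched.

```powershell
# Added example (not from the thread): audit, and optionally zero, the cached-logon
# slots NL$1..NL$10 under HKLM\SECURITY\Cache. Per the post above, the values and
# NLControl are never deleted; only the data bytes are overwritten with zeroes.
# Assumption: the session runs as Local System. As Administrator the SECURITY hive
# is not readable and the key appears empty, so the script stops with an error.
param(
    [switch]$Zero   # without -Zero the script only reports; with it, used slots are overwritten
)

$cachePath = 'HKLM:\SECURITY\Cache'
if (-not (Test-Path -LiteralPath $cachePath)) {
    throw "Cannot open $cachePath - run this as Local System, not as Administrator."
}
$key = Get-Item -LiteralPath $cachePath

# A slot is in use if its REG_BINARY data contains any non-zero byte.
function Test-SlotInUse {
    param([byte[]]$Data)
    foreach ($b in $Data) { if ($b -ne 0) { return $true } }
    return $false
}

$inUse = @()
for ($i = 1; $i -le 10; $i++) {
    $name = "NL`$$i"
    $data = $key.GetValue($name, $null)
    if ($null -eq $data) { continue }   # slot absent: leave it alone, never create it
    $used = Test-SlotInUse -Data $data
    $state = if ($used) { 'cached entry present' } else { 'already zeroed' }
    '{0,-6} {1,5} bytes  {2}' -f $name, $data.Length, $state
    if ($used) { $inUse += $name }
}

if ($Zero -and $inUse.Count -gt 0) {
    foreach ($name in $inUse) {
        $len = $key.GetValue($name).Length
        # Keep the value, its type and its length; only the bytes become zero.
        Set-ItemProperty -LiteralPath $cachePath -Name $name -Value (New-Object byte[] $len) -Type Binary
        "Zeroed $name"
    }
}
```

Run it once without -Zero to see which slots are populated, then again with -Zero; a second report run should show every slot as already zeroed.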