July 20, 2008 01:47am pdt

1. KCTS 697,138
2. LauraEHu... 436,244
3. Chris-Dent 272,390
4. tigermatt 269,727
5. Jay_Jay70 204,564
6. oBdA 193,545
7. toniur 135,882
8. henjoh09 124,881
9. martin_b... 120,001
10. ChiefIT 112,732
11. Netman66 104,050
12. ryansoto 100,434
13. RobSampson 95,070
14. Sembee 91,144
15. mattee76 90,780

1. KCTS 1,470,211
2. LauraEHu... 1,090,229
3. Jay_Jay70 569,387
4. Chris-Dent 494,988
5. oBdA 457,999
6. toniur 447,020
7. Sembee 386,223
8. tigermatt 364,658
9. Netman66 341,908
10. leew 234,028
11. Pber 185,760
12. TechSoEasy 185,330
13. kamalgopi 183,846
14. aissim 165,710
15. ChiefIT 157,782

05.27.2007 at 09:11AM PDT, ID: 22597159

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.0

How to delete cached XP login credential

Zones: Active Directory, Windows Network Security Questions, PC Laptops

Tags: cached, credentials, xp, delete

Hi,
I'm trying to find out if there is any way to delete the domain account login credentials that Windows XP caches. I understand that the default is up to 10 previous login account details are cached.

I don't want to turn off caching, and know that this can be done using Group Policy.

However we have a lot of laptops that have in the past been logged onto with the Domain Administrator account, and in the interests of security, I'd like to remove the Domain Administrator account details from the cache of our laptops. We only have a few so this can be a manual process if required...

My question is therefore how to do this:
- Manually edit registry? How?
- Flush all cached credentials? How?
- Use a utility - any suggestions?

Suggestions welcome!

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: grjitdept

Solution Provided By: KCTS

Participating Experts: 4

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

05.27.2007 at 09:29AM PDT, ID: 19164635

Rank: Genius

KCTS:

The Start>Run>control userpasswords2>Advanced>Manage Passwords optiion can be used to delete locally cached credentials but it won'r clear the domain cached credentials. These are stored as hashes in the local systems registry at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10 and you can delete these id tou want. Note (Unless you change the security you require SYSTEM level privileges to access)

Accepted Solution

05.27.2007 at 10:57AM PDT, ID: 19164867

Rank: Wizard

r-k:

Hmm... I don't have a way to test this right now, but this earlier thread:

http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_22099337.html

implies that the suggestion by KCTS should work.

A quicker way to reach the same place:

Start -> Run -> rundll32.exe keymgr.dll, KRShowKeyMgr -> OK

Assisted Solution

05.27.2007 at 11:56AM PDT, ID: 19165001

Rank: Genius

KCTS:

I did make reference to exactly the same solution in my first post r-k, but I don't think that will work, It works for credentials used to connect to shares but since the cached logon credentials are stored in a different location it won't work with them. I think you will have to do as I suggested.

05.28.2007 at 05:40AM PDT, ID: 19167100

Rank: Wizard

Netman66:

Have you tried simply deleting the DA profile from the Properties of System>Advanced?

Removing profiles this way also cleans out a lot of registry fluff too.

05.29.2007 at 01:56AM PDT, ID: 19170829

grjitdept:

r-k:

I looked in the registry where you suggested but could not see any contents... WOUld that be because I was logged in as administrator not system? If the data is only accessible by the system account how would I go about logging in as system?

05.29.2007 at 12:04PM PDT, ID: 19174626

Rank: Wizard

r-k:

Actually that was KCTS who suggested that (and he is usually right). To see if the problem is that you don't have System level access, you can use the method suggested in this link to login as "System" then run Regedit:

http://www.askstudent.com/hacking/demonstration-of-windows-xp-privilege-escalation-exploit/

05.30.2007 at 03:34PM PDT, ID: 19184081

Rank: Master

johnb6767:

Sweet link r-k.......

05.30.2007 at 04:12PM PDT, ID: 19184322

Rank: Wizard

r-k:

Yes, I like it too :)

This isn't much of an exploit any more, since these days access to the AT command is restricted to Administrators, but it can be handy when you need access as the "system" user (or more correctly, "Local System"). Also, it is not true that System has more access than Administrator, just to some things. Administrator can do other things that System cannot. Interestingly, on Vista, even Administrators are denied access to the AT command, though I'm sure there is a workaround somewhere.

05.31.2007 at 01:09AM PDT, ID: 19186216

grjitdept:

Yep that did it - launched explorer as System account and there the registry entires were - deleted 1 to 10 (left control) and Domain Admin could no longer log on if machine was off domain. Thanks for your help guys!

06.01.2007 at 01:28PM PDT, ID: 19197877

grjitdept:

A further point for anyone who tries this solution.

Firstly to view the cache registry entries, you need to launch regedit as system.

Log on as an admin, load up a command prompt and type:

at xx:xx /interactive "regedit.exe"

where xx:xx is a time a few minutes in the future. at that time regedit will launch under the system account. you can then go to HKEY_LOCAL_MACHINE\SECURITY\CACHE

To remove the cached credentials DO NOT delete the values NL$1 through NL$10 as Windows will not cache any credentials at all! Also DO NOT delete the NLControl value. I learnt this the hard way! Instead simply overwrite the data in NL$1 to 10 with zeroes.

20080236-EE-VQP-29