How to DELETE Windows Local & Domain Cached Credentials

Hallo!

I guess almost every Windows administrator has been stumped by the question "Where does Windows store a user's cached credentials?"
Every user who has once logged on to a server/desktop while it was connected to the domain can still log in even when the domain is not available. We all know that this is possible because Windows is still able to authenticate the user with the help of credentials which are cached in its registry.

To delete locally cached credentials, type either of the following commands in the 'Run' prompt:

control userpasswords2
rundll32.exe keymgr.dll,KRShowKeyMgr

Not many of us will have come across the interfaces launched by these commands. Browse to Advanced > Manage Passwords and you'll see all the credentials which are locally cached. You can add or delete them; bear in mind that you need to run the command as an Administrator.

Now, coming to an interesting part which I recently came across: where do we look for user credentials cached at the domain level?
If you launch the Windows registry editor with SYSTEM-level privilege and browse to "HKEY_LOCAL_MACHINE\SECURITY\CACHE", you will find a total of 10 entries, from NL$1 to NL$10. These binary entries contain users' cached credentials at the domain level.
By default Windows allows a total of 10 credentials to be cached, and if all 10 entries are full, any new credential to be cached will overwrite the Value Data in the oldest NL$ entry.
Also, to know how many free entries are left, simply count the number of entries whose binary value data is full of '0'.
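The free-entry count described above can also be done offline against a regedit export of the key. This is an added example, not part of the original article: the export text, including its NL$Control value and every byte in it, is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a regedit export of HKEY_LOCAL_MACHINE\SECURITY\CACHE.
# All byte values are made up and far shorter than real entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SECURITY\Cache]
"NL$Control"=hex:04,00,01,00,0a,00,00,00
"NL$1"=hex:1c,00,0e,00,00,00,00,00,a1,b2,c3,d4,e5,f6,07,18,\
  29,3a,4b,5c,6d,7e,8f,90
"NL$2"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00
"NL$3"=hex:00,00,00,00,00,00,00,00
'''

# Only NL$<number> values are cache slots; other values in the key are skipped.
SLOT_RE = re.compile(r'^"(NL\$\d+)"=hex:(.*)$')

def parse_cache_slots(export_text):
    """Return {slot name: bytes} for every NL$<n> value in the export text."""
    # regedit wraps long hex data with a trailing backslash; rejoin those lines.
    joined = re.sub(r'\\\r?\n\s*', '', export_text)
    slots = {}
    for line in joined.splitlines():
        match = SLOT_RE.match(line.strip())
        if match:
            pairs = [p for p in match.group(2).split(',') if p.strip()]
            slots[match.group(1)] = bytes(int(p, 16) for p in pairs)
    return slots

def summarize(slots):
    """Split slots into (used, free); a slot is free when every byte is zero."""
    names = sorted(slots, key=lambda n: int(n[3:]))  # numeric order, NL$10 last
    used = [n for n in names if any(slots[n])]
    free = [n for n in names if not any(slots[n])]
    return used, free

if __name__ == "__main__":
    used, free = summarize(parse_cache_slots(SAMPLE_EXPORT))
    print(f"used slots: {used}")
    print(f"free slots: {free}")
```

A .reg file saved by regedit is UTF-16, so read a real export with open(path, encoding="utf-16") before passing its text to parse_cache_slots.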

For those who wish to know how to gracefully clear the domain cached credentials: this cannot be achieved by deleting these entries.
If you delete the NL$ entries, Windows will never cache any user's credentials in the future.
Instead, edit the "Value Data" in each NL$ entry and replace the data with '0' (ZERO). This will clear all the existing cached credentials.

A key thing to note here:
The Windows registry editor cannot be launched with SYSTEM-level privilege by simply executing REGEDIT.EXE from the Run prompt. You will need to launch it as follows:

at xx:xx /interactive "regedit.exe"

Where xx:xx is a time in the FUTURE at which you want the registry editor to launch. For example, if the system time on your server/desktop shows 23:50, you could type:
at 23:51 /interactive "regedit.exe"
This would launch the registry editor with SYSTEM-level privilege when your server/desktop clock reaches 23:51.

Again, this will only succeed if you are logged on to the system as an Administrator.
This works with Windows XP/2000/2003 and may also work with 2008 but I have not tried it there.

Needless to say, if you mess up your system's registry, it could cost you a fortune. Hence always back up your registry before you start playing with it.

Hope this was useful.

#wyn
Author:ashwynr
4 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
For those interested in preventing Windows from storing credentials in general, run the following from the command line.

reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableDomainCreds /t REG_DWORD /d 1 /f


0
 

Expert Comment

by:harryoneill
On Server 2008, try using "schtasks.exe" - this will schedule the task.
0
 
LVL 12

Expert Comment

by:zalazar
On Windows 7, 2008 and higher
Download PsExec
https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

From a Command Prompt (cmd.exe) with Administrative permissions
psexec -s -i c:\windows\regedit.exe



From a RDP session it might be necessary to specify your session ID
qwinsta
psexec -s -i <session id> c:\windows\regedit.exe


0
 

Expert Comment

by:John Alex
The most important step while getting rid of the Windows 10 cache is cleaning of temp files. Just press Windows key + R, enter %temp% in the Run command box, hit Enter, and delete all the files in the folder. Similarly, enter temp in the Run box, hit Enter, go to the folder and delete all the files there.
0
