1

I am using the CredRead() and CredWrite() functions from the Windows Credential Manager API to store and retrieve user passwords, as outlined in this StackOverflow answer.

However, I have read that it is possible to disable the Credential Manager by setting a Group Policy, or simply by stopping/disabling the Credential Manager service. In this case, I would like to update my application's UI to reflect that Credential storage is not currently available.

Is there a reliable way to determine programmatically whether or not the Credential Manager has been disabled?

Remy Lebeau
Josh Doebbert
  • 1
    What happens to the API functions when you apply the policy? Do they fail with a specific error? – Anders Mar 30 '18 at 11:39
  • `Cred*` API worked even with the Credential Manager service disabled - independent of it – RbMm Mar 30 '18 at 12:31

2 Answers

3

In Windows there is VaultSvc (friendly name Credentials Service), which supports different vault types. There is a utility, VaultCmd.exe, with which we can enumerate the different credential schemas and loaded vaults. For example:

```
vaultcmd /listschema
Global Schemas

Credential schema: Windows Secure Note
Schema guid: 2F1A6504-0641-44CF-8BB5-3612D865F2E5

Credential schema: Windows Web Password Credential
Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55

Credential schema: Windows Credential Picker Protector
Schema guid: 154E23D0-C644-4E6F-8CE6-5069272F999F

Currently loaded credentials schemas:

Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Credential schema: Windows Web Password Credential
Schema guid: 3CCD5499-87A8-4B10-A215-608888DD3B55

Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29

Credential schema: Windows Domain Certificate Credential
Schema guid: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC

Credential schema: Windows Domain Password Credential
Schema guid: 3E0E35BE-1B77-43E7-B873-AED901B6275B

Credential schema: Windows Extended Credential
Schema guid: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
```

and

```
vaultcmd /list
Currently loaded vaults:
        Vault: Web Credentials
        Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
        Location: C:\Users\*\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

        Vault: Windows Credentials
        Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
        Location: C:\Users\*\AppData\Local\Microsoft\Vault
```

Of course, vaultcmd and most vaults, say Web Credentials (which stores passwords in IE), will work only if VaultSvc is running.

But Windows Credentials (77BC582B-F0A6-4E15-4E80-61736B6F3B29) is a built-in credential, which is always running (inside lsass), even if VaultSvc is not running (disabled). CredRead, CredWrite, CredEnumerate, and the other Cred* APIs will always work. It cannot be disabled.


There is an undocumented Vault* API implemented in vaultcli.dll. All of these APIs are named in the form Vault*. When we call one and VaultSvc is running, vaultsvc.dll is loaded in lsass and handles the remote call:

```
vaultcli!VaultSomeApi -> rpc -> vaultsvc!VltSomeApi
```

For example, when we call VaultEnumerateItems in the client, VltEnumerateItems is called in lsass (vaultsvc.dll). What is called internally inside VltEnumerateItems depends on the concrete vault on which it is called. For the Windows Credentials vault, CredEnumerateW is called inside VltEnumerateItems.

RbMm
-1

The name of the Credentials Service is VaultSvc. You can find how to query the status of any service in this answer and just use the code whilst passing the "VaultSvc" string to the function.

Michael Haephrati
  • 4
    I don't know precisely how lsass.exe manages credentials across Windows versions, with or without VaultSvc (vaultsvc.dll). However, I can say that in Windows 10 a clean boot with this service disabled does not completely disable the Credential Manager API. The remote procedure call is still handled by LSA. For example, I was able to enumerate a user's stored credentials via `CredEnumerate`, which triggered a breakpoint set on `lsasrv!CredrEnumerate` in lsass.exe. Also, I was able to write new credentials via `CredWrite`, which triggered a breakpoint set on `lsasrv!CredrWrite` in lsass.exe. – Eryk Sun Mar 30 '18 at 00:23
  • I understand my answer may be incomplete and I will research further and update it. I find the question very interesting... – Michael Haephrati Mar 30 '18 at 17:01
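
An added example, not code from the question, answers or comments: since the first answer and the comments above report that the `Cred*` API keeps answering from LSA whether or not VaultSvc runs, this C probe calls `CredEnumerateW` itself and maps its documented error codes to a state the UI can act on. The enum, the function names and the off-Windows definitions of the `winerror.h` constants are assumptions made for this example.

```c
/* Added example, not from the thread. Windows build: cl probe.c advapi32.lib */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincred.h>
#else /* winerror.h values, so the classifier also compiles off Windows */
typedef unsigned long DWORD;
#define ERROR_SUCCESS 0UL
#define ERROR_NOT_FOUND 1168UL
#define ERROR_NO_SUCH_LOGON_SESSION 1312UL
#endif

typedef enum { STORE_USABLE, STORE_NO_SESSION, STORE_ERROR } store_state; /* hypothetical names */

/* Classify the result of CredEnumerateW: 0 on success, else GetLastError(). */
store_state classify_cred_error(DWORD err)
{
    switch (err) {
    case ERROR_SUCCESS:
    case ERROR_NOT_FOUND:             /* store reachable, just no entries */
        return STORE_USABLE;
    case ERROR_NO_SUCH_LOGON_SESSION: /* no credential set for this session */
        return STORE_NO_SESSION;
    default:
        return STORE_ERROR;
    }
}
#ifdef _WIN32
/* Ask LSA directly instead of inferring from the VaultSvc service state. */
store_state probe_cred_store(DWORD *err_out)
{
    DWORD count = 0, err = ERROR_SUCCESS;
    PCREDENTIALW *creds = NULL;
    if (CredEnumerateW(NULL, 0, &count, &creds))
        CredFree(creds);              /* contents are not inspected */
    else
        err = GetLastError();
    if (err_out) *err_out = err;
    return classify_cred_error(err);
}

int main(void)
{
    DWORD err = 0;
    store_state s = probe_cred_store(&err);
    printf("Cred* store state=%d (last error %lu)\n", (int)s, (unsigned long)err);
    return s == STORE_USABLE ? 0 : 1;
}
#endif
```

`ERROR_NOT_FOUND` is treated as usable because `CredEnumerate` returns it when no stored credential matches the filter, which is the normal result on a profile with no saved entries.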