Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 1 down vote favorite

Is there any way to clear cached credentials on Windows, that doesn't require:

  • user interaction (e.g. a confirmation window);
  • administrator access; or
  • making a persistent change to the configuration, such as tampering with the registry?

A function implemented in a DLL is fine, I can write a small utility around it.

Who wins there — accountability or privacy?

share|improve this question
1  
No. The type of action you are seeking to do requires a user profile with administrator priviliages. – Ramhound Oct 9 '12 at 16:25
@Ramhound A DLL can be a system level driver. If it were previously loaded, this is not entirely outside the realm of possible. – Jeff Ferland Oct 9 '12 at 17:50
@JeffFerland The DLL could bypass items #1 and #2 I suppose, but we're still stuck with item #3 regardless. – Iszi Oct 9 '12 at 17:52
1  
@Iszi Perhaps the asker means without user interaction to the registry. Since cached credential keys are stored in the registry, it must be modified. To the asker: is the goal to make a single library call without the programming needing to acquire specialized permissions under the idea the library would already have privileged rights? – Jeff Ferland Oct 9 '12 at 18:05
1  
Question is too vague. The requested action requires some combination of the 3 requirements. The OP needs to clarify. – schroeder Oct 9 '12 at 20:27
show 2 more comments

closed as off topic by Terry Chia, Scott Pack, Iszi, schroeder, Rory Alsop Oct 9 '12 at 18:37

Questions on IT Security Stack Exchange are expected to relate to IT security within the scope defined in the FAQ. Consider editing the question or leaving comments for improvement if you believe the question can be reworded to fit within the scope. Read more about closed questions here.

1 Answer

up vote 1 down vote

The short answer is "no".

Cached credentials are maintained in special Registry keys. These keys are only accessible by the SYSTEM account. In order to impersonate the SYSTEM account, you must have Administrator access to the system.

You might be able to write a script or something that can bypass #1. However, in the absence of any flaw in the OS (which cannot be reliably presumed, since it would likely be patched at some point), you cannot likely avoid #2. And, since the cached credentials are stored in the Registry, #3 is non-optional no matter how you want to do it.

I believe you can get away without using the SYSTEM account, by modifying the configuration options that define how the system handles cached credentials instead of messing with the cache itself. However, this will still violate your #2 & #3 requirements because the options are stored in the Registry and do require Administrator permissions to modify. Additionally, it may require one or two re-logins or reboots to be effective.

Sidenote: This question, as currently written, is perhaps more appropriate for Server Fault or Stack Overflow. Nevertheless, the answer remains the same.

EDIT: For more information about where the cached credentials are stored and how to modify settings which affect them, you may want to check out my related question on ServerFault.

share|improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.