In our environment there were a lot of user lockouts, and since saved credentials were the culprit in many cases, we needed something to clear all the user/password combos out of Windows Credential Manager in a more automated way. Here’s what we did:
Some research turned up a built-in Windows command-line tool, cmdkey.exe, that does most of what we need.
We can list all the currently stored credentials with: CMDKEY /list
We can delete stored credentials with: CMDKEY /delete:targetname, but it seems to handle only one target at a time.
Here’s the core command script built around CMDKEY.
@Echo off & CLS
SetLocal EnableExtensions

:Main
rem Start clean, then save every "Target:" line from cmdkey /list to a temp file.
if exist "%temp%\targets.txt" del /F /Q "%temp%\targets.txt"
for /f "delims=;" %%a in ('cmdkey /list ^|find /i "Target: "') do >>"%temp%\targets.txt" echo %%a

if exist "%temp%\targets.txt" (
    powershell -Command "(gc '%temp%\targets.txt').replace(' Target: ', '') | sc -encoding ASCII '%temp%\targets.txt'"
    for /f "usebackq delims=;" %%a in ("%temp%\targets.txt") do cmdkey /delete:"%%a"
    if exist "%temp%\targets.txt" del /F /Q "%temp%\targets.txt"
)
Goto :END

:END
EndLocal & Goto :EOF
Let’s review the more pertinent lines:
Line 7 takes the output of CMDKEY, specifically the lines with “Target:” in them, and places those lines into a temporary text file (targets.txt).
Line 10 spawns a PowerShell instance to perform a find/replace on targets.txt (clearing all occurrences of Target: ) and resaves it.
Line 11 parses targets.txt and deletes the stored credentials based on the contents.
Line 12 deletes targets.txt.
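The same list-then-delete loop in PowerShell alone, as an added example that is not part of the original script: it skips the temp file, supports a -WhatIf dry run, and re-lists the store afterwards to confirm each deletion. The function names are hypothetical, and the parser assumes cmdkey prints "Target: <name>" lines, as the batch script does.

```powershell
# Added example, not the original author's code. Function names are hypothetical.
# Assumes cmdkey /list prints one "Target: <name>" line per stored credential,
# the same assumption the batch script makes with find /i "Target: ".

function Get-StoredCredentialTarget {
    param(
        # Defaults to the live cmdkey output; pass captured lines to test the parser.
        [string[]]$CmdkeyOutput = (cmdkey.exe /list)
    )
    foreach ($line in $CmdkeyOutput) {
        # Capture everything after "Target:" and drop surrounding whitespace.
        if ($line -match '^\s*Target:\s*(?<name>.+?)\s*$') {
            $Matches['name']
        }
    }
}

function Clear-StoredCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optional wildcard filter on the target name; '*' clears everything.
        [string]$Like = '*'
    )

    $targets = @(Get-StoredCredentialTarget | Where-Object { $_ -like $Like })
    $attempted = @()

    foreach ($target in $targets) {
        # -WhatIf prints what would be deleted without calling cmdkey.
        if ($PSCmdlet.ShouldProcess($target, 'cmdkey /delete')) {
            $null = cmdkey.exe "/delete:$target"
            $attempted += $target
        }
    }

    # Verify by listing again instead of trusting the tool's console output.
    $remaining = @(Get-StoredCredentialTarget)
    foreach ($target in $attempted) {
        [pscustomobject]@{ Target = $target; Deleted = ($target -notin $remaining) }
    }
}

# Dry run first, then the real thing (run in the affected user's session):
#   Clear-StoredCredential -WhatIf
#   Clear-StoredCredential
```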
Conclusion
The above script is deployable via SCCM/MECM or your deployment tool of choice, but note that it must be run as the user.
Comments and questions are welcome.