cmdkey: what's the difference between generic credential target types?


I re-discovered cmdkey.exe, which I used to use a lot in a Win2K domain environment. I've retired since then, so the domain credential features are probably no longer useful. Still, it seems like Windows 10/OneDrive may give me some similar convenience features, perhaps without the security of Kerberos. I'm trying to remember what the different Types, Targets, and Users listed by cmdkey /list mean.

I bought a new dev machine a few months back, now cmdkey /list shows me a lot of stored credentials (too bad it doesn't show dates on them). Is there documentation that can help me decode the various "Target" strings included?

For example, here are some of the target types (PII redacted) listed:

LegacyGeneric:target=git:https://github.com
LegacyGeneric:target=git:https://<redacted>.visualstudio.com
LegacyGeneric:target=GitHub - https://api.github.com/<redacted>
LegacyGeneric:target=GoPro_Desktop_App
LegacyGeneric:target=GoPro_Entitlement_Credentials
LegacyGeneric:target=https://index.docker.io/v1/
LegacyGeneric:target=MicrosoftAccount:user=<redacted>@hotmail.com
LegacyGeneric:target=MSIX-Skype for Desktop/live:<redacted>
LegacyGeneric:target=OneDrive Cached Credential
LegacyGeneric:target=OneDrive Cached Credential Business - Business1
LegacyGeneric:target=vscodevscode.github-authentication/github.auth
LegacyGeneric:target=WindowsLive:(token):name=<redacted>@hotmail.com;serviceuri=scope=service::user.auth.xboxlive.com::mbi_ssl
LegacyGeneric:target=www.bing.com
WindowsLive:target=virtualapp/didlogical

As I never entered these manually, some apps (e.g. GoPro_Desktop_App) must have. I wonder if these apps have access to credentials created by other apps (e.g. GitHub)?


Solution

  • The cmdkey tool just manages the credentials in the Credential Manager. You can see the UI through control /name Microsoft.CredentialManager if you're so inclined.

    There are a handful of types. LegacyGeneric is just a catch-all for any kind of credential that isn't Windows-Integrated-Auth-specific, meaning Windows can't do anything special with it. This is in contrast to CRED_TYPE_DOMAIN_* credentials where Windows knows they're special and can do special things like use them for Kerberos, or protect them with Credential Guard. All of the types are documented. For completeness, there's actually also a third type that is sort of the logical successor to credman, which is the PasswordVault APIs. It uses the same functions under the covers, but is separated from Win32 APIs.

    Target indicates what the credential is intended to be used for or by. In the generic case it's an arbitrary value. In the domain case it's a service identifier that matches a hostname or realm to say that 'when connecting to this service you can use this cred'.

    As such, it's impossible to say what each target represents. Most of them are fairly obvious in name.

    CRED_TYPE_GENERIC = 1 (0x1)

    The credential is a generic credential. The credential will not be used by any particular authentication package. The credential will be stored securely but has no other significant characteristics.

    CRED_TYPE_DOMAIN_PASSWORD = 2 (0x2)

    The credential is a password credential and is specific to Microsoft's authentication packages. The NTLM, Kerberos, and Negotiate authentication packages will automatically use this credential when connecting to the named target.

    CRED_TYPE_DOMAIN_CERTIFICATE = 3 (0x3)

    The credential is a certificate credential and is specific to Microsoft's authentication packages. The Kerberos, Negotiate, and Schannel authentication packages automatically use this credential when connecting to the named target.

    CRED_TYPE_DOMAIN_VISIBLE_PASSWORD = 4 (0x4)

    This value is no longer supported. Windows Server 2003 and Windows XP: The credential is a password credential and is specific to authentication packages from Microsoft. The Passport authentication package will automatically use this credential when connecting to the named target.

    Additional values will be defined in the future. Applications should be written to allow for credential types they do not understand.

    CRED_TYPE_GENERIC_CERTIFICATE = 5 (0x5)

    The credential is a certificate credential that is a generic authentication package. Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported.

    CRED_TYPE_DOMAIN_EXTENDED = 6 (0x6)

    The credential is supported by extended Negotiate packages. Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported.
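As an added illustration (not part of the answer above), the following Python turns `cmdkey /list` output into records split by namespace, so the LegacyGeneric catch-all entries can be reviewed separately from the Domain ones Windows treats specially. The listing is constructed from the target strings quoted in the question, with placeholder users and hosts, and the parser assumes cmdkey's usual Target/Type/User lines with a "Local machine persistence" marker.

```python
import re
from collections import Counter

# Constructed sample of `cmdkey /list` output, modelled on the question's
# target strings; the users and hosts are placeholders, not real data.
SAMPLE_LISTING = r"""Currently stored credentials:

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: PersonalAccessToken
    Local machine persistence

    Target: LegacyGeneric:target=https://index.docker.io/v1/
    Type: Generic
    User: dockeruser
    Local machine persistence

    Target: Domain:target=fileserver.example.test
    Type: Domain Password
    User: EXAMPLE\alice
    Local machine persistence
"""

def parse_cmdkey_list(text):
    """One dict per stored credential in `cmdkey /list` output."""
    creds = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^\s*(Target|Type|User):\s*(.*)$", block, re.M))
        if "Target" not in fields:
            continue  # the "Currently stored credentials:" header, no credential
        # Target reads "<namespace>:<kind>=<value>". LegacyGeneric/WindowsLive are
        # the opaque catch-all; Domain entries are the ones Windows can use itself.
        m = re.match(r"(\w+):\w+=(.*)", fields["Target"])
        namespace, value = m.groups() if m else (fields["Target"], "")
        creds.append({"namespace": namespace, "target": value,
                      "type": fields.get("Type", ""), "user": fields.get("User", ""),
                      "local_machine": "Local machine persistence" in block})
    return creds

def host_of(target):
    """Hostname embedded in a generic target, or None for app-private labels."""
    m = re.search(r"https?://([^/\s]+)", target)
    return m.group(1) if m else None

def summarize(creds):
    """Count entries per Type; Generic ones are the set to review app by app."""
    return Counter(c["type"] for c in creds)

if __name__ == "__main__":
    print(summarize(parse_cmdkey_list(SAMPLE_LISTING)))
```

On a real machine, feed it the captured output of `cmdkey /list` instead of the constructed sample.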