childebrandt42

Worthless info……………Oh blinky lights!

Unlocking Secrets: A Guide to Windows Credential Manager in PowerShell


This is a redux of a previous post, which has been archived, as I felt I could do the topic more justice.

Over the years I have dealt with credentials in scripts in a ton of different ways. The simplest is to call Get-Credential and enter the credentials every time the script runs, which is great for a one-off script but not for scheduled tasks. In the past I had been using Import-Clixml to import creds saved to a txt file. This works well, but now you have to deal with actual txt files. Using text files for password storage gave me two problems: either I deleted the files while doing something else, or I created the files without realizing which account I created them under, so I might not have the rights to decrypt them. A few years ago, while reading about something else, I ran across an article in which someone mentioned saving credentials to the Windows Credential Manager. After some research and digging I found this gem of a PowerShell module. The CredentialManager module is easy to use and simple, with only 4 commands.

Get-StoredCredential
Get-StrongPassword
New-StoredCredential
Remove-StoredCredential

With these 4 commands you can save credentials to Credential Manager and retrieve them from it. This has been a huge win for me: no more dealing with cred files, trying to remember which account created the txt file, and fighting that mess. Now we can just pull directly from Windows Credential Manager.

Installing Credential Manager PowerShell Module

Install-Module -Name CredentialManager
Import-Module -Name CredentialManager

When you run the install command, it will prompt you because you are installing from an untrusted repo; just enter “Y” for yes, or “A” for all. It should look like below:

Creating Stored Credentials

Creating stored credentials is a pretty simple process. Let’s dive into the parameters we have for creating credentials.

  • Comment – This is only needed if you want to add a specific comment; by default the command adds a comment for you when you run it.
  • Password and Username – I don’t typically use these, as I would rather do it a different way and use the Credentials parameter.
  • Credentials – Gives you the ability to import already captured creds, or to use $(Get-Credential) instead to prompt you for the creds needed.
  • Target – Is what you want to save the credentials as; in Credential Manager it’s listed as “Internet or Network Address”. It is pretty much the name of the creds you want to save.
  • Type – These are the credential types from Credential Manager; you can use one of the following for type: GENERIC, DOMAIN_PASSWORD, DOMAIN_CERTIFICATE, DOMAIN_VISIBLE_PASSWORD, GENERIC_CERTIFICATE, DOMAIN_EXTENDED, MAXIMUM, MAXIMUM_EX
  • Persist – This is the parameter I always seem to forget about, then I reboot and wonder where my creds are. There are 3 options for this: SESSION, LOCAL_MACHINE, ENTERPRISE. By default all new credentials are created as SESSION, which is the reason they don’t persist after a reboot.
    • Session – is the current Windows session and is the default option.
    • Local_Machine – will persist past reboots and stay on the machine for the life of the machine.
    • Enterprise – is used for everyone that uses this machine, allowing service accounts or other users to pull from Credential Manager. I don’t typically use this one, as I only want the intended user to use the credentials.

Let’s create a new credential called “TestCreds”. Below is the code to create a credential that persists to the local machine, so that after a reboot the credential is still there.

New-StoredCredential -Credentials $(Get-Credential) -Target 'TestCreds' -Type Generic -Persist LocalMachine

When you run the command, it shows the credential info in the PowerShell window, like below:

As you can see above, it shows all the data you put in, including the password. So be warned: clear the screen afterwards or close the window.
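One way to keep the password off the screen in the first place, as an added example that is not part of the original post. It uses only commands the post covers; the variable names and the message text are constructed for illustration.

```powershell
# Added example, not from the original post. 'TestCreds' is the post's sample target.
Import-Module -Name CredentialManager

$target = 'TestCreds'

# Prompt once; the password stays a SecureString inside the PSCredential.
$cred = Get-Credential -Message "Credential to store as '$target'"

# New-StoredCredential returns the saved entry, password included. Assigning the
# result to $null keeps it out of the console, the scrollback and any transcript
# started with Start-Transcript.
$null = New-StoredCredential -Credentials $cred -Target $target -Type Generic -Persist LocalMachine

# Confirm the entry by reading it back. Without -AsCredentialObject the result
# is a PSCredential, so the password is not rendered as plain text.
$stored = Get-StoredCredential -Target $target
if ($null -eq $stored) {
    throw "Credential '$target' was not saved as expected."
}
"Stored '$target' for user $($stored.UserName)."
```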

Below you can see the creds in the Credential Manager window.

Using the stored Credentials

Get-StoredCredential has a few parameters you can use, but only one is required. They are the same as before, plus one new one.

  • Target – Is the name the credentials were saved as; in Credential Manager it’s listed as “Internet or Network Address”.
  • Type – These are the credential types from Credential Manager; you can use one of the following for type: GENERIC, DOMAIN_PASSWORD, DOMAIN_CERTIFICATE, DOMAIN_VISIBLE_PASSWORD, GENERIC_CERTIFICATE, DOMAIN_EXTENDED, MAXIMUM, MAXIMUM_EX
  • AsCredentialObject – Shows the object info from Credential Manager.

Get-StoredCredential -Target 'TestCreds'

This will show the output below, which contains only limited information.

If you want the same information you saw when you created the creds, you can run the following command:

Get-StoredCredential -Target 'TestCreds' -AsCredentialObject

This will give you data like below:

If you store the result in a variable, you can use that variable for your credentials as you normally would.

$TestCreds = Get-StoredCredential -Target 'TestCreds'
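For scheduled tasks, the failure worth handling is the credential not being there at run time, for example because it was created with Session persistence or under a different account (Credential Manager entries are per user). The following is an added example, not code from the original post or the module; Get-RequiredStoredCredential is a hypothetical helper name and the server name is a constructed placeholder.

```powershell
# Added example, not from the original post.
Import-Module -Name CredentialManager

function Get-RequiredStoredCredential {
    [CmdletBinding()]
    [OutputType([pscredential])]
    param(
        [Parameter(Mandatory)]
        [string]$Target
    )

    # The account the script is really running as (matters for scheduled tasks).
    $whoAmI = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    try {
        # Assumption: a missing target produces either no output or an error,
        # depending on the module version. Both cases are handled here.
        $found = @(Get-StoredCredential -Target $Target -ErrorAction Stop |
                Where-Object { $null -ne $_ })
    }
    catch {
        throw "Reading stored credential '$Target' as $whoAmI failed: $($_.Exception.Message)"
    }

    if ($found.Count -eq 0) {
        throw ("No stored credential '$Target' for $whoAmI on $env:COMPUTERNAME. " +
            "Check that it was created under this account and with -Persist LocalMachine.")
    }
    if ($found.Count -gt 1) {
        throw "More than one credential matches '$Target'; narrow the lookup with -Type."
    }
    return $found[0]
}

$TestCreds = Get-RequiredStoredCredential -Target 'TestCreds'

# The PSCredential goes straight into any -Credential parameter.
# 'server01.example.test' is a constructed host name.
Invoke-Command -ComputerName 'server01.example.test' -Credential $TestCreds -ScriptBlock { hostname }
```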

Removing Stored Credentials

Cleaning up old credentials is always great housekeeping. Remove-StoredCredential has a few parameters you can use, but only one is required. Target is the only required one, but if you have multiple credentials with the same “Target” name, I would suggest using the “Type” parameter to get the correct one.

  • Target – Is the name the credentials were saved as; in Credential Manager it’s listed as “Internet or Network Address”.
  • Type – These are the credential types from Credential Manager; you can use one of the following for type: GENERIC, DOMAIN_PASSWORD, DOMAIN_CERTIFICATE, DOMAIN_VISIBLE_PASSWORD, GENERIC_CERTIFICATE, DOMAIN_EXTENDED, MAXIMUM, MAXIMUM_EX

Remove-StoredCredential -Target 'TestCreds'

Using Strong Passwords

Get-StrongPassword is a great way to create strong passwords. It does require a few parameters.

  • Length – Is the length of the password you want to create.
  • NumberOfSpecialCharacters – Is how many special characters you want to include in the password you want to create.

Get-StrongPassword -Length 20 -NumberOfSpecialCharacters 15

The command will get you a password that is 20 characters long with 15 special characters. Pretty simple way to generate passwords if you’re in PowerShell all day anyways.

Combining some of the Commands to Create New Stored Credential

If you are looking to create a credential and also create a new password to use in this credential, you can run the following code:

New-StoredCredential -UserName 'Testing2' -Password $(Get-StrongPassword -Length 20 -NumberOfSpecialCharacters 4) -Target 'TestCreds' -Type Generic -Persist LocalMachine

The output will look something like the below:

Conclusion:

This simple PowerShell module has saved me a ton of time, and solved some self-inflicted problems that I created by using txt files or saving creds in code. Keep in mind that this method uses Windows Credential Manager to save your credentials and is not portable from system to system.


About the author

Hi! My name is Chris Hildebrandt. I’m an EUC consultant by day and an automation junkie at night. I have worked my way from being a small customer to an enterprise-side customer, with a recent transition into consulting. I enjoy everything EUC focused, and even more so how to automate it. I like to find ways to make my job and yours easier with automation.