Cached Credentials in Windows 7 -> Who do they belong to?
Hello Everyone,
we would like to restrict the number of logons that are being cached on our Windows 7 computers using GPOs. We currently have a setting of four in the policy. The problem is that we are not sure if this is enough, since we have some automatic logons for services
and applications on our computers. I would like to see whose credentials are cached on our boxes to check if our policy will work properly.
I know that the cached credentials are stored in the registry under "Security". I can see four entries there. Is there a way to deduce the usernames for those entries without trying to use any "hacker" tools? I don't want to decipher the actual password
hashes or the like, I just want to know who they belong to. Does anybody know of a way to do this?
Any help would be great!
Regards
HarryH
June 17th, 2012 9:26am
Hi,
most services use local accounts. So there is no limit.
You can easily restart the computer 4 times, and you will see if there is any problem.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
2010 / 2011 / 2012
Microsoft Certified Professional | Connected Home Integrator
| Consumer Sales Specialist
Microsoft Certified IT Professional: Consumer Support Technician on Windows Vista
Microsoft Certified IT Professional: Enterprise Support Technician on Windows Vista
Microsoft Certified IT Professional: Server Administrator on Windows Server 2008
Microsoft Certified Solutions Associate: Windows Server 2008
June 21st, 2012 4:01pm
Hi,
Based on my research, the cache is used by various security principals on the system - not just the users that physically log on to the system with a user account.
You can run Process Monitor and configure a filter to include only paths beginning with
HKLM\Security\Cache in the capture and drop everything else (Filter/Drop filtered events) then it will show a SetReg operation each time a cache entry is written to.
In addition, you will get a LsaSrv 45058 event in the System log whenever an older entry has been removed from the LS cache and what account it was for (see:
Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential).
For more detailed information, please refer to
Cached logons and CachedLogonsCount.
Hope this helps.
Jeremy Wu
TechNet Community Support
June 22nd, 2012 5:15am
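An added example (my own, not Jeremy's) that pulls the LsaSrv 45058 events he mentions together with the current CachedLogonsCount limit, so you can see which accounts have been evicted from the cache without touching the hashes. It assumes the evicted account is the first event property or appears as user@domain in the message text; both are assumptions, so adjust if your events look different.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Windows 7 box.

# 1. Current cache limit (the value the "Interactive logon: Number of previous logons" GPO sets).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$limit = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $limit) { "CachedLogonsCount is not set (OS default applies)" } else { "CachedLogonsCount is $limit" }

# 2. LsaSrv 45058: logged when the oldest cached logon entry is removed to make room for a new one.
$filter = @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 45058 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No 45058 events found: the cache has not overflowed since the System log was last cleared."
    return
}

$events |
    Sort-Object TimeCreated -Descending |
    ForEach-Object {
        # Assumption: the evicted account is Properties[0]; fall back to a user@domain match in the message.
        $account = if ($_.Properties.Count -gt 0) { $_.Properties[0].Value } else { $null }
        if (-not $account -and $_.Message -match '(\S+@\S+)') { $account = $Matches[1] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $account
            Message = ($_.Message -replace '\s+', ' ')
        }
    } |
    Format-Table -AutoSize -Wrap
```

If accounts show up here that you expected to stay cached (a service or scheduled-task identity, for example), the policy value of four is too low for that machine.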
Hello Jeremy,
I will check for the events. That sounds promising!
Thanks & Regards
Harald
June 22nd, 2012 5:34am