
Script to Clear Credman

With my customer-facing role, there are a lot of demonstrations to enterprise customers. Manually reverting machines back to the initial starting point for the next demo can be time consuming and error prone.

One example of this is clearing out the contents of Windows Credential Manager. There is no option to do a block select to delete multiple entries at once. Worse still is that Modern Authentication will create multiple entries inside Credential Manager. An example is shown below for a Windows 7 test machine. The same premise applies to Windows 10.

Credential Manager - Multiple Entries Created by Modern Authentication

In order to remove the entry, the Remove From Vault option must be clicked.  This is per entry which is a lot of overhead.

Credential Manager - Remove From Vault

Thankfully, there are some options...

CmdKey To the Rescue

Windows has the cmdkey.exe utility which can be used to manage the contents of Credential Manager.

While we will look at the deletion option in this post, the documentation can be consulted for all of the other available options.

cmdkey.exe /delete will remove the specified credential

Cmdkey Syntax

 

Cmdkey Command

The base cmdkey commands can be automated using some old skool batch commands.

FOR can be used to loop through the credentials and then pass them to the delete command.

The below is a sample command which can be executed in a cmd prompt.

For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr Target') do  cmdkey /delete %H

 

 

Cmdkey Batch File Automation

Now that we have a tool which can be used to manipulate the saved credentials, it can be easily automated.

The below is a sample command which can be executed in a batch file.

Note that the syntax is changed slightly from the previous command.

For /F "tokens=1,2 delims= " %%G in ('cmdkey /list ^| findstr Target') do  cmdkey /delete %%H

 

 

Command Explanation

In case you are wondering about the pipe to findstr, this is due to the output returned by cmdkey.  There are multiple lines per credential, and we want to select the correct line for manipulation.

Cmdkey /List - Note the Multiple Output Lines per Credential

 

I'll let you figure out the % and %% differences.  Those who wrote batch files in the last century should remember the difference…..

The same can be said for the circumflex character.
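
A PowerShell variant of the same loop, added here as an example and not part of the original post: it matches only lines that begin with Target:, keeps the whole target name so entries containing spaces reach cmdkey /delete intact, and supports -WhatIf as a dry run. The function names are hypothetical, and English cmdkey output is assumed.

```powershell
# Added example; Get-CmdKeyTarget and Remove-CmdKeyTarget are hypothetical names.
# Assumes English cmdkey output, where each entry has a line starting "Target:".

function Get-CmdKeyTarget {
    # Return the full target name from each "Target:" line, spaces included.
    param([string[]]$ListOutput)
    foreach ($line in $ListOutput) {
        # Anchored at line start, so "Target" inside a User: value is ignored
        if ($line -match '^\s*Target:\s+(?<name>.+?)\s*$') {
            $Matches['name']
        }
    }
}

function Remove-CmdKeyTarget {
    # Delete the entries whose target name matches -Filter (wildcards allowed).
    # Run with -WhatIf first to list what would be removed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Filter = '*')

    $targets = Get-CmdKeyTarget -ListOutput (cmdkey.exe /list) |
        Where-Object { $_ -like $Filter }
    foreach ($target in $targets) {
        if ($PSCmdlet.ShouldProcess($target, 'cmdkey /delete')) {
            # Passed as one argument, so a name containing spaces stays intact
            cmdkey.exe "/delete:$target"
        }
    }
}

# Constructed sample of cmdkey /list output, used to check the parsing offline
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: LegacyGeneric:target=Example App - Profile 1',
    '    Type: Generic',
    '    User: Target-user@example.test',
    '    Local machine persistence'
)
Get-CmdKeyTarget -ListOutput $sample

# Dry run against the real vault of the current user:
# Remove-CmdKeyTarget -Filter '*Example App*' -WhatIf
```

Because the filter is applied to the parsed target name rather than to every output line, a match in a User: or Type: line never selects an entry for deletion.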

 

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

15 Comments

  1. Thanks, this works great. Ensure you replace the curly quotes with straight. I see a lot of lockouts due to credentials in these locations, which need to be deleted.
    %appdata%\Microsoft\Credentials
    %appdata%\Microsoft\Protect
    %localappdata%\Microsoft\Credentials
    %localappdata%\Microsoft\Vault

  2. Thanks for the note Ed - that is yet another TechNet migration issue that is lingering. That and the removal of \ in file system paths has been a problem.

    I'll re-do the plugin to correct the smart quotes.

    Cheers,
    Rhoderick

  3. This solution no longer works as Adobe have started putting spaces and other trash in the string, which trips up the delimiter. Any suggestions?

  4. Hi,

    How to improve script, so that it also deletes this password?

    ->
    C:\_Install>cmdkey /list

    Currently stored credentials:

    Target: LegacyGeneric:target=OneDrive Cached Credential Business - Business1
    Type: Generic
    User: 94cb99b1-e8d8-416d-94db-d56ab8a96ff6
    Local machine persistence

    Seems, this element cannot be found.
    CMDKEY: Element not found.

  5. I modified the script to this just for deleting the Adobe credentials:

    @echo off
    setlocal enableextensions disabledelayedexpansion
    for /f "delims=" %%a in ('cmdkey /list ^| findstr Adobe') do (
    set "buffer=%%a"
    setlocal enabledelayedexpansion
    (for /f "tokens=1,2 delims=¬" %%b in ("!buffer:Target: =¬!") do (
    endlocal
    cmdkey /delete %%c
    )) || if "!!"=="" endlocal
    )

  6. This is for deleting all credentials:

    @echo off
    setlocal enableextensions disabledelayedexpansion
    for /f "delims=" %%a in ('cmdkey /list ^| findstr Target') do (
    set "buffer=%%a"
    setlocal enabledelayedexpansion
    (for /f "tokens=1,2 delims=¬" %%b in ("!buffer:Target: =¬!") do (
    endlocal
    cmdkey /delete %%c
    )) || if "!!"=="" endlocal
    )

        • Exactly - there was a plugin added to the blog so that it would force quotes etc. to be regular and not "smart" quotes.

          Ironically that was broken as it ended up with smart quotes inside of it during an upgrade...

          Plugin should be fixed now and to force all posts, comments etc. to be normal quotes.
          If not, please let me know!

          Cheers,
          Rhoderick

  7. Guys, good afternoon

    I need help!
    I need to delete all credentials through the credential manager via cmd or powerShell. But it is not working follows a script .. it is just listing the credentials that I have registered but does not delete ...

    @echo off
    cmdkey.exe / list> "% c: \ TEMP% \ List.txt"
    # findstr.exe Target "% c: \ TEMP% \ List.txt"> "% TEMP% \ tokensonly.txt"
    for / F "tokens = 1, * delims ="% G in ('cmdkey / list ^ | findstr) from cmdkey / delete% H
    del "% c: \ TEMP% \ List.txt" / s / f / q
    del "% c: \ TEMP% \ tokensonly.txt" / s / f / q
    echo All done
    pause

  8. Hello,
    I am using this to try and delete a couple saved credentials and it works great but it is also deleting SSO_POP_DEVICE even though my search string has nothing to do with any of the text in that credential. My code is:
    @echo off
    For /F "tokens=1,2 delims= " %%G in ('cmdkey /list ^| findstr /I mail.server.com') do cmdkey /delete %%H
    For /F "tokens=1,2 delims= " %%G in ('cmdkey /list ^| findstr /I domain.local') do cmdkey /delete %%H
    It deletes the 2 that I need, but also the SSO_POP_DEVICE. Any idea why?
    Thanks!

  9. I wonder if I could delete all credentials in all local user-profiles.
    As I see now, I can only delete it for the current user.
