Show

Windows 7: Exploring Credential Manager and Windows Vault

Chakkaradeep Chandran
07 March 2009 - 13:50
38 Comments
Liked this (5)

Last week, our friends Paul Thurrott and Rafael Rivera explored one of the untold mysteries (according to them) of Windows 7 - Windows Vault

I have been using this feature for quite some time since the beta release, even before Paul and Rafael might have discovered it. Let me explain what this Windows Vault is and how to use it. Before that, let us take a minute to read what Microsoft had replied Mary-Jo Foley regarding Windows Vault

"Windows 7 includes a feature called 'credential manager.' This is similar to technology in past versions of Windows in that it stores your frequently used passwords so you can easily access and manage; however, in Windows 7 we've added the ability to back up or restore this information. The default storage vault for the credential manager information is the 'Windows Vault.'"

As Microsoft says, the Windows Vault stores user credentials for servers, wesbites and other programs that Windows can log in the users automatically. At first instance, this might look like now users can store their Facebook credentials, twitter credentials, gmail credentials etc., so that they automatically log in via browsers. But it is not so.

Windows Vault stores credentials that Windows can log in the users automatically, which means that any Windows application that needs credentials to access a resource (server or a website) can make use of this Credential Manager & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.

Unless the applications interact with Credential Manager, I dont think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.

Let us take an application for example: Google Talk

Google Talk does not use (Windows) Credential Manager to store or retrieve user credentials. Below are the steps if Google Talk wants to make use of the (Windows) Credential Manager

1) Google Talk requests the Credential Manager with the resource
2) Credential Manager looks into its default vault for the appropriate credentials(for that resource)
3) If there is any credential associated, the vault returns it to the Credential Manager
4) Credential Manager returns it back to Google Talk
5) Google Talk signs in with the returned credentials

I have seen few Microsoft applications making use of this feature already in Windows 7

  • Windows Live Messenger
  • Microsoft Word 2007
  • Microsoft Outlook 2007
  • Windows Explorer(when accessing network resources)

You have to remember that all these applications are accessing a resource using the Credential Manager, which can be a website or a server. In my case, I accessed my company resource through Microsoft Word which required username and password. When I stored my credentials for my company resource (usually the URL endpoint), Microsoft Word picked it up and prompted me with the username and password boxes filled in with those credentials!

Similarly, I added my network computer and the proper credentials to access it into the vault and Windows Explorer picked it up whenever I connected to that network computer! And similarly, when I accessed other network resources with credentials, Windows Explorer added those to the vault.

Since Windows Vault stores your credentials, you as a user should be able to access your vault and manage all of your credentials.

You can also backup and restore your vault, which is quite handy.

After this, Windows switches to a secure desktop where you could provide a password for your backup. You will be prompted for the password when you restore this vault in the other computer. The backup and restore feature worked really well for me.

Adding Credentials to the Vault

Most of the time its going to be Windows applications that interact with the Credential Manager and not the user. However, if you do want to manage your credentials, you are allowed to do so.

Let us take an example of adding a Windows Credentials. I am going to add credentials to connect to one of my network PC - GALAXY. Initially, the credentials without being in the vault, when I connect to my PC, I get this prompt

Let us add the credentials

Notice that I am writing my PC Name as my resource. After adding the credentials, I can see it in my vault

Here is the prompt I get now whenever I connect to my network PC - GALAXY

It remembers the credentials once I choose the option to remember

I tried adding my company credentials and tested with Microsoft Word 2007 and Microsoft Outlook 2007 and they all worked perfect!

Whats missing?

Well, there is no documentation online by Microsoft mentioning the uses of this credential manager for Windows 7, but given the fact that Windows 7 is still in its beta stage, I couldn't complain. In my opinion, Microsoft will come out with some documentation once Windows 7 RC is released.

I have not tested adding a certificate-based credentials as I don't have any Windows applications that gets authenticated using a certificate. Currently in Windows 7 build 7000, I get this when I choose to add a certificate-based credential

But, in the Windows 7 build 7048, Microsoft has given a clue how this feature will be used. Below is what I get when I choose to add a certificate-based credential in Windows 7 build 7048

Now, thats interesting. Adding a certificate that is used with the smart card. Visit here to know more about enrolling for a smart card certificate. If you have a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus other uses of the smart card cryptography, you can very well test this feature in the Windows 7 build 7048!

What about developers?

Searching MSDN, I found a sample - Credential Management with the .NET Framework 2.0. The sample application interacts with the Credential Manager and allows you to manage your credentials in the default vault. It worked perfectly in Windows 7 build 7000.

The Credential Manager is nothing new for Windows 7 and is present since Windows XP. The documentation is available in MSDN for quite a long time since Windows XP.

May be next time Rafael and Paul should consider digging more into the feature before concluding that its something new to Windows 7 and undocumented by Microsoft. Windows applications, especially Microsoft products, make use of this Credential Manager a lot.

Credential Manager & Windows Vault are nothing new and have just got a new shiny user interface in Windows 7

Comments (38)

  1. SuperKid - 07 March 2009 - 14:17

    Looks good i like how you can backup your passwords and data though, thats awesome.

  2. FaiKee - 07 March 2009 - 14:22

    That's a good one, I always wanted to clean up the damn cookies but then I need to enter logon afresh afterwards lol.

  3. TsarNikky - 07 March 2009 - 14:33

    Perhaps the feature was so well hidden in the past, that for all intents and purposes it did not exist. This situation is happening with increased frequently as Operating Systems and applications get more and more complicated. In essence, if a user can't find (or worse, can't figure out how to use) a feature then it does not exist. That may have been the situation with Messrs. Rafael and Paul.

  4. DOOOMKULTUS - 07 March 2009 - 14:51

    I didn't get it.Dammit

  5. artfuldodga - 07 March 2009 - 16:55

    a good and secure way to manage passwords for websites, the browser i assume wouldn't have to store your information at all? hope developers make use of it

  6. rakeshishere - 07 March 2009 - 17:08

    Excellent 10 thumbs up. because its good to know that Office 2007 using some of features present in Windows 7. Now if only other 3rd programs started using Jumplist and other API and additonal features and give users some real hardcore functionality

  7. DrOmango - 07 March 2009 - 17:45

    sooo, do i include full url or what? like for myspace, facebook, and alot of other websites that require password no matter how many times visited?

  8. +M2Ys4U - 07 March 2009 - 19:45

    Your browser will have to have support for the credentials manager first.

  9. Chris-Gonzales - 08 March 2009 - 08:03

    Any site that requires a log in. Also note it doesnt matter how much you visit the site, you could visit it 50 million times and the log in still wont be saved. its the cookies and stored information that keeps the passwords in check.

  10. McDave - 07 March 2009 - 17:45

    In vista the credential manager can be found under User Accounts if anyone is intrested.

  11. Faisal Islam - 07 March 2009 - 18:06

    great.

  12. Raikou Tch - 07 March 2009 - 18:24

    This looks INCREDIBLY confusing/complicated. Maybe it isn't, but it seems like it takes a lot of work just to have it remember your password.

  13. sibot - 07 March 2009 - 20:37

    I personally think its simpler than how complicated you've made it look like.

  14. nunjabusiness - 07 March 2009 - 20:48

    So you knew about and have been using this feature for "quite some time ... even before Paul and Rafael might have discovered it?" I find it immensely entertaining that you feel the need to claim this, essentially indicating that you are more knowledgeable than two VERY noteworthy and famous Windows experts.

    So, have you blogged or otherwise written publicly about it EVER before this article?

    Didn't think so.

  15. sibot - 07 March 2009 - 21:17

    yeah that comment was totally uncalled for. I'm actually surprised he's claiming something like that.

  16. Chaks - 07 March 2009 - 23:49

    This particular feature has been there since Windows XP and is nothing new for Windows 7. If you see the comments in Rafael's post (linked in the article), there are people who say they have been using this feature.

  17. Marshalus - 08 March 2009 - 00:27

    Just because Thurott or Rafael posted about it, didn't mean they discovered it. I'd seen it in Windows 7 for a while now, but never poked around in it. It's been sitting int he Control Panel of anyone who had Windows 7 installed waiting to be "discovered" ... it's not like they found Atlantis.

  18. Calum - 08 March 2009 - 03:34

    @nunjabusiness -

    What has that got to do with the content of the article? That is just an attack on the way the reporter has written this article.

    There is no need for a comment like that - it does not provide any form of meaningful discussion about said article.

  19. Saarineames - 08 March 2009 - 03:35

    What's the big deal? Chaks starts off letting you know he has experience using this feature, and is going to expound upon it while integrating outside information to the article as well. Yes, maybe the opening sentence could have been worded differently for the overly-critical, but I'm guessing anyone who took offense to that comment stopped reading right there because they found exactly what they were looking for: nitpicking ammo to post in the comments.

  20. nunjabusiness - 08 March 2009 - 12:20

    Thank you sibot for not ENTIRELY missing my point. The author's statement ALSO had nothing whatsoever to do with the topic and added nothing to the article. I spent years as an editor at a newspaper and if a writer had brought that to me I would have struck the first sentence and reprimanded him for grandstanding.

Please Log In or Register to post a comment.