Windows 7: Exploring Credential Manager and Windows Vault

Last week, our friends Paul Thurrott and Rafael Rivera explored one of the untold mysteries (according to them) of Windows 7: Windows Vault.

I have been using this feature for quite some time since the beta release, even before Paul and Rafael might have discovered it. Let me explain what Windows Vault is and how to use it. Before that, let us take a minute to read what Microsoft replied to Mary-Jo Foley regarding Windows Vault:

"Windows 7 includes a feature called 'credential manager.' This is similar to technology in past versions of Windows in that it stores your frequently used passwords so you can easily access and manage; however, in Windows 7 we've added the ability to back up or restore this information. The default storage vault for the credential manager information is the 'Windows Vault.'"

As Microsoft says, the Windows Vault stores user credentials for servers, websites and other programs so that Windows can log users in automatically. At first glance, this might suggest that users can now store their Facebook, Twitter, Gmail and similar credentials so that they are logged in automatically via browsers. But it is not so.

Windows Vault stores credentials that Windows can use to log users in automatically, which means that any Windows application that needs credentials to access a resource (a server or a website) can use Credential Manager and Windows Vault to supply the stored credentials instead of having users enter the username and password every time.

Unless an application interacts with Credential Manager, I don't think it can use the stored credentials for a given resource. So, if your application wants to make use of the vault, it has to communicate with the Credential Manager and request the credentials for that resource from the default storage vault.

Let us take an application as an example: Google Talk.

Google Talk does not use (Windows) Credential Manager to store or retrieve user credentials. Below are the steps it would follow if it wanted to make use of the (Windows) Credential Manager:

1) Google Talk asks the Credential Manager for the credentials for a resource
2) Credential Manager looks in its default vault for the appropriate credentials (for that resource)
3) If there is any credential associated, the vault returns it to the Credential Manager
4) Credential Manager returns it back to Google Talk
5) Google Talk signs in with the returned credentials

I have seen a few Microsoft applications already making use of this feature in Windows 7:

  • Windows Live Messenger
  • Microsoft Word 2007
  • Microsoft Outlook 2007
  • Windows Explorer (when accessing network resources)

You have to remember that all these applications are accessing a resource using the Credential Manager, which can be a website or a server. In my case, I accessed my company resource through Microsoft Word which required username and password. When I stored my credentials for my company resource (usually the URL endpoint), Microsoft Word picked it up and prompted me with the username and password boxes filled in with those credentials!

Similarly, I added my network computer and the proper credentials to access it into the vault and Windows Explorer picked it up whenever I connected to that network computer! And similarly, when I accessed other network resources with credentials, Windows Explorer added those to the vault.

Since Windows Vault stores your credentials, you as a user should be able to access your vault and manage all of your credentials.

You can also back up and restore your vault, which is quite handy.

After this, Windows switches to a secure desktop where you can provide a password for your backup. You will be prompted for the password when you restore this vault on the other computer. The backup and restore feature worked really well for me.

Adding Credentials to the Vault

Most of the time it's going to be Windows applications that interact with the Credential Manager and not the user. However, if you do want to manage your credentials, you are allowed to do so.

Let us take an example of adding a Windows credential. I am going to add credentials to connect to one of my network PCs, GALAXY. Initially, without the credentials in the vault, when I connect to my PC, I get this prompt

Let us add the credentials

Notice that I am writing my PC Name as my resource. After adding the credentials, I can see it in my vault

Here is the prompt I get now whenever I connect to my network PC - GALAXY

It remembers the credentials once I choose the option to remember

I tried adding my company credentials and tested with Microsoft Word 2007 and Microsoft Outlook 2007 and they all worked perfectly!

What's missing?

Well, there is no documentation online by Microsoft mentioning the uses of this credential manager for Windows 7, but given the fact that Windows 7 is still in its beta stage, I couldn't complain. In my opinion, Microsoft will come out with some documentation once Windows 7 RC is released.

I have not tested adding a certificate-based credential as I don't have any Windows applications that get authenticated using a certificate. Currently in Windows 7 build 7000, I get this when I choose to add a certificate-based credential

But, in the Windows 7 build 7048, Microsoft has given a clue how this feature will be used. Below is what I get when I choose to add a certificate-based credential in Windows 7 build 7048

Now, that's interesting: adding a certificate that is used with the smart card. Visit here to know more about enrolling for a smart card certificate. If you have a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus other uses of the smart card cryptography), you can very well test this feature in the Windows 7 build 7048!

What about developers?

Searching MSDN, I found a sample - Credential Management with the .NET Framework 2.0. The sample application interacts with the Credential Manager and allows you to manage your credentials in the default vault. It worked perfectly in Windows 7 build 7000.

The Credential Manager is nothing new for Windows 7 and is present since Windows XP. The documentation is available in MSDN for quite a long time since Windows XP.
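The five-step lookup described earlier for Google Talk, using the developer-facing API, as an added example (not code from this article or from the MSDN sample): a C# console program that calls the Win32 `CredRead` and `CredFree` functions in advapi32.dll through P/Invoke. The class name `VaultLookup` and the helper `TryRead` are hypothetical; `GALAXY` is the network PC from the walkthrough above, assumed to be stored under that exact target name.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class VaultLookup   // hypothetical name for this added example
{
    const uint CRED_TYPE_GENERIC = 1, CRED_TYPE_DOMAIN_PASSWORD = 2;  // values from wincred.h

    [StructLayout(LayoutKind.Sequential)]
    struct CREDENTIAL      // field order mirrors CREDENTIALW
    {
        public uint Flags, Type;
        public IntPtr TargetName, Comment;
        public uint LastWrittenLow, LastWrittenHigh, CredentialBlobSize; // FILETIME, then blob size
        public IntPtr CredentialBlob;
        public uint Persist, AttributeCount;
        public IntPtr Attributes, TargetAlias, UserName;
    }

    [DllImport("advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredRead(string target, uint type, uint flags, out IntPtr credential);
    [DllImport("advapi32.dll")]
    static extern void CredFree(IntPtr buffer);

    // Steps 1-4: ask Credential Manager for the entry stored for `target`; false means none stored.
    static bool TryRead(string target, uint type, out string user, out byte[] secret)
    {
        user = null; secret = null;
        if (!CredRead(target, type, 0, out IntPtr p))
        {
            if (Marshal.GetLastWin32Error() != 1168) throw new Win32Exception(); // 1168 = ERROR_NOT_FOUND
            return false;
        }
        try
        {
            var c = (CREDENTIAL)Marshal.PtrToStructure(p, typeof(CREDENTIAL));
            user = Marshal.PtrToStringUni(c.UserName);
            secret = new byte[c.CredentialBlobSize];
            if (secret.Length > 0) Marshal.Copy(c.CredentialBlob, secret, 0, secret.Length);
            return true;
        }
        finally { CredFree(p); }   // the returned buffer is owned by the API
    }

    static void Main()
    {
        // An application's own entry would be looked up with CRED_TYPE_GENERIC instead.
        bool found = TryRead("GALAXY", CRED_TYPE_DOMAIN_PASSWORD, out string user, out byte[] secret);
        Console.WriteLine(found ? "user=" + user + ", secret bytes=" + secret.Length : "no entry, prompt the user");
        if (found) Array.Clear(secret, 0, secret.Length); // step 5 would sign in here, then wipe the copy
    }
}
```

For `CRED_TYPE_DOMAIN_PASSWORD` entries the documented behaviour is that only authentication packages can read the password blob, so the program reports 0 secret bytes for GALAXY. A `CRED_TYPE_GENERIC` entry returns its blob to the calling process, which is why the example clears its copy after use.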

Maybe next time Rafael and Paul should consider digging more into the feature before concluding that it's something new to Windows 7 and undocumented by Microsoft. Windows applications, especially Microsoft products, make use of this Credential Manager a lot.

Credential Manager & Windows Vault are nothing new and have just got a new shiny user interface in Windows 7.

37 Comments

Doh!

This feature is simply based on the credential manager in XP, with all its features and limitations.
So no, by far most apps, especially web apps, won't be able to use it as a password storage.

Here it is on Vista:
http://www.tomstricks.com/wp-content/uploa...credentials.jpg

Here it is on XP:
http://onnraves.com/wp-content/uploads/200...d-passwords.png

And what is this all about in THIS article:

The Credential Manager is nothing new for Windows 7 and is present since Windows XP. The documentation is available in MSDN for quite a long time since Windows XP.

May be next time Rafael and Paul should consider digging more into the feature before concluding that its something new to Windows 7 and undocumented by Microsoft. Windows applications, especially Microsoft products, make use of this Credential Manager a lot.

Credential Manager & Windows Vault are nothing new and have just got a new shiny user interface in Windows 7.


???

Why do you post a story here on Neowin if you also flame it for not being news!? Why is this note not higher up?
Many will think this is a cool new Windows 7 feature now.

Jugalator said,
Why do you post a story here on Neowin if you also flame it for not being news!?

The reporter did not flame this and did not say it wasn't news. Please rethink such replies before you make rash comments.

The reporter simply said this feature was in Windows XP. It has gotten more exposure lately from many news outlets. It makes sense to highlight this on our front page.

So how does the sdk work? I see a checkbox "show passwords" does that mean any program can see the passwords of any credential they want?

Even if the browser supported Credential Mgr, I would not trust my online banking logins to a MS product. I use KeePass for all my web logins and other passwords. One (long) master passphrase to remember, then ^U to open a URL, ^V to login. Simple and elegant, AES encryption, and I can leave copies of my vault on my various computers without worry.

kaborka said,
Even if the browser supported Credential Mgr, I would not trust my online banking logins to a MS product. I use KeePass for all my web logins and other passwords.


Because we all know that a program written by some random guy on the Internet is always going to be more trustworthy than a Microsoft product...

JonathanMarston said,
Because we all know that a program written by some random guy on the Internet is always going to be more trustworthy than a Microsoft product...

I'm not using it (using "Keychain" in OSX which sounds awfully like Windows Vault... that's another story) but KeePass is open source. So it is actually more trustworthy than a Microsoft product.

KeePass is fantastic. It'll be a cold day in hell when I trust Microsoft with my passwords to anything important. I don't even trust them with my personal files anymore.

I am sorry, but I think you are getting it wrong. KeePass is different from this Credential Manager. Microsoft products such as Microsoft Office do not use KeePass and they internally use Credential Manager to cache and persist the authentication, if the user chooses to do so. And application developers too can make use of this and integrate their apps with this credential manager.

I think it all comes down to choice. Like, I don't have any problem trusting Microsoft, but some would like to use third-party apps. But you won't be able to change it if the application chooses to use the credential manager, as the application is integrated with it already.

Nightkrawler said,
I'm not using it (using "Keychain" in OSX which sounds awfully like Windows Vault... that's another story) but KeePass is open source. So it is actually more trustworthy than a Microsoft product.

So you're saying Microsoft is not trustworthy? That includes Windows.

Chris-Gonzales said,
So you're saying Microsoft is not trustworthy? That includes Windows.

No, that's not what I meant. I should have written "any closed source Software" not "a Microsoft Product". I'm sorry if anyone misunderstood that - I was just referring to JonathanMarston's comment.

My point was that an open source application can be more trustworthy than any closed source software. That doesn't necessarily mean that the app is more secure than a closed source app but the fact that the programmers also share the source code shows that they really just want to play an open game here - they can't hide backdoors but they also can't hide security holes.

So you knew about and have been using this feature for "quite some time ... even before Paul and Rafael might have discovered it?" I find it immensely entertaining that you feel the need to claim this, essentially indicating that you are more knowledgeable than two VERY noteworthy and famous Windows experts.

So, have you blogged or otherwise written publicly about it EVER before this article?

Didn't think so.

This particular feature has been there since Windows XP and is nothing new for Windows 7. If you see the comments in Rafael's post (linked in the article), there are people who say they have been using this feature.

Just because Thurrott or Rafael posted about it, didn't mean they discovered it. I'd seen it in Windows 7 for a while now, but never poked around in it. It's been sitting in the Control Panel of anyone who had Windows 7 installed waiting to be "discovered" ... it's not like they found Atlantis.

@nunjabusiness -

What has that got to do with the content of the article? That is just an attack on the way the reporter has written this article.

There is no need for a comment like that - it does not provide any form of meaningful discussion about said article.

What's the big deal? Chaks starts off letting you know he has experience using this feature, and is going to expound upon it while integrating outside information to the article as well. Yes, maybe the opening sentence could have been worded differently for the overly-critical, but I'm guessing anyone who took offense to that comment stopped reading right there because they found exactly what they were looking for: nitpicking ammo to post in the comments.

Thank you sibot for not ENTIRELY missing my point. The author's statement ALSO had nothing whatsoever to do with the topic and added nothing to the article. I spent years as an editor at a newspaper and if a writer had brought that to me I would have struck the first sentence and reprimanded him for grandstanding.

CalumJR said,
@nunjabusiness -

What has that got to do with the content of the article? That is just an attack on the way the reporter has written this article.

There is no need for a comment like that - it does not provide any form of meaningful discussion about said article.

Your criticism applies perfectly to the subject of my post as well.

nunjabusiness said,
Thank you sibot for not ENTIRELY missing my point. The author's statement ALSO had nothing whatsoever to do with the topic and added nothing to the article.

The reporter stated that Paul and Rafael are friends of Neowin and they are. They also both covered PDC with us. Therefore, they obviously won't mind this. Why would we insult our friends?

This may be considered an editorial, nunjabusiness, but if you want something professional like a newspaper I suggest you should, well, go read a newspaper.

This looks INCREDIBLY confusing/complicated. Maybe it isn't, but it seems like it takes a lot of work just to have it remember your password.

Sooo, do I include the full URL or what? Like for MySpace, Facebook, and a lot of other websites that require a password no matter how many times visited?

Any site that requires a log in. Also note it doesn't matter how much you visit the site, you could visit it 50 million times and the log in still won't be saved. It's the cookies and stored information that keeps the passwords in check.

Excellent, 10 thumbs up, because it's good to know that Office 2007 is using some of the features present in Windows 7. Now if only other 3rd programs started using Jumplist and other APIs and additional features and gave users some real hardcore functionality.

a good and secure way to manage passwords for websites, the browser i assume wouldn't have to store your information at all? hope developers make use of it

Perhaps the feature was so well hidden in the past, that for all intents and purposes it did not exist. This situation is happening with increased frequency as Operating Systems and applications get more and more complicated. In essence, if a user can't find (or worse, can't figure out how to use) a feature then it does not exist. That may have been the situation with Messrs. Rafael and Paul.

That's a good one, I always wanted to clean up the damn cookies but then I need to enter logon afresh afterwards lol.