cmdkey.exe - Windows Credentials Manager Command-Line Tool

Category: System-EXE-Files | Date: 2025-03-02



cmdkey.exe is a built-in command-line utility in Windows operating systems that allows users to manage stored user names and passwords, also known as credentials. These credentials can be used for accessing various resources, including network shares, websites, and other applications that require authentication. It's the command-line interface for the Windows Credential Manager.

Origin and Purpose

cmdkey.exe is a core component of the Windows operating system, developed by Microsoft. Its primary purpose is to provide a secure and convenient way to store and retrieve credentials, eliminating the need for users to repeatedly enter their usernames and passwords for frequently accessed resources. It leverages the Windows Credential Manager service, which provides a secure vault for storing this sensitive information. The command-line interface was provided to allow scripting and automation of credential management tasks, useful for system administrators and power users.

Functionality

cmdkey.exe provides the following core functionalities:

  • Creating Credentials: You can create new credentials, specifying the target resource, username, and password.
  • Listing Credentials: You can list all stored credentials or filter them by target name.
  • Deleting Credentials: You can remove stored credentials when they are no longer needed.
  • Modifying Credentials (Indirectly): While cmdkey.exe doesn't directly support modifying an existing credential, you can achieve the same effect by deleting the old credential and creating a new one with the updated information.

Is it a Virus? / Can it Become a Virus?

cmdkey.exe itself is not a virus. It is a legitimate and essential part of the Windows operating system. However, like many legitimate system tools, it could be misused by malicious actors.

Potential Misuse:

  • Credential Theft (Indirect): While cmdkey.exe cannot directly display passwords in plain text, a malicious script or program could use cmdkey /list to identify stored credentials. Another malicious program could then be used to steal those credentials. This would typically require elevated privileges (administrator rights).
  • Creating Malicious Credentials: A malicious script could use cmdkey to create credentials that point to a malicious server or resource. This could be used in phishing attacks or to redirect network traffic.
  • Part of a Larger Attack: cmdkey.exe is rarely used in isolation in an attack. It's more likely to be a small component of a larger, multi-stage attack.

Important Note: The presence of cmdkey.exe on your system is normal and expected. Suspicion should only arise if you observe unusual activity related to it, such as unexpected credential prompts or unexplained network connections, especially when combined with other suspicious behavior.
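
One way to look for the unusual cmdkey activity described above is to triage process-creation command lines (for example from Security event 4688 with command-line auditing, or Sysmon event 1). The following is an added example, not code from the original page; the function names, finding labels, known-target list, and sample command lines are constructed assumptions, and the parser handles plain command lines only.

```python
import re

# Switch names come from the Usage section of this page.
SWITCH = re.compile(
    r'(?<!\S)/(add|generic|user|pass|delete|list|ras|smartcard)\b(?::("[^"]*"|\S*))?',
    re.I)
# Matches cmdkey or cmdkey.exe as the image name, with or without a path or quotes.
CMDKEY = re.compile(r'(?:^|[\\/"\s])cmdkey(?:\.exe)?"?(?=\s|$)', re.I)

def parse_cmdkey(command_line):
    """Return {switch: value} for a cmdkey invocation, or None for anything else."""
    m = CMDKEY.search(command_line)
    if m is None:
        return None
    return {name.lower(): value.strip('"')
            for name, value in SWITCH.findall(command_line[m.end():])}

def triage(command_line, known_targets):
    """Return the findings for one process-creation command line."""
    sw = parse_cmdkey(command_line)
    if sw is None:
        return []
    known = {t.lower() for t in known_targets}
    findings = []
    if sw.get("pass"):  # password was typed on the command line and is now in the log
        findings.append("plaintext-password-on-command-line")
    target = sw.get("add") or sw.get("generic")
    if target and target.lower() not in known:
        findings.append("credential-created-for-unlisted-target:" + target)
    if sw.get("list") == "":  # bare /list with no target filter
        findings.append("all-stored-credentials-listed")
    return findings

def redact(command_line):
    """Mask the /pass value so the secret is not copied into alerts or tickets."""
    return re.sub(r'(?i)(/pass:)("[^"]*"|\S+)', r'\1<redacted>', command_line)

# Constructed sample command lines, not taken from a real host.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\cmdkey.exe /list',
    r'cmdkey /add:server1.example.com /user:MyDomain\JohnDoe',
    r'cmdkey.exe /generic:files.unknown.example /user:svc /pass:MySecretPassword',
    r'"C:\Windows\System32\cmdkey.exe" /list:server1.example.com',
    r'C:\Windows\System32\whoami.exe /all',
]
KNOWN_TARGETS = ["server1.example.com"]  # assumed list of approved targets

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        for finding in triage(line, KNOWN_TARGETS):
            print(finding, "|", redact(line))
```
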

Usage (Detailed Guide)

The basic syntax of cmdkey.exe is as follows:

cmdkey [{/add:<TargetName> /user:<UserName> /pass:<Password> | /generic:<TargetName> /user:<UserName> /pass:<Password>}] | {/delete:<TargetName> | /delete /ras} | {/list:<TargetName> | /list} | {/smartcard}

Let's break down the options:

  • /add:<TargetName>: Creates a new credential. <TargetName> is the network resource or website for which the credentials are used. This usually expects /user and /pass options. This creates a "domain" credential.

  • /generic:<TargetName>: Creates a new credential. Similar to /add, but creates a "generic" credential, which is used for applications rather than network resources. This usually expects /user and /pass options.

  • /user:<UserName>: Specifies the username for the credential. Used with /add or /generic.

  • /pass:<Password>: Specifies the password for the credential. Used with /add or /generic. If you omit /pass:<Password>, cmdkey will prompt you to enter the password interactively, which is more secure.

  • /delete:<TargetName>: Deletes the credential associated with the specified <TargetName>.

  • /delete /ras: Deletes all Remote Access Service (RAS) credentials.

  • /list:<TargetName>: Lists the credential(s) associated with the specified <TargetName>. Wildcards are supported (e.g., /list:*.example.com).

  • /list: Lists all stored credentials.

  • /smartcard: Displays smart card credentials; it is not used to configure credentials.

Examples:

  1. Create a credential for a network share (prompting for password):

    cmdkey /add:server1.example.com /user:MyDomain\JohnDoe

    (You'll be prompted to enter the password.)

  2. Create a credential for a network share (specifying the password - less secure):

    cmdkey /add:server1.example.com /user:MyDomain\JohnDoe /pass:MySecretPassword

  3. Create a generic credential (prompting for password):

    cmdkey /generic:MyApplication /user:[email protected]

  4. List all credentials:

    cmdkey /list

  5. List credentials for a specific target:

    cmdkey /list:server1.example.com

  6. Delete a credential:

    cmdkey /delete:server1.example.com

  7. Delete all RAS credentials:

    cmdkey /delete /ras

  8. List smart card credentials:

    cmdkey /smartcard

Security Considerations:

  1. Avoid Storing Passwords in Scripts: Never store passwords directly in scripts using /pass:<Password>. This is extremely insecure. Always allow cmdkey to prompt for the password interactively.
  2. Use Strong Passwords: Always use strong, unique passwords for all your credentials.
  3. Elevated Privileges: Managing credentials often requires administrator privileges. Be mindful of running cmdkey with elevated privileges.
  4. Credential Guard (Windows 10/11): If available, consider enabling Credential Guard, a virtualization-based security feature that helps protect credentials from theft.
  5. Review Regularly: Check the output of cmdkey /list regularly for any credentials you don't recognize.
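
The regular review can be scripted by parsing the text of cmdkey /list and comparing each entry with an approved baseline. This is an added example, not part of the original page; the sample output is constructed and assumes the layout printed by an English-language Windows install, and the baseline and function names are hypothetical.

```python
# Constructed sample of `cmdkey /list` output (English-language layout assumed).
SAMPLE_LIST_OUTPUT = r"""
Currently stored credentials:

    Target: Domain:target=server1.example.com
    Type: Domain Password
    User: MyDomain\JohnDoe

    Target: LegacyGeneric:target=MyApplication
    Type: Generic
    User: appuser

    Target: Domain:target=files.unknown.example
    Type: Domain Password
    User: svc
    Local machine persistence
"""

def parse_cmdkey_list(text):
    """Turn `cmdkey /list` text into a list of {target, type, user} dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key = key.strip().lower()
        if sep and key == "target":
            # Keep only the name after "target=", dropping the "Domain:" style prefix.
            name = value.strip().split("target=", 1)[-1]
            current = {"target": name, "type": "", "user": ""}
            entries.append(current)
        elif sep and current is not None and key in ("type", "user"):
            current[key] = value.strip()
    return entries

def unexpected_entries(entries, baseline):
    """Return entries whose (target, user) pair is not in the approved baseline."""
    approved = {(t.lower(), u.lower()) for t, u in baseline}
    return [e for e in entries
            if (e["target"].lower(), e["user"].lower()) not in approved]

# Hypothetical baseline of credentials the owner of this profile expects to see.
BASELINE = [("server1.example.com", r"MyDomain\JohnDoe"), ("MyApplication", "appuser")]

if __name__ == "__main__":
    for e in unexpected_entries(parse_cmdkey_list(SAMPLE_LIST_OUTPUT), BASELINE):
        print("review:", e["target"], "|", e["type"], "|", e["user"])
```

On a Windows host, replace the sample with the captured text of cmdkey /list run under the account being reviewed, since the stored credentials are per user.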

Conclusion

cmdkey.exe is a powerful and versatile tool for managing credentials in Windows. While it's a legitimate system component, users should be aware of its potential for misuse and take appropriate security precautions. Understanding its functionality and proper usage is essential for both system administrators and security-conscious users.