Cached Credentials in Windows 7 -> Who do they belong to?

    Question

  • Hello Everyone,

    we would like to restrict the number of logons that are being cached on our Windows 7 computers using GPOs. We currently have a setting of four in the policy. The problem is that we are not sure if this is enough since we have some automatic logons for services and applications on our computers. I would like to see whose credentials are cached on our boxes to check if our policy will work properly.

    I know that the cached credentials are stored in the registry under "Security". I can see four entries there. Is there a way to deduce the usernames for those entries without trying to use any "hacker" tools? I don't want to decipher the actual password hashes or the like, I just want to know who they belong to. Does anybody know of a way to do this?

    Any help would be great!

    Regards

    HarryH

    June 15, 2012 13:40

Answers

  • Hi,


    Based on my research, the cache is used by various security principals on the system - not just the users that physically log on to the system with a user account.


    You can run Process Monitor and configure a filter to include only paths beginning with HKLM\Security\Cache in the capture and drop everything else (Filter/Drop filtered events) then it will show a SetReg operation each time a cache entry is written to.


    In addition, you will get a LsaSrv 45058 event in the System log whenever an older entry has been removed from the LS cache and what account it was for (see: Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential).


    For more detailed information, please refer to Cached logons and CachedLogonsCount.


    Hope this helps.


    Jeremy Wu

    TechNet Community Support

    • Marked as answer by HarryNew June 19, 2012 9:46
    June 19, 2012 9:29
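The answer above names three things an administrator can look at: the CachedLogonsCount policy value, the cache slots under HKLM\SECURITY\Cache, and the LsaSrv 45058 eviction events. The script below is an added example written for this page, not code from the thread or from Microsoft; it gathers all three from an elevated PowerShell prompt on one machine. It assumes the policy lands in the REG_SZ value CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, that cache slots are stored as values named NL$<n> (the names NL$1, NL$2, ... are an assumption about the key's layout), and that the default ACL on HKLM\SECURITY lets only SYSTEM read it, so the script reports that case instead of failing.

```powershell
# Added example (not from the thread): inventory cached-logon settings on a Windows 7 box.
# Run from an elevated PowerShell prompt. Reading HKLM:\SECURITY\Cache normally requires
# the SYSTEM account; when the key is not readable the script says so rather than failing.

function Get-CachedLogonsCount {
    # The GPO "Interactive logon: Number of previous logons to cache" is written to this value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 10 }   # assumption: Windows default applies when the value is absent
    return [int]$props.CachedLogonsCount
}

function Get-CacheSlots {
    # Assumption: each cache slot is a binary value named NL$<n> under HKLM\SECURITY\Cache.
    # Only the slot names and data sizes are reported; no hashes are decoded.
    try {
        $item = Get-Item -Path 'HKLM:\SECURITY\Cache' -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Readable = $false; Slots = @() }
    }
    $slots = foreach ($name in $item.GetValueNames()) {
        if ($name -like 'NL$*' -and $name -ne 'NL$Control') {
            [pscustomobject]@{
                Name  = $name
                Bytes = ($item.GetValue($name) | Measure-Object).Count
            }
        }
    }
    return [pscustomobject]@{ Readable = $true; Slots = @($slots) }
}

function Get-CacheEvictionEvents {
    param([int]$Days = 30)
    # LsaSrv event 45058 in the System log is written when an older entry is dropped from the
    # cache (FIFO); its message names the account the entry belonged to.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'LsaSrv'
        Id           = 45058
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# --- report ---------------------------------------------------------------
$count = Get-CachedLogonsCount
Write-Host ("CachedLogonsCount (policy): {0}" -f $count)

$cache = Get-CacheSlots
if (-not $cache.Readable) {
    Write-Host 'HKLM\SECURITY\Cache is not readable from this account (SYSTEM is required by default).'
} else {
    Write-Host ("Cache slots present: {0}" -f $cache.Slots.Count)
    $cache.Slots | Format-Table -AutoSize
}

$evictions = @(Get-CacheEvictionEvents -Days 30)
if ($evictions.Count -eq 0) {
    Write-Host 'No LsaSrv 45058 evictions in the last 30 days: the slot count has not been exceeded recently.'
} else {
    Write-Host ("Evictions in the last 30 days: {0}" -f $evictions.Count)
    $evictions | Format-List
}
```

The eviction events are the most useful signal for the original question: if 45058 fires for an account that must keep working while the domain is unreachable, the configured count is too low for that machine's mix of interactive and service logons, and the event message says which account lost its entry.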

All replies

  • Hi,

    most services use local accounts. So there is no limit.

    You can easily restart the computer 4x, and you will see if there is any problem.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011 / 2012
    Microsoft Certified Professional | Connected Home Integrator | Consumer Sales Specialist
    Microsoft Certified IT Professional: Consumer Support Technician on Windows Vista
    Microsoft Certified IT Professional: Enterprise Support Technician on Windows Vista
    Microsoft Certified IT Professional: Server Administrator on Windows Server 2008
    Microsoft Certified Solutions Associate: Windows Server 2008
    MCP transcript, contact information, list of all Certifications

    June 18, 2012 20:15
  • Hello Jeremy,

    I will check for the events. That sounds promising!

    Thanks & Regards

    Harald

    June 19, 2012 9:47