CREDHIST System File

  • Question


    In C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Protect, I have a CREDHIST system file.  Does anyone know what this is?  Of course, I got the warning that it may be unsafe to delete it.  I did not delete it, but I've got a bit of a malware problem that I am trying to clean up.

     

    Thanks in advance for your help!

     

    --jss

    Thursday, December 20, 2007 3:11 PM

All replies

  •  

    You don't have that on Server 2008, do you? That directory shouldn't exist there. The file would be in C:\Users\<username>\AppData\Roaming\Microsoft\Protect.

     

    That file is a component of the credential manager components. I do not know exactly what it does but my rudimentary understanding is that it contains information on the current encryption key. You should leave this file alone.

     

    If you are into hex and parsing file details, you can probably glean some information from this article: http://www.beginningtoseethelight.org/efsrecovery/.

    Friday, December 21, 2007 7:33 AM
  •  

    No, it's on my home computer...it is in C:\Docs and Settings\Administrator\App Data\Microsoft\Protect, as well as a couple of other nearby places.  I just came across it the day that I posted it.  I think I'm having a malware/trojan issue.  I've got this one file that I found in the CREDHIST file, and every time that I delete it from that file, it keeps coming back, even though I'm emptying the recycle bin.  Also, the string of characters listed on this file is in the Recycler folder, and will not delete from there.  I originally found this issue out by running Spyware Doctor a few days ago, and it mentioned this particular thing (the string of characters, not CREDHIST) as being associated with Virus Protect Pro, which is the dreaded Zlob Trojan.  But, I've already posted on bleepingcomputer.com, so hopefully they should be able to help decipher everything.  I'm not so into whole-house networking and automation anymore, though.

     

    Thanks for the quick responses on my other post!  I really appreciate it!  I'll check out that article when my head stops spinning!

     

    --JSS

    Friday, December 21, 2007 10:31 PM
  • Aah. That explains my confusion. You posted the query in a newsgroup for a pre-release server OS.

     

    You found a file in the CREDHIST file? That shouldn't be. That file should have what looks like random characters in it.

     

    The best thing you can probably do is to call Microsoft's free security support line. They are experts in handling infected machines and can walk you through this. If you are in North America the number is (866) PC-Safety. If you are outside North America, go to http://www.microsoft.com/protect/support/default.mspx and look up the number for your region.

    Saturday, December 22, 2007 5:07 AM
  • Oops...Sorry about that...I was just looking for a security forum, but neglected to look at the title.  Thanks for the number to MS Security Support Line.  Thanks and sorry again!

    Wednesday, December 26, 2007 8:33 PM
  • The CREDHIST file contains all of your previous password-linked master key hashes used by Microsoft's DPAPI - one key per previous password. When applications (such as Internet Explorer) use DPAPI calls to protect secrets on the device, they use these keys as part of the mechanism for protecting/unprotecting data.

    When a user's password changes, or 90 days have passed (whichever is sooner), a new set of keys is generated. The old ones are kept in the CREDHIST file so that applications can still decrypt files that were encrypted using the older keys. When an application asks DPAPI to decrypt something, it will first try with the current master key (this is contained in the 'Preferred' file, which you'll find in the \..\protect\<User GUID> folder) - if that fails it will try each of the CREDHIST keys in turn until the data are successfully decrypted.

    In a Domain environment, the Domain Controller also has a global CREDHIST file - but I'm not entirely sure how that mechanism is invoked or what role it plays.

    Hope that helps,

     Gunny

    Thursday, August 1, 2013 12:54 PM
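The key rotation and fallback order Gunny describes (Preferred key first, then each CREDHIST key in turn) as an added example that is not part of the original thread and does not reproduce the real DPAPI on-disk format: a toy Python model in which the keystream cipher, the `UserKeyStore` class and the `protect`/`unprotect` names are all constructed for illustration, and the 90-day rotation is represented only by an explicit password change.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _seal(key: bytes, data: bytes) -> bytes:
    # Toy authenticated encryption (constructed): SHA-256 keystream XOR plus HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (or tampered blob): caller moves on to the next key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class UserKeyStore:
    """Model of one user's state: the current master key ('Preferred') plus CREDHIST,
    the list of previous password-linked master keys, newest first."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.current = self._derive(password)
        self.credhist = []
    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10000)
    def change_password(self, new_password: str) -> None:
        # The old master key is retained in CREDHIST so older blobs stay readable.
        self.credhist.insert(0, self.current)
        self.salt = os.urandom(16)
        self.current = self._derive(new_password)
    def protect(self, data: bytes) -> bytes:
        return _seal(self.current, data)
    def unprotect(self, blob: bytes):
        # Try the Preferred key first, then each CREDHIST key in turn.
        for key in [self.current] + self.credhist:
            plain = _open(key, blob)
            if plain is not None:
                return plain
        return None  # no key in the chain fits: data protected under a lost key
```

Clearing `credhist` on an instance models what deleting the CREDHIST file would do: blobs protected before the last password change become unrecoverable while newer ones still open.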
  • doesn't help at all.. since that file is a system file.. in the protect folder.. credhist and sinchist .. the preferred file is in the hkey folder..or  labeled S-1-5-21-3310908124-2528261554-3789350133-1000 blah blah.. where the preferred system file is.. along with all other significant files are.. if this is what you say .. the preferred file wouldn't store a previous version attribute.. but it does. so what's the point? if you ask me it's non consequential but another easy way for google or microsoft to update you without your approval

    .. js

    Wednesday, July 26, 2017 10:33 AM