
I'm using CredWriteW to store some credentials and persist them through the user session. As we will have to store the credentials for lots of different accounts, I'm wondering: is there some kind of limit as to how many credentials can be stored in the credential manager?

I found this doc Credential limit per app | Microsoft Learn, but it's not clear whether it applies only to RDP, or to Credential Manager in general, or to something else. I've tried searching for this limit, but everything seems to point back to that same doc.

This is the code for reference:

#include <windows.h>
#include <wincred.h>
#pragma comment(lib, "Advapi32.lib")

// Stores one session-scoped domain credential for `account`.
// Returns TRUE on success; on failure the Win32 error is available via GetLastError().
static BOOL StoreSessionCredential(LPWSTR account, LPWSTR userName,
                                   LPBYTE password, DWORD credentialBlobSize)
{
    CREDENTIALW credential = {0};
    credential.Type = CRED_TYPE_DOMAIN_PASSWORD;
    credential.TargetName = account;
    credential.CredentialBlobSize = credentialBlobSize;
    credential.CredentialBlob = (LPBYTE)password;
    credential.Persist = CRED_PERSIST_SESSION;
    credential.UserName = (LPWSTR)userName;

    // Write the credential in the user space
    if (!CredWriteW(&credential, 0))
    {
        // ... handle GetLastError() here
        return FALSE;
    }
    return TRUE;
}
andre_ss6
  • The credential limit in the doc is only for Remote Desktop Services (it's easy to test if you *really* want to make sure, just create 100). Why do you think there's a limit if none is documented? – Simon Mourier Jan 09 '23 at 07:51
  • @SimonMourier The referenced doc says "*Windows* only allows up to 20 credentials per app" (emphasis mine), so it's not clear to me that it only applies to RDP. That's the source of my confusion. – andre_ss6 Jan 09 '23 at 22:11
  • @SimonMourier Also, notice how the workaround they suggest involves changing a registry key under `Vault`; no mention of RDP, suggesting that it's something more fundamental. – andre_ss6 Jan 09 '23 at 22:12
  • I understood your question. This is not the same API, Vault is an undocumented API (examples https://stackoverflow.com/questions/37523752/reverse-engineering-the-function-arguments-of-vaultremoveitem https://github.com/rapid7/meterpreter/blob/master/source/extensions/kiwi/mimikatz/modules/kuhl_m_vault.c) not the same as wincred, but like I said, just create 100 credentials and you'll see it works. – Simon Mourier Jan 10 '23 at 06:42
  • @SimonMourier I see. Thanks. Could you write that as an answer? – andre_ss6 Jan 10 '23 at 13:31

1 Answer


This API indirectly mentioned/used in your RDP/Remote Desktop link is called "Vault"; it's not the same API as the one used by CredWrite.

Vault is an undocumented API. See here for example on SO: Reverse engineering the function arguments of VaultRemoveItem or here on github's mimikatz

CredWrite is not documented to have any reasonable limit, here are 100 credentials I've just created with it:

(screenshot: 100 credentials)

Simon Mourier
  • Hi Simon. I unmarked your answer because I learned internally some further details about this API and it seems that there is in fact an undocumented limit. I'm still evaluating how to share those details publicly. However, if you just run your test a little longer and add just a few more credentials, you should be able to discover that limit yourself and add it to your answer. – andre_ss6 Jan 12 '23 at 22:12
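The "just create 100 credentials and see" test from the answer, as an added PowerShell probe that is not code from the question or the answer: it writes N session-scoped CRED_TYPE_DOMAIN_PASSWORD credentials through CredWriteW via P/Invoke, reports the first failure with its Win32 error, and then deletes everything it wrote. The count, the target-name prefix, the user name and the password are constructed placeholders; the wincred.h constants are the documented values.

```powershell
# Probe for a CredWriteW session-credential limit (added example; names and values are placeholders)
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class CredApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CREDENTIAL {
        public uint Flags; public uint Type; public string TargetName; public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint CredentialBlobSize; public IntPtr CredentialBlob; public uint Persist;
        public uint AttributeCount; public IntPtr Attributes;
        public string TargetAlias; public string UserName;
    }
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CredWriteW(ref CREDENTIAL cred, uint flags);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CredDeleteW(string target, uint type, uint flags);
}
"@
$CRED_TYPE_DOMAIN_PASSWORD = 2; $CRED_PERSIST_SESSION = 1   # wincred.h values
$count  = 100                    # raise this to look for a limit
$prefix = 'credlimit-probe-'     # constructed target-name prefix
$secret = 'dummy-password'       # constructed; never a real secret
$blob   = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($secret)
$written = 0
try {
    for ($i = 1; $i -le $count; $i++) {
        $c = New-Object CredApi+CREDENTIAL
        $c.Type               = $CRED_TYPE_DOMAIN_PASSWORD
        $c.TargetName         = "$prefix$i"
        $c.UserName           = "PROBE\user$i"   # domain-password type requires a user name
        $c.CredentialBlob     = $blob
        $c.CredentialBlobSize = [uint32]($secret.Length * 2)   # UTF-16 bytes, no terminator
        $c.Persist            = $CRED_PERSIST_SESSION
        if (-not [CredApi]::CredWriteW([ref]$c, 0)) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Host "CredWriteW failed at credential #$i (Win32 error $err)"
            break
        }
        $written++
    }
    Write-Host "Wrote $written of $count session credentials"
}
finally {
    # Session credentials vanish at logoff anyway, but remove them now.
    for ($i = 1; $i -le $written; $i++) {
        [void][CredApi]::CredDeleteW("$prefix$i", $CRED_TYPE_DOMAIN_PASSWORD, 0)
    }
    [Runtime.InteropServices.Marshal]::FreeHGlobal($blob)
}
```

Run it in the interactive session whose credential set you want to measure, since CRED_PERSIST_SESSION credentials are scoped to the logon session; raising $count past the point where CredWriteW starts failing shows whether the limit the comment above hints at exists on your build.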