CMDKEY - CMD


Overview

The CMDKEY command in Windows is used to create, list, and delete stored user names and passwords from a user’s credentials store. This utility is primarily used for managing credentials for automatic logon by command-line tools, enabling secure access to various network resources without manual input of passwords.

Syntax

The basic syntax for CMDKEY is as follows:

CMDKEY {/add | /generic}:TargetName /user:UserName /pass[:Password]
CMDKEY /list[:TargetName]
CMDKEY {/delete | /deletecert}:TargetName
CMDKEY /deleteall

Parameters

  • /add: Adds a user account and password to the credential store.
  • /generic: Adds generic credentials.
  • TargetName: Specifies the server or domain name where the credentials are to be used.
  • /user: Specifies the username associated with the credentials.
  • /pass: Optional. Specifies the password for the given user. If not provided, the command prompts for a password.
  • /list: Lists detailed information about all stored credentials. A specific TargetName can be provided to list details of a particular credential.
  • /delete: Deletes credentials for a specified TargetName.
  • /deletecert: Deletes a certificate for a specified TargetName.
  • /deleteall: Deletes all credentials stored on the computer.

Options/Flags

  • TargetName: Specifies the remote system or service you want your credentials to be associated with, formatted as domain or server.
  • /user: Typically used with administrative credentials that need elevated privileges.
  • /pass: For automated scripts, adding a password directly can avoid manual input but can be a security risk.
  • /list: Useful for verifying currently stored credentials.
  • /delete: Important for removing credentials when no longer necessary or when changing passwords.
  • /deleteall: Used for clearing out all stored credentials, often as a security measure before transferring a system.

Examples

  1. Adding a credential for a network resource:

    CMDKEY /add:corpserver.net /user:john /pass
    
  2. Listing all credentials:

    CMDKEY /list
    
  3. Deleting a specific credential:

    CMDKEY /delete:corpserver.net
    
  4. Deleting all credentials on a system:

    CMDKEY /deleteall
    

Common Issues

  • Security Risk: Storing passwords with /pass:Password can expose sensitive information if the script is shared or accessed by unauthorized users.

    Solution: Use password prompts or manage passwords through secure vaults.

  • Credential Overwrite: Using /add with an existing TargetName will overwrite the existing credentials without warning.

    Solution: Always check existing credentials with /list before adding new ones.
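
Both solutions above, combined with the cleanup step from the Integration section below, in one batch script. This is an added example, not part of the original page: the target, user name, share and drive letter are hypothetical, and the /list check assumes English-language CMDKEY output.

```batch
@echo off
setlocal
:: Added example: hypothetical target, user and share names.
set "TARGET=corpserver.net"
set "CRED_USER=john"
set "SHARE=\\%TARGET%\share"

:: 1. Refuse to overwrite: /add replaces an existing entry without warning.
::    Assumption: each stored entry is printed with a "Target:" line.
cmdkey /list:%TARGET% | findstr /i /c:"Target:" >nul
if not errorlevel 1 (
    echo A credential for %TARGET% is already stored. Review it with:
    echo     cmdkey /list:%TARGET%
    exit /b 1
)

:: 2. /pass with no value makes CMDKEY prompt for the password, so the
::    password is never written into this file.
cmdkey /add:%TARGET% /user:%CRED_USER% /pass
if errorlevel 1 (
    echo Failed to store the credential for %TARGET%.
    exit /b 1
)

:: 3. Map the share and remember the result so cleanup runs either way.
net use Z: "%SHARE%"
set "RC=%ERRORLEVEL%"
if "%RC%"=="0" (
    rem Script commands that use Z: go here.
    net use Z: /delete /y >nul
)

:: 4. Remove the stored credential even if the mapping failed.
cmdkey /delete:%TARGET%
exit /b %RC%
```

Because the script prompts for the password, it suits interactive use; unattended jobs need the password supplied from a secure vault instead, as the first solution above suggests.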

Integration

CMDKEY can be integrated with other commands and scripts to automate various network-related tasks. For instance:

  • Batch login script:

    CMDKEY /add:corpserver.net /user:john /pass:example
    NET USE Z: \\corpserver.net\share
    
  • Clear credentials post-script execution:

    :: At the start of the script
    CMDKEY /add:corpserver.net /user:john /pass:example
    
    :: Your script commands here
    
    :: At the end of the script
    CMDKEY /delete:corpserver.net
    
Related Commands

  • NET USE: Used to connect, disconnect, and manage network resources.
  • RUNAS: Execute a program under a different user account.

For more detailed documentation and advanced usage scenarios, refer to Microsoft’s official documentation on CMDKEY and related commands.