Introduction

Microsoft added a new feature to Windows 7 called ‘Vault’, which you can access through the Credential Manager in Control Panel or with vaultcmd from the command line. It works very similarly to GNOME Keyring on Linux or the Apple Keychain on Mac OS.

In versions 7, 8 and 9 of Internet Explorer, passwords were protected using DPAPI, with the login URL as entropy, before being saved in the registry. The new algorithm in IE10 continues to use DPAPI, but the encryption of credentials is now handled by the Vault Service.

Vault System Service

Like most Windows encryption, the protection of Vault data occurs within a LocalSystem service. vaultsvc.dll contains the service code and is loaded by the Local Security Account Subsystem (lsass.exe) at boot time.

Between 18 and 24 functions (depending on the OS version) are exposed to clients over a local RPC endpoint. On Windows 7 there is an additional KeyRing credential UI application (VaultSysUI.exe), launched by the service when it requires information from the owner of a vault.

For example, you have the ability to lock a vault with a password.



You can also configure a vault to require permission from the user when an application attempts to access the password element.



In both situations, VaultSysUI displays a window to the user and then writes the response back to heap memory that the Vault Service can access.

Although both features are useful and add further protection to a user’s credentials, they were removed in Windows 8 along with other functionality.

Vault Client Library Access

From the user session, RPC calls are made through the API exported by vaultcli.dll.

Explorer.exe loads Credui.dll and Vault.dll when accessing the Credential Manager through the Control Panel.



You can also use vaultcmd.exe to add or remove credentials, but it doesn’t display passwords on either Windows 7 or Windows 8.



On Windows 8 . . .



For whatever reason, there was a significant reduction in Vault features between Windows 7 and Windows 8. Below is a list of what was removed.

Creation / Deletion of vaults.

Loading / Unloading external vault files.

Locking / Unlocking vaults with additional password protection.

Protection Methods

Windows 7 has two protection methods available, but Windows 8 has only one.

DPAPI (Data Protection API) is used by default, but on Windows 7 you can also protect a vault with a password.

The algorithm used to protect password-locked vaults is RSA’s PBKDF2 (the PKCS #5 password-based key derivation function).

Recovery of Web Credentials

As mentioned, there were some changes to the Vault service between Windows 7 and Windows 8.

VaultGetItem requires an additional parameter on Windows 8, and the VAULT_ITEM structure has an extra property. Here’s the structure for Windows 7:

    typedef struct _VAULT_ITEM_W7 {
        GUID                SchemaId;
        LPCWSTR             pszCredentialFriendlyName;
        PVAULT_ITEM_ELEMENT pResourceElement;
        PVAULT_ITEM_ELEMENT pIdentityElement;
        PVAULT_ITEM_ELEMENT pAuthenticatorElement;
        FILETIME            LastModified;
        DWORD               dwFlags;
        DWORD               dwPropertiesCount;
        PVAULT_ITEM_ELEMENT pPropertyElements;
    } VAULT_ITEM_W7, *PVAULT_ITEM_W7;

And for Windows 8:

    typedef struct _VAULT_ITEM_W8 {
        GUID                SchemaId;
        LPCWSTR             pszCredentialFriendlyName;
        PVAULT_ITEM_ELEMENT pResourceElement;
        PVAULT_ITEM_ELEMENT pIdentityElement;
        PVAULT_ITEM_ELEMENT pAuthenticatorElement;
        PVAULT_ITEM_ELEMENT pPackageSid;
        FILETIME            LastModified;
        DWORD               dwFlags;
        DWORD               dwPropertiesCount;
        PVAULT_ITEM_ELEMENT pPropertyElements;
    } VAULT_ITEM_W8, *PVAULT_ITEM_W8;
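The practical consequence of the extra pPackageSid member is that every field after pAuthenticatorElement moves by one pointer width, so any parser or forensic tool built against the Windows 7 layout will read the wrong bytes as LastModified, dwFlags and dwPropertiesCount when handed a Windows 8 item. The following is an added example, not code from this post or from the author’s tool: it models both layouts with portable stand-ins for the Windows types (GUID, FILETIME, DWORD, LPCWSTR and an opaque PVAULT_ITEM_ELEMENT are assumptions chosen to match the sizes of the real definitions), computes the offset shift, and shows the misread using a constructed sample item rather than real vault data.

```c
/* Added example: models the VAULT_ITEM_W7 / VAULT_ITEM_W8 layouts with
   portable stand-in types so the offset shift can be computed anywhere.
   The stand-ins are assumptions sized like the Windows originals. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;   /* 16 bytes */
typedef struct { uint32_t dwLowDateTime, dwHighDateTime; } FILETIME;                  /* 8 bytes  */
typedef uint32_t DWORD;
typedef const wchar_t *LPCWSTR;
typedef struct _VAULT_ITEM_ELEMENT *PVAULT_ITEM_ELEMENT;   /* opaque in this example */

typedef struct _VAULT_ITEM_W7 {
    GUID                SchemaId;
    LPCWSTR             pszCredentialFriendlyName;
    PVAULT_ITEM_ELEMENT pResourceElement;
    PVAULT_ITEM_ELEMENT pIdentityElement;
    PVAULT_ITEM_ELEMENT pAuthenticatorElement;
    FILETIME            LastModified;
    DWORD               dwFlags;
    DWORD               dwPropertiesCount;
    PVAULT_ITEM_ELEMENT pPropertyElements;
} VAULT_ITEM_W7;

typedef struct _VAULT_ITEM_W8 {
    GUID                SchemaId;
    LPCWSTR             pszCredentialFriendlyName;
    PVAULT_ITEM_ELEMENT pResourceElement;
    PVAULT_ITEM_ELEMENT pIdentityElement;
    PVAULT_ITEM_ELEMENT pAuthenticatorElement;
    PVAULT_ITEM_ELEMENT pPackageSid;        /* the extra Windows 8 member */
    FILETIME            LastModified;
    DWORD               dwFlags;
    DWORD               dwPropertiesCount;
    PVAULT_ITEM_ELEMENT pPropertyElements;
} VAULT_ITEM_W8;

/* Bytes by which every field after pAuthenticatorElement moves on Windows 8.
   Equals one pointer width (4 on x86, 8 on x64). */
size_t w8_layout_shift(void)
{
    return offsetof(VAULT_ITEM_W8, LastModified) - offsetof(VAULT_ITEM_W7, LastModified);
}

/* Size growth of the whole structure: also one pointer width. */
size_t w8_size_growth(void)
{
    return sizeof(VAULT_ITEM_W8) - sizeof(VAULT_ITEM_W7);
}

/* Fills a constructed Windows 8 item, then reinterprets its leading bytes as a
   Windows 7 item (memcpy keeps this well-defined).  Returns 1 when the W7 view
   reports different flags and property count than the item really carries,
   i.e. when a W7-layout parser would misread a W8 item. */
int w7_view_misreads_w8_item(void)
{
    VAULT_ITEM_W8 item;
    VAULT_ITEM_W7 view;
    memset(&item, 0, sizeof item);
    item.LastModified.dwLowDateTime  = 0x1000;   /* constructed sample values */
    item.LastModified.dwHighDateTime = 0x2000;
    item.dwFlags           = 0x11;
    item.dwPropertiesCount = 3;
    memcpy(&view, &item, sizeof view);
    return view.dwFlags != item.dwFlags && view.dwPropertiesCount != item.dwPropertiesCount;
}

int main(void)
{
    printf("pointer width         : %zu\n", sizeof(void *));
    printf("W7 LastModified offset: %zu\n", offsetof(VAULT_ITEM_W7, LastModified));
    printf("W8 LastModified offset: %zu\n", offsetof(VAULT_ITEM_W8, LastModified));
    printf("field shift on W8     : %zu\n", w8_layout_shift());
    printf("W7 view misreads W8   : %s\n", w7_view_misreads_w8_item() ? "yes" : "no");
    return 0;
}
```

The shift and size growth both equal sizeof(void *) on 32-bit and 64-bit builds, which is why a tool that reads vault items must select the structure (and the VaultGetItem signature) by OS version at run time rather than assuming one layout.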

I’ve written a tool to recover IE10 passwords using the Vault API; here’s example output on a Windows 7 machine.



Because the Windows Vault Service remains undocumented, I can’t guarantee the accuracy of the information provided. The latest protection of web credentials for Internet Explorer is indeed weaker than the previous algorithm used by IE 7, 8 and 9, but the upside is that with the Vault you can reliably back up and restore your passwords when needed.