credentialspasswordsmartcardwindowswindows-registry
I'm troubleshooting cached credentials on Windows 7, specifically Smart Card logins, and I would like to know how I can find out which users currently have their credentials cached on the machine.
I have read How are cached Windows credentials stored on the local machine?
and can see the HKLM/Security/cache registry keys, but they are just hash values.
The best practice, as it mentioned in many articles on the subject is to set CachedLogonsCount=1. When the user logs into their laptop the admin credentials will be flushed. Be sure to explain to the user that they need to login while connected to the network before leaving or they'll be locked out.
Also it's worth noting that Pass-The-Hash doesn't work on Kerberos. It's recommended you disable NTLM auth wherever it's convenient.
Recent Developments:
Programs that take advantage of GPUs (graphics cards) to crack NTLM passwords are becoming more popular, and extremely fast. A 7 character NTLM password can be cracked in <20 minutes with a reasonable home computer. Disabling NTLM Caching is becoming more important as recovering the password from the hash becomes easier (which could then be used for Kerberos, http-digest, or other authentication methods).
With the rise of cloud computing, cracking NTLM passwords in the cloud has made it possible to 'rent' the resources to crack almost any NTLM hash in a reasonable amount of time (though at sum expense). Given these developments, everyone should be re-evaluating their password length and complexity policies; limiting the use and storage of NTLM hashes; and carefully evaluating (or guessing) how much a nefarious organization (competitor) would pay to get access to your systems.
Best Answer
I'm not sure that there is an officially supported technique or API for this.
One method of getting this info (be ready to trigger the antivirus software on your computer) would be to use Mimikatz.
mimikatz # lsadump::cache