What is Windows Vault?
Amazingly, although Windows Vault was first introduced to the public with the release of Windows 7, there is still no proper description of it on the net. Documentation on this interesting subject is either completely absent or, at best, superficial. So, what is Vault?
Windows Vault is a protected storage for secrets, passwords and other personal information belonging to a user or to the system.
Windows Vault has come to replace the outdated 'Credential Manager', which was used in earlier versions of Windows. Vault has acquired a number of new features:
- Backing up and restoring all passwords
- Improved encryption system and portability to other systems
- Improved programming interface
- Manual creation and administration of Vault storages
On the physical level, Vault is a disk-based folder with a set of the following files:
- Policy.vpol - a set of encryption keys for Vault credentials (records). These keys can be protected by one of two basic methods: DPAPI or a specific user password. The latter protection method is not used in Windows 8 and is currently not supported by the software.
- <GUID>.vsch - Vault schema that contains data description, flags and other system information.
- <GUID>.vcrd - Vault credential that stores the original encrypted data associated with a certain schema. The data can, and normally does, consist of several fields. The description of the fields is stored in the .vsch file. The AES algorithm is used to protect Vault credentials. The encryption/decryption key for the algorithm resides in the Policy.vpol file, and a salt is used to prevent instant data recovery using rainbow-table-based attacks.
There are two types of Vault storage at the moment: system Vault and user Vault. The user Vault may be found at the following locations:
<USER_APP_DATA>/Microsoft/Vault/<GUID>
<USER_LOCAL_APP_DATA>/Microsoft/Vault/<GUID>
For example,
C:/Users/Helen/AppData/Roaming/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28
C:/Users/John/AppData/Local/Microsoft/Vault/18289F5D-9783-43EC-A50D-52DA022B046E
Note that any user can create a custom Vault storage and save private data there. Windows includes the VaultCmd.exe utility for managing custom Vaults.
System Vault by default resides in the following folders:
<SYSTEM_APP_DATA>/Microsoft/Vault/<GUID>
<SYSTEM_LOCAL_APP_DATA>/Microsoft/Vault/<GUID>
<PROGRAM_DATA>/Microsoft/Vault/<GUID>
For example,
C:/Windows/System32/config/systemprofile/AppData/Roaming/Microsoft/Vault/...
C:/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Vault/...
C:/ProgramData/Microsoft/Vault/AC658CB4-9126-49BD-B877-31EEDAB3F204
Some of the folders have the system attribute set, which hides them in Windows Explorer.
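For forensic triage, the folder layout and locations described above can be inventoried on a mounted disk image. The script below is an added example, not part of the original article or of any tool it mentions; it assumes the Windows volume is mounted read-only at a given root with the default folder names in their usual case, and the function names and the sample tree are constructed for illustration. It only lists files and does not read or decrypt their contents.

```python
import re
import tempfile
from pathlib import Path

GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
SYSPROFILE = "Windows/System32/config/systemprofile/AppData"
# Vault parent folders named on this page, relative to a mounted volume root.
LOCATIONS = {
    "user": ["Users/*/AppData/Roaming/Microsoft/Vault", "Users/*/AppData/Local/Microsoft/Vault"],
    "system": [SYSPROFILE + "/Roaming/Microsoft/Vault", SYSPROFILE + "/Local/Microsoft/Vault",
               "ProgramData/Microsoft/Vault"],
}

def inventory_vaults(root):
    """Return one record per <GUID> Vault folder under a mounted volume root."""
    root, records = Path(root), []
    for kind, patterns in LOCATIONS.items():
        for pattern in patterns:
            for vault in sorted(root.glob(pattern + "/*")):
                if not (vault.is_dir() and GUID_RE.match(vault.name)):
                    continue  # not a Vault storage folder
                names = [f.name.lower() for f in vault.iterdir() if f.is_file()]
                policy = "policy.vpol" in names
                creds = sum(n.endswith(".vcrd") for n in names)
                records.append({
                    "kind": kind, "path": vault.relative_to(root).as_posix(),
                    "has_policy": policy, "credentials": creds,
                    "schemas": sum(n.endswith(".vsch") for n in names),
                    # .vcrd records without Policy.vpol lack the keys protecting them
                    "complete": policy or creds == 0})
    return records

def build_sample_tree(root):
    """Constructed sample layout (empty files) reusing the page's example paths."""
    g = "11111111-2222-3333-4444-555555555555"  # constructed file-name GUID
    layout = {
        "Users/Helen/AppData/Roaming/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28":
            ["Policy.vpol", g + ".vsch", g + ".vcrd"],
        "ProgramData/Microsoft/Vault/AC658CB4-9126-49BD-B877-31EEDAB3F204": [g + ".vcrd"],
        "Users/John/AppData/Local/Microsoft/Vault/NotAGuid": ["Policy.vpol"],
    }
    for folder, files in layout.items():
        (Path(root) / folder).mkdir(parents=True)
        for name in files:
            (Path(root) / folder / name).touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*inventory_vaults(tmp), sep="\n")
```

A record with "complete" set to False marks a Vault folder whose credentials were collected without the Policy.vpol file that holds their keys, which usually means the acquisition missed a file.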
The following pictured sample shows how to use the Vault Explorer tool to recover Vault credentials offline.