Vault module reference
The vault module exposes helpers for interrogating Windows Vault containers and Credential Manager entries so that collected secrets can be inspected from a mimikatz session. The module provides two commands—vault::list and vault::cred—and each command accepts flags that control how much metadata is dumped or how enumeration is performed.

| Command | Purpose |
|---|---|
| vault::list | Enumerate every Windows Vault on the host and describe each stored item. |
| vault::cred | Enumerate Credential Manager secrets and optionally patch LSASS to widen the enumeration scope. |

vault::list

vault::list walks the set of vault containers exposed by the vaultcli API, opens each vault, and prints a friendly description of every stored credential item. On pre-Windows 8 hosts it uses the Windows 7 item structure, while on Windows 8 and later it selects the newer structure and includes the PackageSid column when present. (mimikatz/modules/kuhl_m_vault.c, L67-L171)

For every item the command prints the schema GUID, timestamps, resource, identity, authenticator, and on modern builds the package SID. If mimikatz can call VaultGetItem, the decrypted authenticator value is shown as well. (mimikatz/modules/kuhl_m_vault.c, L115-L155) After the generic dump, the command recognises special schema identifiers such as PIN, picture password, biometric, or next-generation credential entries and runs helper routines so the output includes additional context (for example, the associated SID or background path for picture passwords). (mimikatz/modules/kuhl_m_vault.c, L157-L205)

| Flag | Why/when to use it |
|---|---|
| /attributes | Include every property blob associated with a vault entry. By default vault::list hides these auxiliary attributes to keep the output compact, but passing /attributes toggles the isAttr flag so each property is iterated and described. Use this when you need to inspect DPAPI-encrypted metadata or application-specific state beyond the core resource/identity fields. (mimikatz/modules/kuhl_m_vault.c, L76-L114 and L140-L146) |

vault::cred

vault::cred enumerates the Credential Manager store via CredEnumerate, printing the target name, alias, user name, credential type, persistence policy, and raw credential blob for each entry that the caller can access. (mimikatz/modules/kuhl_m_vault.c, L489-L523) The command walks through the enumeration flags from the default view up to CRED_ENUMERATE_ALL_CREDENTIALS so that, on modern Windows builds, both standard and extended credentials are returned. (mimikatz/modules/kuhl_m_vault.c, L489-L529) After dumping the metadata, mimikatz attempts to decrypt well-known DPAPI blobs, such as WinINet passwords or Ivanti FileDirector secrets, so you immediately see the clear-text payload whenever the current context has access to the required keys. (mimikatz/modules/kuhl_m_vault.c, L534-L595)

| Flag | Why/when to use it |
|---|---|
| /attributes | Print every credential attribute key/value pair. Credential Manager attributes often contain application-specific metadata or DPAPI-protected payloads, but they are suppressed by default to reduce noise. Supplying /attributes ensures the loop iterates through each attribute and renders its flag, keyword, and decoded value so you can analyse the extra context attached to a credential. (mimikatz/modules/kuhl_m_vault.c, L511-L522) |
| /patch | Apply an in-memory patch to lsasrv!CredpCloneCredential inside the LSASS process before enumerating. Recent Windows builds gate the enumeration of certain credentials; this flag locates the operating-system-specific byte pattern and replaces the conditional branch so the underlying API stops filtering entries. Use /patch when the default enumeration omits expected credentials (for example, due to the Windows 8+ hardening of CRED_ENUMERATE_ALL_CREDENTIALS). The helper attaches to the SamSs service, opens the LSASS module map, and writes the patch just-in-time; the main enumeration runs afterwards once the patch succeeds. (mimikatz/modules/kuhl_m_vault.c, L446-L486) |

- Run token::elevate first if LSASS access is restricted; both commands rely on Vault and Credential Manager APIs that require high privileges to open other users' vaults. (README.md, L78-L87)
- Combine vault::list /attributes with DPAPI master-key extraction to correlate attribute blobs with decrypted vault items when triaging modern authentication mechanisms.
- Use vault::cred /patch /attributes sparingly and only during controlled engagements: the patch temporarily modifies LSASS code in memory, which can be detected by security tooling and should be reversed by restarting the SamSs service or the host after use. (mimikatz/modules/kuhl_m_vault.c, L446-L486)
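
A detection-side sketch for the LSASS memory modification that /patch performs, added here as an example and not taken from mimikatz or the original page: it filters process-access telemetry for handles to lsass.exe that carry memory-write rights. The Sysmon Event ID 10 field names are real; the dict layout, the sample events, the function name and the allowlist parameter are constructed assumptions.

```python
# Added example: flag Sysmon ProcessAccess (Event ID 10) records in which a
# process obtained memory-write rights on lsass.exe.

# Process access rights from winnt.h; both are needed to write remote memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (assumed already parsed into dicts by the pipeline).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\lab\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438"},
    {"EventID": 10, "SourceImage": r"C:\Users\lab\Desktop\reader.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\lab\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Temp\agent.exe",
     "TargetImage": r"C:\Windows\System32\LSASS.EXE", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Temp\odd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "n/a"},
]


def lsass_write_handles(events, allowlist=frozenset()):
    """Return (source image, access mask) pairs that warrant an alert.

    allowlist holds lower-cased full paths of vetted tools (hypothetical
    parameter); match on the full path, never on the file name alone.
    """
    hits = []
    for ev in events:
        if str(ev.get("EventID")) != "10":
            continue  # only ProcessAccess events carry GrantedAccess
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in allowlist:
            continue
        try:
            mask = int(str(ev.get("GrantedAccess", "")), 16)
        except ValueError:
            hits.append((source, "unparsable"))  # surface it, do not drop it
            continue
        if (mask & WRITE_MASK) == WRITE_MASK:
            hits.append((source, hex(mask)))
    return hits
```

Read-only handles such as 0x1010 are deliberately not matched, so this rule covers only the write path that an in-memory patch needs.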