Cached credentials security on Windows Operating Systems.

“Where are they actually stored though? In the Roaming Profile, or somewhere else?” asked the Problem Team.

The answer is “somewhere else”.

“Windows NT 4.0 has the capability to cache logon information in short-term memory. If the domain controller cannot be found during logon and the user has logged on to the system in the past, it can use those credentials to log on.”

Yes, cached logons have been around for a long time.

The cached credentials are stored in the Registry, under HKEY_LOCAL_MACHINE\SECURITY\Cache.
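To audit this on a machine, the following PowerShell is an added example, not part of the original post. It reads the CachedLogonsCount value under the Winlogon key (a standard Windows setting that this post does not mention, which limits how many logons are cached) and reports whether any principal other than SYSTEM can read values under the Cache key. The function name Get-CachedLogonAudit and the -MaxAllowed threshold are assumptions made for illustration.

```powershell
# Added example: audit the cached-logon configuration of the local machine.
# Run elevated. Get-CachedLogonAudit and -MaxAllowed are hypothetical names.
function Get-CachedLogonAudit {
    [CmdletBinding()]
    param([int]$MaxAllowed = 2)   # assumption: the limit set by your baseline

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cacheKey = 'HKLM:\SECURITY\Cache'

    # CachedLogonsCount is stored as a string; Windows uses 10 when it is absent.
    $count  = 10
    $source = 'default (value not set)'
    $prop = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $parsed = 0
        if ([int]::TryParse([string]$prop.CachedLogonsCount, [ref]$parsed)) {
            $count  = $parsed
            $source = 'registry'
        } else {
            $source = 'registry (unparseable, default assumed)'
        }
    }

    # By default only SYSTEM may read values under HKLM\SECURITY. List any other
    # principal that has been allowed to query values on the Cache key.
    $systemSid    = 'S-1-5-18'
    $extraReaders = @()
    $aclStatus    = 'read'
    try {
        $acl = Get-Acl -Path $cacheKey -ErrorAction Stop
        $extraReaders = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::QueryValues) -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -ne $systemSid
        } | ForEach-Object { $_.IdentityReference.Value })
    } catch {
        $aclStatus = "not readable in this context: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        CachedLogonsCount = $count
        Source            = $source
        WithinLimit       = ($count -le $MaxAllowed)
        CacheKeyAcl       = $aclStatus
        NonSystemReaders  = $extraReaders
    }
}

Get-CachedLogonAudit | Format-List
```

An access-denied result in CacheKeyAcl is the expected outcome for an account that has no rights on the SECURITY hive; a non-empty NonSystemReaders list is the finding worth investigating.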


References:
Cached credentials security in Windows Server 2003, in Windows XP, and in Windows 2000
4 Windows 10 settings to prevent credential theft