
Roaming Internet Explorer and Chrome User Saved Passwords with UE-V

Kraft Kennedy

It is possible to capture and roam user-saved passwords in Internet Explorer and Chrome with UE-V, but first you have to complete a few steps.

The first thing to understand is how the passwords are stored, encrypted and decrypted on the local machine. Both web browsers use the Windows DPAPI (Data Protection Application Programming Interface) to encrypt a password when saving it and to decrypt it upon the next use.

The DPAPI relies on a master key protected by a value derived from the user’s domain login password. Each user’s master key is stored in that user’s profile at %APPDATA%\Microsoft\Protect, and since a user’s domain password is the same between sessions and machines, DPAPI is able to decrypt the key on any machine that the user logs into. This means that as long as the master key in the user’s profile is available, IE and Chrome will be able to use it to decrypt any stored browser passwords in their respective caches.

Before roaming anything, the initial step is to ensure that the saving of passwords is enabled and functioning as expected for both web browsers. If it is not working, the roaming of passwords becomes a moot point. Once verified, there are several file and folder locations to be added to the existing UE-V templates.


For Internet Explorer, the needed locations are:


    • AppData\Local\Microsoft\Credentials (folder)
    • AppData\Local\Microsoft\Vault (folder)
    • AppData\Roaming\Microsoft\Credentials (folder)
    • AppData\Roaming\Microsoft\Crypto (folder)
    • AppData\Roaming\Microsoft\Protect (see section below)
    • AppData\Roaming\Microsoft\SystemCertificates (folder)

For Chrome, the needed locations are:


    • AppData\Local\Google\Chrome\User Data\Default\Login Data (file)
    • AppData\Local\Google\Chrome\User Data\Default\Extensions (folder)
    • AppData\Local\Google\Chrome\User Data\First Run (file)
    • AppData\Local\Google\Chrome\User Data\Local State (file)
    • AppData\Local\Google\Chrome\User Data\Default\Bookmarks (file)
    • AppData\Local\Google\Chrome\User Data\Default\Favicons (file)
    • AppData\Local\Google\Chrome\User Data\Default\History (file)
    • AppData\Local\Google\Chrome\User Data\Default\Preferences (file)
    • AppData\Local\Google\Chrome\User Data\Default\Cookies (file)
    • AppData\Roaming\Microsoft\Protect (see section below)

The “Login Data” file contains the saved passwords for Chrome, but the other files and the folder should be added as well for a better end-user experience (I do not recommend that you roam the entire Chrome user data folder, as that can create tremendous bloat in the UE-V profile).

As mentioned earlier, and as marked “(see section below)” in both lists above, both IE and Chrome need the “Protect” folder available for the DPAPI to decrypt the saved passwords. Rather than adding it to both templates, which can cause versioning and sync issues, remove it from both and add it to a new or existing template that is tied to the shell process. In this fashion, the “Protect” folder will be put in place immediately after login and will be available regardless of which browser is launched first. Any updates or changes to the master key will then be saved upon logoff.
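A minimal UE-V settings location template for the dedicated “Protect” template described above, as an added example rather than the author's own template. The Name and ID values are hypothetical, and explorer.exe is assumed to be the shell process.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: the Name and ID values are hypothetical; choose your own. -->
<SettingsLocationTemplate xmlns="http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate">
  <Name>DPAPI Master Keys (example)</Name>
  <ID>Example-DPAPI-Protect</ID>
  <Version>1</Version>
  <Processes>
    <!-- Tie the template to the shell: settings are applied when
         explorer.exe starts at logon and saved when it exits at logoff. -->
    <Process>
      <Filename>explorer.exe</Filename>
    </Process>
  </Processes>
  <Settings>
    <!-- %APPDATA%\Microsoft\Protect, including its subfolders -->
    <File>
      <Root>
        <EnvironmentVariable>APPDATA</EnvironmentVariable>
      </Root>
      <Path Recursive="true">Microsoft\Protect</Path>
    </File>
  </Settings>
</SettingsLocationTemplate>
```

With this template registered, the DPAPI master key files are copied to the UE-V settings storage location, so the access controls on that location protect the keys as well as the browser data.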

The above scenario has been tested successfully on Windows 7 x64 with IE11 (December 2016 CU) and Chrome version 56.0.2924.87, plus in Citrix on Server 2008 R2 with the same versions of IE and Chrome. Further testing is needed to confirm applicability on Windows 10 and Server 2012/2016, but the DPAPI is still used to encrypt/decrypt user passwords so the expected result should be positive. As always with the release of new versions of IE and Chrome, management of user passwords can change and must be monitored for needed updates to existing UE-V templates.