CredWrite function

The CredWrite function creates a new credential or modifies an existing credential in the user's credential set. The new credential is associated with the logon session of the current token. The token must not have the user's security identifier (SID) disabled.


BOOL CredWrite(
  _In_ PCREDENTIAL Credential,
  _In_ DWORD       Flags


Credential [in]

A pointer to the CREDENTIAL structure to be written.

Flags [in]

Flags that control the function's operation. The following flag is defined.


The credential BLOB from an existing credential is preserved with the same credential name and credential type. The CredentialBlobSize of the passed in Credential structure must be zero.


Return value

If the function succeeds, the function returns TRUE.

If the function fails, it returns FALSE. Call the GetLastError function to get a more specific status code. The following status codes can be returned.

Other smart card errors can be returned when writing a CRED_TYPE_CERTIFICATE credential.

Return code/valueDescription

The logon session does not exist or there is no credential set associated with this logon session. Network logon sessions do not have an associated credential set.


Certain fields cannot be changed in an existing credential. This error is returned if a field does not match the value in a protected field of the existing credential.


A value that is not valid was specified for the Flags parameter.


The UserName member of the passed in Credential structure is not valid. For a description of valid user name syntax, see the definition of that member.


CRED_PRESERVE_CREDENTIAL_BLOB was specified and there is no existing credential by the same TargetName and Type.


The CRED_TYPE_CERTIFICATE credential being written requires the smart card reader to be available.


A CRED_TYPE_CERTIFICATE credential being written requires the smart card to be inserted.


The wrong PIN was supplied for the CRED_TYPE_CERTIFICATE credential being written.



This function creates a credential if a credential with the specified TargetName and Type does not exist. If a credential with the specified TargetName and Type exists, the new specified credential replaces the existing one.

When this function writes a CRED_TYPE_CERTIFICATE credential, the Credential->CredentialBlob member specifies the PIN protecting the private key of the certificate specified by the Credential->UserName member. The credential manager does not maintain the PIN. Rather, the PIN is passed to the cryptographic service provider (CSP) indicated on the certificate for later use by the CSP and the authentication packages. The CSP defines the lifetime of the PIN. Most CSPs flush the PIN when the smart card removal from the smart card reader.

If the value of the Type member of the CREDENTIAL structure specified by the Credential parameter is CRED_TYPE_DOMAIN_EXTENDED, a namespace must be specified in the target name. This function does not support writing to target names that contain wildcards.


Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]







Unicode and ANSI names

CredWriteW (Unicode) and CredWriteA (ANSI)

See also