How to Find Saved WiFi Password on Windows

Finding a saved WiFi password on Windows takes seconds — navigate to the Network and Sharing Center, open adapter properties, and the Security tab reveals the stored key in plain text. Our team covers every retrieval method available in Windows 10 and Windows 11 below, from the three-click GUI path to bulk Command Prompt exports. Anyone already investigating connectivity issues will find our guide on how to improve WiFi signal strength a natural companion to this workflow, and both topics fall squarely within our tech tips coverage.

Windows stores all network credentials in WLAN profiles — encrypted XML configuration files managed by the WLAN AutoConfig service. The Data Protection API (DPAPI) encrypts each passphrase at rest, binding it to the local machine account. Administrator-level access unlocks every retrieval path described here. Standard user accounts can still access credentials for the currently connected network via the GUI method, without elevation.

The techniques below apply identically to Windows 10 and Windows 11 at the command line level. Minor UI differences exist in the Settings app between builds, but the netsh wlan syntax is unchanged. Our team has verified all three methods across multiple OS versions and build revisions.

Understanding How Windows Stores WiFi Credentials

The WLAN AutoConfig Service

Windows manages all wireless connectivity through the WLAN AutoConfig service — wlansvc in the services registry. This service handles network discovery, profile management, and automatic reconnection at every boot and resume cycle. Each saved network generates a distinct WLAN profile stored under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\. The files are XML-structured and human-readable in format, but the key material is DPAPI-encrypted and not directly parseable without the correct decryption context.

The service exposes a documented public API — WlanGetProfile — that allows processes with sufficient privileges to request the plaintext passphrase directly. Both the built-in GUI and command-line tools call this API internally. No reverse engineering or third-party tooling is required to access stored credentials through legitimate channels.

Credential Storage Architecture

DPAPI operates at either the user level or the machine level. WiFi profiles use machine-level DPAPI, meaning any local administrator can decrypt them regardless of which user account originally saved the network. This is an intentional design decision — network connectivity must remain accessible across user sessions on shared machines.

• Profile scope: All-user by default; per-user scope available via API flag
• Encryption: AES-256 via DPAPI with machine-bound master key
• Storage path: %ProgramData%\Microsoft\Wlansvc\Profiles\Interfaces\{adapter-GUID}\
• Export format: XML with a <keyMaterial> node containing the plaintext key when exported with the /key flag

Understanding this architecture is essential for anyone responsible for network security posture. Any local administrator account can read every stored passphrase on the machine. This reinforces why strong local account policies and physical device security are non-negotiable baselines. Our team's complete hardening checklist for network credentials is covered in the guide on how to secure a home WiFi network.

When Recovering a Saved WiFi Password Becomes Necessary

Common Scenarios

Most people encounter this need in predictable, recurring situations. The password was configured years ago, the router documentation is gone, and a new device needs credentials. Our team identifies six scenarios that account for the vast majority of credential retrieval requests:

• Onboarding a new device — smartphone, smart TV, tablet, or IoT sensor — onto an established network
• Sharing credentials with a guest without triggering a router password reset
• Migrating to a replacement router while preserving the existing SSID and passphrase
• Recovering credentials after a Windows reinstall or hardware replacement on a secondary machine
• IT inventory audits requiring a documented credential record for all managed endpoints
• Pre-departure documentation for traveling setups — RVs, remote offices, mobile workstations

In enterprise and managed IT contexts, the netsh wlan export profile command used for a single machine scales directly to batch scripts executed via Group Policy or remote management tools. The output is consistent and machine-parseable — well-suited for automated inventory pipelines.

Network Ownership and Access Considerations

Credential retrieval is only appropriate on networks the operator owns or formally administers. Computer fraud statutes in most jurisdictions treat unauthorized access to stored credentials as a criminal offense, even when the technical method requires no exploitation. Our team recommends explicit documented authorization before performing any credential audit in a professional or contractual context.

Home users have full authorization on their own hardware by definition. Managed IT contexts require scope definition — typically formalized in a network access policy, change management ticket, or written authorization from the network owner.

Built-In Windows Tools for Password Recovery

Network and Sharing Center Overview

The GUI method requires no administrator elevation for the currently connected network. It operates through the legacy Control Panel interface, which remains fully functional in both Windows 10 and Windows 11 despite progressive migration toward the Settings app. The navigation path is: Control Panel → Network and Internet → Network and Sharing Center → active connection link → Wireless Properties → Security tab → Show characters.

This path is limited to the currently connected network only. For saved-but-inactive profiles — networks within range or previously connected networks no longer available — Command Prompt or PowerShell is required. The GUI method cannot enumerate or access any profile except the active one.

Command Prompt and PowerShell

The netsh wlan command set is the most capable built-in tool for WLAN profile management. It operates on all saved profiles regardless of current connection state. Core commands used in credential retrieval:

• netsh wlan show profiles — enumerates all saved WLAN profiles by name
• netsh wlan show profile name="NetworkName" key=clear — reveals the plaintext passphrase for a specific profile
• netsh wlan export profile key=clear folder="C:\Export" — exports all profiles as XML files with unencrypted key material

Pro insight: Running netsh wlan show profile name="NetworkName" key=clear as administrator is the single fastest method for credential retrieval — it is fully scriptable, produces consistent output, and works on every Windows version from 7 through 11.

PowerShell provides the same access via .NET interop with the native WLAN API. The PowerShell approach is preferred in automation contexts where output requires structured formatting, programmatic parsing, or integration with a broader inventory or reporting pipeline.

Windows Credential Manager

Windows Credential Manager — accessible via control keymgr.dll — stores domain passwords, RDP session credentials, and certificate-based tokens. WiFi passphrases are not stored here. They exist exclusively in WLAN profiles. Credential Manager is the correct tool for recovering stored network drive passwords and domain authentication tokens, not wireless keys.

Our team flags this distinction because the two are routinely confused. Credential Manager shows nothing relevant for WiFi, which leads many people to conclude the password is unrecoverable — when the WLAN profile path is, in fact, entirely intact and accessible via netsh.

How to Find Saved WiFi Password on Windows: Step-by-Step

Method 1 — GUI via Network Properties

This is the correct path for home users who need a single password with minimal technical overhead. It works on the active connection only and requires no elevation.

1. Press Win + R, type ncpa.cpl, and press Enter to open Network Connections
2. Right-click the active wireless adapter and select Status
3. Click Wireless Properties in the status dialog
4. Navigate to the Security tab
5. Check the Show characters checkbox — the Network security key field reveals the plaintext passphrase

This bypasses the longer Control Panel navigation path and works on all current Windows builds. It is limited strictly to the currently connected network. No offline or inactive profile access is available through this method.

Method 2 — netsh wlan Command

The netsh wlan method accesses all saved profiles, connected or not. Our team considers this the definitive procedure for how to find saved WiFi password on Windows — it is fast, reliable, and works on every Windows version released since Vista.

1. Open Command Prompt as Administrator — press Win + X and select Windows Terminal (Admin) or Command Prompt (Admin)
2. Run netsh wlan show profiles — identify the target profile name from the output list
3. Run netsh wlan show profile name="PROFILE_NAME" key=clear — substitute the exact profile name
4. Locate the Key Content field in the Security settings section of the output

The output also includes the authentication type, cipher algorithm, and connection mode. This information is directly useful for diagnosing compatibility issues with older devices, embedded systems, or IoT hardware with limited protocol support. For anyone simultaneously configuring device access policies, our guide on how to set up parental controls on a home router covers how credential and MAC-based filtering interact at the firmware level.

Method 3 — PowerShell Bulk Export

PowerShell provides the cleanest path for bulk credential retrieval across all saved profiles simultaneously. The following one-liner returns every saved profile name paired with its plaintext key:

(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$_.Matches.Groups[1].Value.Trim()}

This outputs a flat list of passphrases in the same order as the profile enumeration. For structured output with profile name and key pairs, extend the pipeline to construct a PSObject per profile and export the collection to CSV. Our team uses this approach for pre-deployment documentation on managed Windows endpoints and as part of quarterly credential audits on fleet machines.

Managing and Securing Stored Network Credentials

Removing Stale Network Profiles

Every saved WLAN profile is a stored credential. Profiles accumulated from hotel networks, conference venues, airports, and former workplaces expand the attack surface on any machine where credential theft is a realistic concern. Our team audits WLAN profiles on all managed machines on a quarterly cycle.

Removal paths by preference:

• Settings GUI: Settings → Network & Internet → Wi-Fi → Manage known networks → Forget
• Single profile: netsh wlan delete profile name="NetworkName"
• Bulk delete: netsh wlan delete profile name=* i=* — removes all saved profiles immediately

The bulk delete command should be executed with deliberate caution on primary workstations. All credentials are lost permanently and cannot be recovered from the WLAN profile path after deletion. Our team documents all profile names and keys prior to any bulk operation. This is non-negotiable practice before running fleet-wide profile resets.

WEP and TKIP profiles discovered during enumeration should be treated as an immediate remediation priority. Both authentication protocols are cryptographically broken. Any network still operating on WEP or TKIP should have its router reconfigured to WPA2-AES or WPA3 before the next connection attempt.

Auditing Stored Passwords Periodically

Periodic credential audits catch weak passphrases, unauthorized profile additions, and protocol downgrades before they become security incidents. A clean, documented profile inventory also reduces association latency on machines with large numbers of saved networks — the WLAN AutoConfig service evaluates all saved profiles during each association attempt.

Our recommended audit checklist:

• Export all profiles with netsh wlan export profile key=clear and archive the output with a date-stamped filename
• Flag any profile with WEP or TKIP authentication — both are deprecated and must not remain in production
• Remove profiles for networks no longer in active rotation
• Verify that passphrases for active networks meet current complexity requirements — minimum 12 characters, mixed character classes, no dictionary words
• Cross-reference profile names against known corporate SSIDs to identify potential evil-twin exposure
• Confirm that all remaining profiles use WPA2-AES or WPA3-SAE authentication

WPA3 adoption remains incomplete across consumer and prosumer hardware. WPA2-AES with a strong, unique passphrase remains the practical baseline for most home and small-office deployments. Our team tracks authentication protocol support across all device inventories and escalates WEP or TKIP findings to immediate remediation, regardless of the network's perceived threat exposure.

Frequently Asked Questions

Every WiFi password on a Windows machine is already recoverable — the only variable is whether the operator knows where to look.