Purge saved Chrome, Edge, and Firefox passwords from every user profile on Windows endpoints
This Automox Worklet™ deletes saved credentials from Google Chrome, Microsoft Edge, and Mozilla Firefox across every user profile on a Windows endpoint. The Worklet walks each subdirectory under C:\Users, locates the per-browser password stores, and removes the files that hold cached login data.
For Chrome and Edge, the target is the SQLite database named Login Data inside the Default profile and any numbered Profile N directory. Chrome stores its file under AppData\Local\Google\Chrome\User Data\<profile>\, and Edge stores its file under AppData\Local\Microsoft\Edge\User Data\<profile>\. For Firefox, the targets are logins.json, logins-backup.json, and key4.db inside each randomly named profile directory under AppData\Roaming\Mozilla\Firefox\Profiles\.
The evaluation script exits non-zero the moment it finds Chrome or Edge Login Data, or a Firefox logins.json or key4.db, in any profile. A single dormant Firefox profile or a numbered Chrome profile is enough to flag the endpoint for remediation. The remediation script then calls Stop-Process -Name msedge -Force to release the file lock Edge holds on Login Data, retries the Edge delete up to five times with a five-second pause between attempts, and clears the Chrome and Firefox files in the same pass.
Browser password stores are a primary target for commodity infostealer malware. RedLine, Raccoon, LummaC2, StealC, and Vidar all enumerate %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, the equivalent Edge SQLite database, and the Firefox key4.db plus logins.json pair within seconds of execution. The malware decrypts the entries with the DPAPI-protected master key and exfiltrates plaintext credentials to operator infrastructure. A laptop that boots once on an open network with cached corporate credentials in Chrome is a laptop whose SSO, VPN, and Microsoft 365 sessions now live on someone else's server.
Removing those artifacts on every Windows endpoint in scope empties the cache that infostealers exfiltrate, and a recurring policy run keeps the cache empty even after a user re-saves credentials through the browser's Save Password prompt. NIST SP 800-63B explicitly steers organizations away from local browser password stores in favor of dedicated password managers. This Worklet is the enforcement step that brings the fleet in line with that guidance and the cleanup step you run after any suspected credential-theft incident.
Evaluation phase: The Worklet enumerates every subdirectory of C:\Users and, for each user profile, checks three locations: AppData\Local\Google\Chrome\User Data\ for Chrome Login Data, AppData\Local\Microsoft\Edge\User Data\ for Edge Login Data, and AppData\Roaming\Mozilla\Firefox\Profiles\ for logins.json and key4.db. Each browser profile (Default, Profile 1, Profile 2, plus Firefox's <random>.default and <random>.default-release directories) is inspected in turn. If any of those files exist, the script writes a Console-visible line naming the path and exits non-zero so Automox schedules remediation.
Remediation phase: For each user profile under C:\Users, the script deletes Login Data from every Default and Profile N folder under that user's Chrome installation, calls Stop-Process -Name msedge -Force -ErrorAction SilentlyContinue to release Edge's file lock, then deletes Login Data from each Default and Profile N folder under that user's Edge installation. The Edge delete is wrapped in a five-attempt retry loop with a five-second sleep between attempts, which covers cases where Edge respawns under msedge.exe before the lock releases. The Firefox pass removes logins.json, logins-backup.json, and key4.db from every profile directory it finds. The Worklet emits a final 'Password database cleanup for Chrome, Edge, and Firefox completed.' line and exits 0 on success.
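The Edge retry behavior described above, sketched as an added example; this is not the Worklet's own code. Remove-FileWithRetry, its parameters, and the sample user path are hypothetical, and re-issuing Stop-Process inside the loop is a choice made for this example.

```powershell
# Added example, not the Worklet's code. Names and the sample path are assumptions.
function Remove-FileWithRetry {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$MaxAttempts  = 5,   # five attempts, as the page describes
        [int]$DelaySeconds = 5    # five-second pause between attempts
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # Nothing to do if the file is absent (never existed or already removed).
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $true }
        try {
            # -ErrorAction Stop makes a locked-file failure catchable.
            Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
            Write-Host "Deleted: $Path"
            return $true
        }
        catch {
            Write-Host "Attempt $attempt of $MaxAttempts failed for '$Path': $($_.Exception.Message)"
            # Edge may have respawned and re-taken the lock (example's assumption).
            Stop-Process -Name msedge -Force -ErrorAction SilentlyContinue
            if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
        }
    }
    return $false   # still locked after the final attempt
}

# Release Edge's lock once up front, then clear each Default / Profile N folder.
Stop-Process -Name msedge -Force -ErrorAction SilentlyContinue
$edgeRoot = 'C:\Users\example.user\AppData\Local\Microsoft\Edge\User Data'  # constructed sample path
$failed = 0
$edgeProfiles = Get-ChildItem -LiteralPath $edgeRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
foreach ($dir in $edgeProfiles) {
    $target = Join-Path $dir.FullName 'Login Data'
    if (-not (Remove-FileWithRetry -Path $target)) { $failed++ }
}
Write-Host "Edge Login Data cleanup finished; $failed file(s) could not be removed."
```

A non-zero failure count after the loop is the signal to investigate what still holds the file open rather than to report the endpoint as clean.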
Windows 10, Windows 11, or Windows Server 2016 and later. The script enumerates C:\Users, so any Windows version that ships that profile root is supported
PowerShell 3.0 or higher for Test-Path, Get-ChildItem -Directory, and Stop-Process -ErrorAction SilentlyContinue
Local administrator context on the endpoint so the Automox agent can read and delete files under every user profile, including profiles for accounts that are not currently signed in
At least one of Google Chrome, Microsoft Edge, or Mozilla Firefox installed. The Worklet is a no-op against any browser whose User Data directory does not exist
Acceptance that remediation closes Microsoft Edge without warning. Stage the Worklet during a maintenance window, or pair it with a user-notification Worklet, if your fleet runs Edge interactively during business hours
Optional: pair with a Group Policy or Intune setting that disables PasswordManagerEnabled in Chrome and Edge so users cannot re-save credentials between Worklet runs
After remediation, Login Data is absent from every Chrome and Edge profile directory under each user profile, and logins.json, logins-backup.json, and key4.db are absent from every Firefox profile directory. Opening Chrome, Edge, or Firefox no longer offers autofill for previously saved credentials, and the password manager surface in each browser shows an empty list. The next evaluation run exits 0 against the endpoint until a user manually saves a new password.
To audit the result, run Test-Path against the same paths the script targets, or list the User Data directories with Get-ChildItem -Recurse -Filter 'Login Data'. The Automox Console activity log records each deleted path and the final cleanup line, so an auditor can map a single policy run to the exact files removed on each endpoint. The same evidence supports internal credential-hygiene policies that call for clearing cached browser passwords on a fixed cadence or after a lost-laptop event.
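A read-only check covering the paths named in the evaluation phase and in the audit step above, written as an added example and not taken from the Worklet. Get-BrowserCredentialStore is a hypothetical function name, and exit code 1 is this example's choice for "non-zero".

```powershell
# Added example, not the Worklet's code. Function name and exit code are assumptions.
function Get-BrowserCredentialStore {
    param([string]$UsersRoot = 'C:\Users')
    # Chromium browsers keep Login Data inside Default and Profile N directories.
    $chromium = @{
        Chrome = 'AppData\Local\Google\Chrome\User Data'
        Edge   = 'AppData\Local\Microsoft\Edge\User Data'
    }
    # Firefox keeps its stores inside each randomly named profile directory.
    $firefoxRoot  = 'AppData\Roaming\Mozilla\Firefox\Profiles'
    # Evaluation looks at logins.json and key4.db; logins-backup.json is listed
    # too because remediation removes it and a post-run audit should confirm that.
    $firefoxFiles = 'logins.json', 'logins-backup.json', 'key4.db'

    foreach ($user in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
        foreach ($browser in $chromium.Keys) {
            $userData = Join-Path $user.FullName $chromium[$browser]
            if (-not (Test-Path -LiteralPath $userData)) { continue }
            $dirs = Get-ChildItem -LiteralPath $userData -Directory -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
            foreach ($dir in $dirs) {
                $file = Join-Path $dir.FullName 'Login Data'
                if (Test-Path -LiteralPath $file -PathType Leaf) {
                    [pscustomobject]@{ User = $user.Name; Browser = $browser; Path = $file }
                }
            }
        }
        $profilesDir = Join-Path $user.FullName $firefoxRoot
        if (-not (Test-Path -LiteralPath $profilesDir)) { continue }
        foreach ($ffProfile in Get-ChildItem -LiteralPath $profilesDir -Directory -ErrorAction SilentlyContinue) {
            foreach ($name in $firefoxFiles) {
                $file = Join-Path $ffProfile.FullName $name
                if (Test-Path -LiteralPath $file -PathType Leaf) {
                    [pscustomobject]@{ User = $user.Name; Browser = 'Firefox'; Path = $file }
                }
            }
        }
    }
}

# Report each remaining store by path, then signal the result through the exit code.
$found = @(Get-BrowserCredentialStore)
foreach ($hit in $found) { Write-Output "Found $($hit.Browser) store: $($hit.Path)" }
if ($found.Count -gt 0) { exit 1 }
exit 0
```

Run it from an elevated session so profiles of accounts that are not signed in are readable; an unreadable profile would otherwise look clean.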

