What are the two main categories of credentials stored in Windows Credential Manager, and what is the key difference between them in terms of access permissions?

The two main categories are Domain Credentials and Generic Credentials. Domain Credentials can only be read and written by the Local Security Authority (LSA), meaning normal user permissions cannot extract their plaintext passwords. Generic Credentials, however, can be read and written by user processes, so regular permissions can often extract their plaintext passwords. This distinction guides tool selection during information retrieval from Windows Credential Manager.