IRONSMITHINTEL
Severity: HIGH | Auth: local admin (for exploitation) | Reboot: required | Est. 10 minutes + reboot | Script package available

Enable PPL Protection on LSASS to Prevent Credential Dumping via Mimikatz

Running LSASS as a Protected Process Light (PPL) stops user-mode credential-dumping tools such as Mimikatz, ProcDump and Task Manager from obtaining a readable handle to LSASS memory, even from a local administrator or SYSTEM context. An attacker who can load a kernel driver can still strip the protection, so treat PPL as raising the cost and visibility of the attack rather than making LSASS unreadable in every case.

Tested on Windows Server 2022 · Rollback included

Published May 7, 2026 · Updated May 7, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

A local administrator on any domain-joined server can dump LSASS memory in seconds and extract NTLM hashes, Kerberos tickets and, where a provider such as WDigest still caches them, plaintext passwords for every account with a logon session on that host, including any Domain Admin who has logged on. Those credentials feed pass-the-hash, pass-the-ticket and other lateral movement, and frequently end in full domain compromise. With PPL enabled, a user-mode tool cannot obtain a readable handle to LSASS at all; the attacker must first remove the protection from the kernel, for example by loading a driver (Mimikatz ships mimidrv.sys for exactly this) or exploiting a kernel bug. That step needs a signed driver or an exploit, is recorded as a driver load, and is blocked outright where HVCI or the vulnerable-driver blocklist is enforced, so it is both harder and far more visible to defenders.

How the attack works

LSASS (lsass.exe) is the process that performs Windows authentication, and it keeps credential material for every active logon session in its memory: Kerberos tickets and keys, NTLM hashes and, in some configurations (for example WDigest with UseLogonCredential enabled), plaintext passwords. Without PPL, LSASS is an ordinary process: any local administrator can enable SeDebugPrivilege, open it with PROCESS_VM_READ and read or dump that memory with Mimikatz's sekurlsa module, ProcDump, or Task Manager's "Create dump file", then parse the dump offline on another machine. This is MITRE ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory) and a staple of post-compromise lateral movement.

Am I affected? Quick check

Probably yes if RunAsPPL is 0 or not set on the host. Check every Windows Server, in this order of priority:

- Domain Controllers
- Jump hosts and any other server where privileged accounts log on
- Member servers

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: LSASS PPL enabled (RunAsPPL = 2)
Real-world incidents: what we've seen

LSASS credential dumping is among the most common post-exploitation techniques seen in incident response engagements. Ransomware operators dump LSASS on every server they land on to accumulate credentials, and without PPL a single compromised server that a Domain Admin has logged on to can yield Domain Admin credentials within minutes.

How to patch (recommended: PowerShell script)

Script package v1.0.0 · Tested on Windows Server 2022

Fix-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1 (3.7 KB)
Rollback-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1 (2.7 KB)

SHA-256: 38b31eb623b7c1a82694e01dbf30531cdc276cde204bdaebb4f4727557edb907

Run interactively

.\Fix-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1

Run silently (SCCM / Intune)

.\Fix-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1 -Silent -OutputPath C:\Logs

Manual fallback (no script)

10 minutes + reboot

Check Current LSASS Protection Status

$val = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
if ($val.RunAsPPL -ge 1) {
    Write-Host "SECURE: LSASS PPL is enabled (RunAsPPL = $($val.RunAsPPL))" -ForegroundColor Green
} else {
    Write-Host "VULNERABLE: LSASS PPL is not enabled" -ForegroundColor Red
}

Enable LSASS PPL Protection

# 2 = enabled without the UEFI lock (reversible from the registry; see Notes). Takes effect at the next boot.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 2 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPLBoot -Value 2 -Type DWord

Verification After Reboot

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' | Select-Object RunAsPPL, RunAsPPLBoot
# RunAsPPL must be 1 or 2. This only shows the configured value. To confirm LSASS actually started
# protected, look in the System event log for event ID 12 from Wininit at the last boot
# ("LSASS.exe was started as a protected process with level: 4").

Notes

1. Requires reboot: PPL takes effect when LSASS starts at the next boot, not immediately.
2. RunAsPPL = 1 enables PPL with the UEFI lock: the setting is also written to a UEFI variable, deleting the registry value no longer turns it off, and removing it requires booting Microsoft's LSAPPLConfig.efi opt-out tool from the local console. RunAsPPL = 2 enables PPL without the UEFI lock; that is what this fix sets and what makes a registry-based rollback possible. Microsoft documents the 1-versus-2 distinction as enforced on Windows 11 version 22H2 and later; on older builds (Microsoft's original guidance was simply RunAsPPL = 1) enabling protection on a Secure Boot system may also set the UEFI variable, so confirm whether it was written before relying on a registry-only rollback.
3. Test on a non-production server first: LSA plug-ins and some third-party security or authentication products that load into LSASS are not signed to the level PPL requires and will fail to load. Microsoft's audit mode (DWORD AuditLevel = 8 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe) logs such plug-ins as events 3065 and 3066 in the Microsoft-Windows-CodeIntegrity/Operational log without blocking them.
4. Can be deployed via Group Policy on builds that ship the policy: Computer Configuration → Administrative Templates → System → Local Security Authority → "Configures LSASS to run as a protected process" (choose "Enabled without UEFI Lock" to match this fix).
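The manual procedure and notes 1 to 3 above describe a staged rollout: audit first, enforce only when the audit log is clean, keep what is needed to roll back. The following is an added example that is not the page's script package: it implements that sequence as idempotent functions. The backup file location under ProgramData, the function names and the reuse of the package's 0 / 1 / 3010 exit codes are this example's own assumptions; the audit-mode registry value and the 3065/3066 event IDs are the ones Microsoft documents.

```powershell
# Added example, not part of the original page or its script package.
# Stage 1: turn on LSA audit mode and reboot; plug-ins that PPL would block are logged, not blocked.
# Stage 2: after a soak period, enforce PPL only if no audit events exist (or -Force), saving the
#          previous registry values so the change can be reverted exactly.

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$IfeoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$BackupFile = Join-Path $env:ProgramData 'LsassPpl-previous-values.json'   # assumed location

function Enable-LsassPplAuditMode {
    # AuditLevel = 8 makes LSASS log plug-ins that fail the PPL signing requirement instead of refusing them.
    if (-not (Test-Path $IfeoKey)) { New-Item -Path $IfeoKey -Force | Out-Null }
    Set-ItemProperty -Path $IfeoKey -Name AuditLevel -Value 8 -Type DWord
    Write-Host 'Audit mode configured. Reboot, run the normal workload for a while, then call Enable-LsassPpl.'
}

function Get-LsassPplAuditFindings {
    # 3065/3066 in the CodeIntegrity log are the "would have been blocked under PPL" events written in audit mode.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-LsassPpl {
    param([switch]$Force)
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    if ($lsa.RunAsPPL -ge 1) {
        Write-Host "Already configured (RunAsPPL = $($lsa.RunAsPPL)); nothing to do."
        return 0
    }

    $findings = @(Get-LsassPplAuditFindings)
    if ($findings.Count -gt 0 -and -not $Force) {
        Write-Warning "$($findings.Count) audit event(s) show LSA plug-ins that PPL would block. Fix them or re-run with -Force."
        $findings | Format-Table -AutoSize | Out-String | Write-Warning
        return 1
    }

    # Keep the pre-change values (null = value did not exist) so a rollback restores exactly that state.
    [pscustomobject]@{ RunAsPPL = $lsa.RunAsPPL; RunAsPPLBoot = $lsa.RunAsPPLBoot } |
        ConvertTo-Json | Set-Content -Path $BackupFile

    # 2 = enabled without the UEFI lock, which is what lets Restore-LsassPpl undo it from the registry.
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL     -Value 2 -Type DWord
    Set-ItemProperty -Path $LsaKey -Name RunAsPPLBoot -Value 2 -Type DWord
    Write-Host 'RunAsPPL = 2 set; LSASS runs protected from the next boot.'
    return 3010
}

function Restore-LsassPpl {
    # Rollback: put back whatever was saved rather than blindly deleting the values.
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; refusing to guess the previous state." }
    $prev = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($name in 'RunAsPPL', 'RunAsPPLBoot') {
        if ($null -eq $prev.$name) {
            Remove-ItemProperty -Path $LsaKey -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $LsaKey -Name $name -Value ([int]$prev.$name) -Type DWord
        }
    }
    Write-Host 'Previous values restored; LSASS runs unprotected again after the next boot.'
    return 3010
}

# Usage, in two separate maintenance windows (each function runs elevated):
#   Enable-LsassPplAuditMode; Restart-Computer
#   ... soak period ...
#   $rc = Enable-LsassPpl; if ($rc -eq 3010) { Restart-Computer }
```

The enforce step deliberately refuses to proceed while audit events exist: on a server running a third-party LSA plug-in, enabling PPL without this check breaks authentication for that product at the next boot, which is exactly the failure note 3 warns about.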

Verify after patching

Confirm the protection is configured and, after the reboot, actually in effect: the registry should show RunAsPPL = 2 (a value of 1 is also protected), and the System event log should contain a Wininit event ID 12 for the last boot stating that LSASS.exe was started as a protected process with level 4.
Script details · parameters · exit codes

Tested on: Windows Server 2022
Reboot: required
SCCM: compatible
Est. time: 10 minutes + reboot

Parameters

-Silent       Suppress all console output. Always used when called via API or SCCM.
-OutputPath   Directory for log files and downloaded installers. Defaults to the script directory.

How to Run

Interactive — see output in console

.\Fix-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1

Silent mode — for SCCM / automation

.\Fix-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1 -Silent

With custom log path

.\Fix-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1 -OutputPath "C:\Logs"

Exit Codes

Code   Meaning
0      Success: fix applied or already patched
1      Failure: check log file
3010   Success: reboot required to complete
Fix, idempotency, and rollback verified on Windows Server 2022.

Rollback available. If this fix causes issues, run Rollback-Windows-Server-Lsass-Protection-Enabled-Hardening.ps1 to restore the previous registry values, then reboot; LSASS runs unprotected again only after the restart. A registry rollback works because the fix uses RunAsPPL = 2 (no UEFI lock). If protection was ever enabled with the UEFI lock, the registry change alone will not disable it and Microsoft's LSAPPLConfig.efi tool must be run from the local console to clear the UEFI variable first.