IRONSMITHINTEL
Severity: HIGH · Auth: local access · Reboot: logon required · Est. 10 minutes

Disable WDigest to Prevent Plaintext Credential Caching in LSASS Memory

Disabling WDigest stops Windows from storing your users' passwords in plaintext in server memory, where tools like Mimikatz can read them in seconds.

Tested on WS2022 · Rollback included

Published May 3, 2026 · Updated May 7, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An attacker who gains any foothold on your server — even a low-privileged service account — can run Mimikatz in two commands and read the plaintext passwords of every user currently logged on, including Domain Admins. This is one of the most common techniques used in ransomware attacks and internal penetration tests.

How the attack works

WDigest is a legacy authentication protocol from the early 2000s. Windows Server keeps WDigest enabled by default for backwards compatibility. When enabled, Windows stores a copy of every logged-on user's password in plaintext in LSASS memory. This means any attacker who reaches LSASS — and Mimikatz makes this trivially easy — can read every active user's password in cleartext.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers
Domain Controllers
Member Servers
Jump Hosts
Running WDigest enabled (UseLogonCredential = 1 or not set)

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022

Fixed in: WDigest disabled (UseLogonCredential = 0)

Real-world incidents: what we've seen

A penetration tester with access to a single compromised service account runs Mimikatz on a member server during a client engagement. Within 30 seconds they have the plaintext password of a Domain Administrator who is logged on. They use it to access every server in the domain. This finding appears in the majority of internal penetration test reports against Windows environments.

How to patch (recommended: PowerShell script)

Script package v1.0.0 · Tested on WS2022

Fix-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1

3.8 KB

Rollback-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1

2.4 KB

SHA-256: 7fa0de1bc6aeea6d512eedcad662238ec94cb357516adf40a9dd5d6d683aca3f

Run interactively

.\Fix-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1

Run silently (SCCM / Intune)

.\Fix-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1 -Silent -OutputPath C:\Logs

Manual fallback (no script)

10 minutes

Check Current Status

$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$val = Get-ItemProperty -Path $path -Name UseLogonCredential -ErrorAction SilentlyContinue
if ($val.UseLogonCredential -eq 0) {
    Write-Host 'SECURE: WDigest is disabled' -ForegroundColor Green
} else {
    Write-Host 'VULNERABLE: WDigest is enabled or not configured' -ForegroundColor Red
}

Disable WDigest

$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
Set-ItemProperty -Path $path -Name UseLogonCredential -Value 0 -Type DWord

Verification

(Get-ItemProperty -Path $path).UseLogonCredential
# Must return 0

Notes

1. Takes effect at next user logon — currently logged-on users remain cached until they log off
2. No application compatibility issues expected on modern Windows
3. Can be deployed via Group Policy: Computer Configuration → Administrative Templates → MS Security Guide → WDigest Authentication
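As an added example (not the IronsmithIntel Fix/Rollback scripts), the manual steps above combined into an idempotent fix that records the prior value before changing it, so the change can be reverted the way the Fix/Rollback pair is described. The function names, the state file wdigest-state.json and the default output path C:\ProgramData are assumptions.

```powershell
# Added example, not the site's Fix/Rollback scripts. Function names, the
# state file name and the default output path are assumptions.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    # $null when UseLogonCredential is not set, otherwise the DWORD as an int.
    # The page treats both "not set" and 1 as vulnerable; only 0 is secure.
    $item = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.UseLogonCredential
}

function Set-WDigestDisabled {
    # Returns an exit code matching the page's table: 0 success/already patched, 1 failure.
    param([string]$OutputPath = $env:ProgramData)
    $stateFile = Join-Path $OutputPath 'wdigest-state.json'
    $before = Get-WDigestState
    if ($before -eq 0) { Write-Host 'SECURE: already disabled'; return 0 }   # idempotent
    # Save the prior value ($null = not set) so Restore-WDigestState can undo the change
    @{ Previous = $before; Changed = (Get-Date).ToString('o') } |
        ConvertTo-Json | Set-Content -Path $stateFile -Encoding UTF8
    try {
        Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord -ErrorAction Stop
    } catch {
        Write-Host "FAILED to write UseLogonCredential: $_"; return 1
    }
    if ((Get-WDigestState) -ne 0) { Write-Host 'FAILED: read-back is not 0'; return 1 }
    # Already logged-on users stay cached in LSASS until they log off (see Notes)
    Write-Host 'SECURE: WDigest disabled; takes effect at next logon'
    return 0
}

function Restore-WDigestState {
    # Reverts to the recorded state: removes the value if it did not exist before.
    param([string]$OutputPath = $env:ProgramData)
    $stateFile = Join-Path $OutputPath 'wdigest-state.json'
    if (-not (Test-Path $stateFile)) { Write-Host 'FAILED: no saved state'; return 1 }
    $saved = Get-Content -Path $stateFile -Raw | ConvertFrom-Json
    if ($null -eq $saved.Previous) {
        Remove-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value ([int]$saved.Previous) -Type DWord
    }
    return 0
}

# Run as a script (not dot-sourced): the exit code feeds SCCM/Intune.
exit (Set-WDigestDisabled -OutputPath 'C:\Logs')
```

To roll back, run Restore-WDigestState -OutputPath 'C:\Logs' from the same directory the state file was written to; a value that did not exist before the fix is removed rather than set to 1.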

Verify after patching

Confirm the setting is in place by re-running the Check Current Status command above:

# Expect: SECURE: WDigest is disabled (UseLogonCredential = 0)
Script details · parameters · exit codes

Tested on: WS2022
Reboot: Logon required
SCCM: Compatible
Est. time: 10 minutes

Parameters

-Silent: Suppress all console output. Always used when called via API or SCCM.
-OutputPath: Directory for log files and downloaded installers. Defaults to script directory.

How to Run

Interactive — see output in console

.\Fix-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1

Silent mode — for SCCM / automation

.\Fix-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1 -Silent

With custom log path

.\Fix-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1 -OutputPath "C:\Logs"

Exit Codes

Code    Meaning
0       Success — fix applied or already patched
1       Failure — check log file
3010    Success — reboot required to complete
Fully tested: fix, idempotency, and rollback verified on WS2022.

⚠ Rollback available. If this fix causes issues, run Rollback-Windows-Server-Wdigest-Authentication-Disabled-Hardening.ps1 to restore the previous state.