Public/Disable-WDigestAuthentication.ps1

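function Disable-WDigestAuthentication {
    <#
    .SYNOPSIS
        Prevents Windows from caching plaintext credentials in LSASS memory via WDigest.
    .DESCRIPTION
        Sets the UseLogonCredential DWORD value to 0 under the WDigest security provider
        registry key, which stops the WDigest provider from keeping plaintext logon
        credentials in LSASS memory. This is one of the primary mitigations against
        credential dumping tools such as Mimikatz.
        The registry key is created if it does not exist.
        Changes take effect for new logon sessions; a restart ensures all existing sessions
        are also cleared.
        Any failure to write the value (locally or on the remote machine) is raised as a
        terminating error, so the function never reports success or restarts the target
        when the change was not applied.
    .INPUTS
        None. Parameters must be supplied directly.
    .OUTPUTS
        None.
    .PARAMETER ComputerName
        The target computer. Defaults to the local machine.
    .PARAMETER Force
        Restarts the computer immediately after applying the change to ensure the WDigest
        credential cache is cleared for all active sessions. The restart is forced
        (logged-on users are not given the chance to save work) and is subject to its own
        confirmation prompt.
    .EXAMPLE
        Disable-WDigestAuthentication

        Disables WDigest credential caching on the local machine.
    .EXAMPLE
        Disable-WDigestAuthentication -ComputerName 'Server01' -Force

        Disables WDigest on Server01 and restarts it immediately.
    .NOTES
        Requires Administrator privileges.
        Remote operations require WinRM to be configured on the target machine.
        On Windows 7 / Server 2008 R2 / Windows 8 / Server 2012 the UseLogonCredential value
        is only honoured once update KB2871997 is installed; on Windows 8.1 / Server 2012 R2
        and later, caching is already off when the value is absent.
        This setting only covers WDigest. Other credential material held by LSASS (NTLM
        hashes, Kerberos tickets) is not affected and needs separate controls.
        Anyone with administrative access can set the value back to 1, so enforce it through
        Group Policy or configuration management and alert on modifications to it.
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    [OutputType([void])]

    param (
        [Parameter(Mandatory = $false)]
        [string]$ComputerName = $env:COMPUTERNAME,

        [Parameter(Mandatory = $false)]
        [switch]$Force
    )

    # Local targets are handled in-process so that WinRM is not needed for the common case.
    $isLocal = ($ComputerName -ieq $env:COMPUTERNAME) -or
               ($ComputerName -ieq 'localhost') -or
               ($ComputerName -eq '127.0.0.1')

    $registryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $valueName    = 'UseLogonCredential'

    if ($PSCmdlet.ShouldProcess($ComputerName, "Set $valueName = 0 under WDigest")) {
        # The same script block runs locally or remotely; path and value name are passed
        # as arguments because a remote session cannot see the caller's variables.
        $work = {
            param($registryPath, $valueName)
            if (-not (Test-Path -Path $registryPath)) {
                # Stop on failure: a missing key must not be silently ignored.
                New-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null
            }
            Set-ItemProperty -Path $registryPath -Name $valueName -Value 0 -Type DWord -ErrorAction Stop
        }

        if ($isLocal) {
            & $work $registryPath $valueName
        } else {
            # Without -ErrorAction Stop, a connection failure or a remote error is only a
            # non-terminating error here, and the code below would still report success
            # and (with -Force) restart a machine whose configuration was never changed.
            Invoke-Command -ComputerName $ComputerName -ScriptBlock $work `
                -ArgumentList $registryPath, $valueName -ErrorAction Stop
        }

        Write-Verbose "WDigest authentication disabled on '$ComputerName'."
        Write-Warning "Changes take effect for new logon sessions. Restart to clear all active session caches."

        # The restart is a separate high-impact action, so it gets its own confirmation.
        if ($Force -and $PSCmdlet.ShouldProcess($ComputerName, 'Restart computer to apply changes')) {
            Restart-Computer -ComputerName $ComputerName -Force
        }
    }
}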