{"id":2479,"date":"2023-04-14T12:33:08","date_gmt":"2023-04-14T16:33:08","guid":{"rendered":"https:\/\/increasec.com\/?p=2479"},"modified":"2026-03-04T10:28:15","modified_gmt":"2026-03-04T15:28:15","slug":"howto-verify-your-domain-isnt-using-lm-or-ntlmv1","status":"publish","type":"post","link":"https:\/\/increasec.com\/?p=2479","title":{"rendered":"HowTo Verify your Domain isn&#8217;t using LM or NTLMv1"},"content":{"rendered":"\n<p>some explan goes here<\/p>\n\n\n\n<p>Open your fav MMC console, or go to Start, Run, type mmc.exe and press Enter<\/p>\n\n\n\n<p>File, Add\/Remove Snap-in<br>In the left pane, choose Computer Management<br>In the Select a Computer dialog, select Another Computer and type the FQDN (Fully Qualified Domain Name) of your Domain Controller, Finish, OK<\/p>\n\n\n\n<p>Open System Tools, Event Viewer<br>Right-click Event Viewer, Create Custom View<br>Click the XML tab, then tick the &#8220;Edit Query Manually&#8221; box<br>Click Yes to any warning you get<\/p>\n\n\n\n<p>Paste the following into the box<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"538\" height=\"549\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2023\/04\/image-1.png\" alt=\"\" class=\"wp-image-2481\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2023\/04\/image-1.png 538w, https:\/\/increasec.com\/wp-content\/uploads\/2023\/04\/image-1-294x300.png 294w\" sizes=\"auto, (max-width: 538px) 100vw, 538px\" \/><\/figure>\n\n\n\n<p>Stooopid WordPress won&#8217;t let me paste the text in here so just get it from the source linked below<\/p>\n\n\n\n<p><a href=\"https:\/\/gist.github.com\/jschlackman\/90937d34850159269c46c7a799fb878b\">https:\/\/gist.github.com\/jschlackman\/90937d34850159269c46c7a799fb878b<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Login Auth LM past 30 days:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;QueryList>\n  &lt;Query Id=\"0\" Path=\"Security\">\n    &lt;Select Path=\"Security\">\n      
*&#91;System&#91;(EventID=4776 or EventID=4624 or EventID=4625) \n      and TimeCreated&#91;timediff(@SystemTime) &amp;lt;= 2592000000]]]\n      and\n      *&#91;EventData&#91;Data&#91;@Name=\"AuthenticationPackageName\"]=\"NTLM\"]]\n      and\n      *&#91;EventData&#91;Data&#91;@Name=\"LmPackageName\"]=\"LM\"]]\n    &lt;\/Select>\n  &lt;\/Query>\n&lt;\/QueryList><\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>Login Auth NTLMv1 past 7 days:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;QueryList>\n  &lt;Query Id=\"0\" Path=\"Security\">\n    &lt;Select Path=\"Security\">\n      *&#91;System&#91;(EventID=4776 or EventID=4624 or EventID=4625) \n      and TimeCreated&#91;timediff(@SystemTime) &amp;lt;= 604800000]]]\n      and\n      *&#91;EventData&#91;Data&#91;@Name=\"AuthenticationPackageName\"]=\"NTLM\"]]\n      and\n      *&#91;EventData&#91;Data&#91;@Name=\"LmPackageName\"]=\"NTLM V1\"]]\n    &lt;\/Select>\n  &lt;\/Query>\n&lt;\/QueryList><\/code><\/pre>\n\n\n\n<p>Login Auth NTLMv2 past 7 days:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;QueryList>\n  &lt;Query Id=\"0\" Path=\"Security\">\n    &lt;Select Path=\"Security\">\n      *&#91;System&#91;(EventID=4776 or EventID=4624 or EventID=4625) \n      and TimeCreated&#91;timediff(@SystemTime) &amp;lt;= 604800000]]]\n      and\n      *&#91;EventData&#91;Data&#91;@Name=\"AuthenticationPackageName\"]=\"NTLM\"]]\n      and\n      *&#91;EventData&#91;Data&#91;@Name=\"LmPackageName\"]=\"NTLM V2\"]]\n    &lt;\/Select>\n  &lt;\/Query>\n&lt;\/QueryList><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>some explan goes here open your fav MMC console OR start, run, mmc.exe (enter) File, Add \/ Remove Snap InIn the left pane choose Computer ManagementIn the Select a 
Computer&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[51],"class_list":["post-2479","post","type-post","status-publish","format-standard","hentry","category-uncategorised","tag-domain"],"_links":{"self":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/2479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2479"}],"version-history":[{"count":4,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/2479\/revisions"}],"predecessor-version":[{"id":4108,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/2479\/revisions\/4108"}],"wp:attachment":[{"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}