How to check what ntlm version you are using in your domain

Md. Mahim Bin Firoj
1 min readAug 30, 2023

Navigate to the following registry path.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

If NtlmMinClientSec and NtlmMinServerSec DWORD value stars with,

512 then it is NTLMv1

5376 then it is NTLMv2

5368 then it is NTLMv2-SSP

SSP means security support provider. NTLM provides ESS functionality (Extended Session Security) which adds to the complexity of the NTLM hash. ESS functionality adds an “SSP” flag in the NTLM hash (NTLM2-SSP). This increases the length of the NTLM hash longer which adds complexity while cracking the hash.

NTLMv2 is default authentication protocol and this by default incorporated SSP feature. When NTLMv2 is used, the ESS functionality is automatically incorporated into the authentication process.

NTLMv2-SSP

Also if you search for event id 4624 in your Security logs, then at the bottom you will see what ntlm version your system is using.

I hope you have learned something new from here.

Thanks. Please Subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos

--

--