lsass.exe wants to install driver/service


earth1
March 14th, 2005, 01:01 AM
Running Win2000 (SP4), I found that lsass.exe tries to install a driver/service after making a change (any change) to:
Control_Panel ---> Admin_Tools --> Local_Security_Settings ---> Password_Policy

Unfortunately, the logfile reads like a dime store mystery novel: :D
Sun 13 - 23:33:49 [DRIVER/SERVICE] c:\winnt\system32\lsass.exe [300] Tried to install a driver/service named

Has anyone seen this too or know what Win2000 is trying to install?

Pilli
March 14th, 2005, 02:04 AM
Hi Earth1, lsass.exe in the System32 folder is a legitimate file that deals specifically with local security policies and login. It probably interacts with running services to do its job. Your text omits the named service unfortunately.
There is also a virus that uses a similar name lsas.exe but that security issue was closed with the latest W2K Service pack.

Pilli

earth1
March 14th, 2005, 02:32 AM
Hi Pilli,
Yes, I agree that it must be legit. I was interacting with the genuine password policy console and got the "wants to install..." balloon with each change I made. But since it's typically a dangerous thing to allow and there is always so much discussion of when that permission is appropriate, I am curious to know whether anyone else has seen it. I searched the forum for references to "lsass", but didn't find anything relevant to driver/svc installation. I have a feeling this is some kind of weird special case, but don't know exactly what to make of it.

Indeed, the name of the service was also omitted in PG's alert and in its logfile (like a dime store novel where a character dies, struggling to say the murderer's name). It just struck me as humorous. :)

Pilli
March 14th, 2005, 02:53 AM
Hi, I think that you can probably allow this, as I seem to remember that lsass uses services which may not show the name in certain circumstances, as services are dealt with differently in version 3. This may also be a W2K-specific error which DCS will have to verify.

If you want to be certain please copy and .zip to submit@diamondcs.com.au for analysis.

Thanks. Pilli

earth1
March 14th, 2005, 03:20 AM
I get the same checksum for lsass.exe from multiple partitions on two machines, so I think it's OK. Thanks for all the input, Pilli.