lsass.exe wants to install driver/service

Discussion in 'ProcessGuard' started by earth1, Mar 14, 2005.

Thread Status:
Not open for further replies.
  1. earth1

    earth1, Registered Member
    Joined: Oct 17, 2004
    Posts: 177
    Location: Kansas, USA

    Running Win2000 (SP4), I found that lsass.exe tries to install a driver/service after making a change (any change) to:
    Control_Panel ---> Admin_Tools --> Local_Security_Settings ---> Password_Policy

    Unfortunately, the logfile reads like a dime store mystery novel: :D
    Sun 13 - 23:33:49 [DRIVER/SERVICE] c:\winnt\system32\lsass.exe [300] Tried to install a driver/service named

    Has anyone seen this too or know what Win2000 is trying to install?
     
  2. Pilli

    Pilli, Registered Member
    Joined: Feb 13, 2002
    Posts: 6,217
    Location: Hampshire UK

    Hi Earth1, lsass.exe in the System32 folder is a legitimate file that deals specifically with local security policies and login. It probably interacts with running services to do its job. Your text omits the named service unfortunately.
    There is also a virus that uses a similar name lsas.exe but that security issue was closed with the latest W2K Service pack.

    Pilli
     
  3. earth1

    Hi Pilli,
    Yes, I agree that it must be legit. I was interacting with the genuine password policy console and got the "wants to install..." balloon with each change I made. But since it's typically a dangerous thing to allow and there is always so much discussion of when that permission is appropriate, I am curious to know whether anyone else has seen it. I searched the forum for references to "lsass", but didn't find anything relevant to driver/svc installation. I have a feeling this is some kind of weird special case, but don't know exactly what to make of it.

    Indeed, the name of the service was also omitted in PG's alert and in its logfile (like a dime store novel where a character dies, struggling to say the murderer's name). It just struck me as humorous. :)
     
  4. Pilli

    Hi, I think that you can probably allow this, as I seem to remember that lsass uses services which may not show the name in certain circumstances, as services are dealt with differently in version 3. This may also be a W2K-specific error, which DCS will have to verify.

    If you want to be certain please copy and .zip to submit@diamondcs.com.au for analysis.

    Thanks. Pilli
     
  5. earth1

    I get the same checksum for lsass.exe from multiple partitions on two machines, so I think it's OK. Thanks for all the input, Pilli.
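
Added example, not part of the original thread and not ProcessGuard's own code: a triage script for driver/service alerts like the one quoted in the first post, flagging an empty service name, a protected image name running from an unexpected folder, and a near-miss name such as the lsas.exe mentioned above. The log format is inferred from that single quoted line, the expected path is taken from it, and the second and third sample lines, the service name `examplesvc` and the edit-distance threshold of 1 are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Format inferred from the one log line quoted in the thread (assumption).
LINE_RE = re.compile(
    r"^\w{3} \d{1,2} - \d{2}:\d{2}:\d{2} \[DRIVER/SERVICE\] "
    r"(?P<image>.+?) \[(?P<pid>\d+)\] "
    r"Tried to install a driver/service named ?(?P<service>.*)$")

# Expected image path, taken from the thread's Win2000 log line.
EXPECTED = {"lsass.exe": PureWindowsPath(r"c:\winnt\system32\lsass.exe")}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(line):
    """Return parsed fields plus review flags, or None if not an install alert."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    image = PureWindowsPath(m["image"])
    name, service = image.name.lower(), m["service"].strip()
    flags = [] if service else ["unnamed-service"]
    for known, path in EXPECTED.items():
        if name == known and image != path:   # right name, wrong folder
            flags.append("wrong-path")
        elif name != known and edit_distance(name, known) <= 1:
            flags.append("lookalike-name")    # e.g. one letter dropped
    return {"image": str(image), "pid": int(m["pid"]),
            "service": service, "flags": flags}

# First line is the one quoted in the thread; the other two are constructed.
SAMPLES = [
    r"Sun 13 - 23:33:49 [DRIVER/SERVICE] c:\winnt\system32\lsass.exe [300] Tried to install a driver/service named",
    r"Mon 14 - 09:02:11 [DRIVER/SERVICE] c:\winnt\system32\lsas.exe [412] Tried to install a driver/service named examplesvc",
    r"Mon 14 - 09:05:40 [DRIVER/SERVICE] c:\temp\lsass.exe [508] Tried to install a driver/service named",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

A line flagged only `unnamed-service` with the expected path matches the situation in this thread; the path and name checks do not replace comparing the file's checksum against a known-good copy.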
     