Named Pipe lsass.exe

Guest

Hello

Using filemon and checking to see what named pipes are running I have
discovered lsass.exe is reading and writing every so often.

This is the named pipe

lsass.exe \\.\Pipe\lsass\

The user says NT Authority\System

1) Can someone explain what this pipe is for?

2) How can you shut it off?

3) Since this is the only named pipe running... could this be a potential
security risk?
 
Harry Johnston

Marbles said:
> lsass.exe \\.\Pipe\lsass\
>
> The user says NT Authority\System
>
> 1) Can someone explain what this pipe is for?

Not in detail, but lsass.exe is the core part of the operating system executive.

> 2) How can you shut it off?

I doubt this is possible. Disabling it would probably break Windows.

> 3) Since this is the only named pipe running... could this be a potential
> security risk?

Well ... technically anything is a potential security risk. But there's no
particular reason to be concerned about this.

Harry.
 
Wesley Vogel

Lsass.exe is vital for the operation of Windows.

Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.

It is also called the Local Security Administration Subsystem Service.
Lsass.exe seems to have a lot of names.

Lsass.exe starts pretty early in the Windows boot process.

Lsass.exe runs all of the time and is one of the few processes that cannot
be ended with Task Manager.

Lsass.exe is a system process of the Microsoft Windows security mechanisms.
It specifically deals with local security and login policies.

Lsass.exe is the local security authentication server, and it generates the
process responsible for authenticating users for the Winlogon service. This
process is performed by using authentication packages such as the default
Msgina.dll. If authentication is successful, Lsass generates the user's
access token, which is used to launch the initial shell. Other processes
that the user initiates inherit this token.

Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM
Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected
Storage (ProtectedStorage) and Security Accounts Manager (SamSs).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs\Aliases
Value Name: lsass
Data Type: REG_MULTI_SZ
Value Data: protected_storage;netlogon;lsarpc;samr

The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is
an integral subsystem that is used to perform remote Service Account Manager
operations, such as user account management and manipulation. The SAMR
interface defines the remote Security Account Manager (SAM) methods that are
called by the client.

Netlogon – Net Logon service
Lsarpc – LSA access
Samr – SAM access

When Windows boots, the MBR (Master Boot Record) reads the boot sector, which
is the first sector of the active partition. This sector contains the code
that starts Ntldr, which is the bootstrap loader for Windows XP. Ntldr runs
Ntdetect.com to get information about installed hardware. Ntldr, then,
loads the two files that make up the core of XP: Ntoskrnl.exe and Hal.dll.
Ntoskrnl.exe starts Winlogon.exe which starts Lsass.exe (Local Security
Administration), this is the program that displays the Welcome screen and
allows a user to log on with their credentials (user name and password).

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
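
An added example, not part of the original post: a local inventory of the Npfs\Aliases entries quoted above, marking which of those pipe names are currently open. Reading the value name (lsass) as the target pipe and each entry as an alias for it is an assumption about how the key is interpreted, and the variable names are illustrative.

```powershell
# Added example: list Npfs pipe aliases and compare them with the live pipes.
# Run locally on the Windows machine being checked.
$aliasKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Npfs\Aliases'

# Every named pipe currently open, reduced to its bare name in lower case.
$livePipes = [System.IO.Directory]::GetFiles('\\.\pipe\') |
    ForEach-Object { ($_ -replace '^\\\\\.\\pipe\\', '').ToLowerInvariant() }

if (-not (Test-Path $aliasKey)) {
    Write-Output "Npfs alias key not present on this system."
}
else {
    $key = Get-Item $aliasKey
    foreach ($target in $key.GetValueNames()) {
        # REG_MULTI_SZ is returned as a string array. Splitting on ';' also
        # copes with data stored joined, the way the post displays it.
        $aliases = @($key.GetValue($target)) |
            ForEach-Object { $_ -split ';' } |
            Where-Object { $_ }

        foreach ($alias in $aliases) {
            [pscustomobject]@{
                Target     = $target    # assumed: pipe the alias resolves to
                Alias      = $alias     # e.g. samr, lsarpc, netlogon
                TargetOpen = $livePipes -contains $target.ToLowerInvariant()
                AliasOpen  = $livePipes -contains $alias.ToLowerInvariant()
            }
        }
    }
}
```

A row with TargetOpen set to True shows that the pipe the original question asked about is the endpoint behind the listed interface names, which is useful context when deciding what inbound file-sharing traffic to firewall.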

Guest

Thanks Wesley for your solid in depth knowledge of the inner workings of the
Windows Operating System Services and sub-level functions.

Cheers !
 
Wesley Vogel

Sub-level functions are my favorites.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Guest

Might add that lsass.exe had a VERY serious security issue - exploited by the
'sasser' virus. Make sure you have the relevant patch. Also, consider
firewalling inbound ports to this process if you don't share files or
printers from the computer.
 
Guest

Ok, I've read all that I can and researched my problem but it's time for some
real HELP!

I rebooted my system on Friday when it slowed and seemed ill. The system
stopped and I got this error message: "lsass.exe - system error Object name
not found". I tried the Microsoft fix but I can't even boot to the "Last
known good configuration" or even to safe mode.

Please help me :( I'm running Windows XP home on an '01 Dell 4300S
 