NT Authority

Guest

Why does NT AUTHORITY\LocalService password services on my computer? I have
no desire to access them, but what if I did? I don't like someone other than
me putting passwords on my computer. I have XP Home. These are the services
with the passwords.

Webclient
Universal Plug and Play
Uninterruptible Power
TCP/IP NetBIOS Helper
SSDP Discovery Service
Smart Card Helper Properties
Smart Card
Remote Procedure Call Locator
Services Local
DNS Client Properties
Distributed Transaction Coordinator
Application Layer Gateway Service Properties
Alerter

NT Authority's propensity to act like a human is creepy. Does anyone know
what password it uses?

Thank you.

password is?
 
Just how have you determined that these services have or need passwords?
And that the NT AUTHORITY\LocalService is what has added the passwords?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
It looks like the program determined they need passwords. I was looking
around the computer, in Services, and saw that most log on as Local System
Account and have no passwords. However, the ones I mentioned log on as This
Account, with the user as NT Authority, LocalService and have a password
which I didn't put there and I don't know.

I found this after doing a reformat, before I went online, so no one could
have put these passwords there. Is NT Authority some kind of ghost in the
machine?
 

The NT Authority / Local Service Account is a special system account created
by XP when the OS is installed and has reduced privileges. Even though
there is a password box with what appears to be a password, there is none
for this account. See this link:
http://msdn2.microsoft.com/en-us/library/ms684188.aspx
 
Is NT Authority some kind of ghost in the machine?

Yes.

With the help of Rock's post I see now. Don't worry about it.

<quote>
Microsoft Windows XP includes the following three built-in local accounts
used as the logon accounts for various system services:

The Local System account is a predefined local account that can start a
service and provide the security context for that service. The actual name
of the account is NT AUTHORITY\System.

The Local Service account is a special built-in account that has reduced
privileges similar to an authenticated local user account. The actual name
of the account is NT AUTHORITY\LocalService.

The Network Service account is a special built-in account that has reduced
privileges similar to an authenticated user account. The actual name of the
account is NT AUTHORITY\NetworkService.
<quote>

The Local Service account is a special built-in account that has reduced
privileges similar to an authenticated local user account. The actual name
of the account is NT AUTHORITY\LocalService.

%SystemRoot%\System32\svchost.exe -k LocalService
or
C:\WINDOWS\System32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
* LocalService loads these services: Alerter, WebClient, LmHosts (TCP/IP
NetBIOS Helper), RemoteRegistry, upnphost (Universal Plug and Play Device
Host) and SSDPSRV (SSDP Discovery Service).
* NetworkService loads DnsCache (DNS Client).

All of those services run in hidden windows (they do not show up on the
Applications tab of Task Manager) and have no user interaction.

These accounts have the Hidden and System attributes.

C:\Documents and Settings\LocalService
C:\Documents and Settings\NetworkService

The LocalService and NetworkService accounts perform things like
synchronizing the time, running services, system maintenance, etc.

LocalService and NetworkService can:
Change the system time
Generate security audits
Log on as a service

From Small Potato.
<quote>
Just for more information, Local Service and Network Service accounts
are created for security reasons.

In Windows 2000/NT, system services are launched with "Local System"
credentials, which have system-wide privilege as Administrator. So if the
service was attacked, attackers who gain the privilege of Local System can
perform a system-wide attack.

So Windows XP introduced Local Service and Network Service accounts for
system services. Both run with unprivileged "Limited Users" credentials
instead of having full system rights, but Local Service accesses the Windows
network using null sessions, i.e., it uses anonymous credentials, while
Network Service accesses the Windows network with the computer account, just
like Local System.

For more information, you may refer to this article:

The Services and Service Accounts Security Planning Guide
http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/default.mspx
<quote>

For more information, you may refer to this article:

The Services and Service Accounts Security Planning Guide
Chapter 2 - The Approach to Running Services More Securely
http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/sspgch02.mspx

Every time that I read through those articles it seems like I understand
things, but if I try to explain those things to someone else it's a
different story. :-)

Services are loaded under svchost.exe, lsass.exe and services.exe.

To see what services are running under which svchost.exe, open a command
prompt, type: tasklist /svc and hit enter.

You can match up the PID# with the PID# in Task Manager if you have that
column showing: Task Manager | View | Select columns | PID (Process
Identifier).

Tasklist with no switches will show like in the Task Manager. The /SVC
switch displays services in each process.

Services are loaded under svchost.exe, lsass.exe and services.exe.

Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.
It is also called the Local Security Administration Subsystem Service.
Lsass.exe seems to have a lot of names.

Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM
Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected
Storage (ProtectedStorage) and Security Accounts Manager (SamSs).

Services.exe (Services and Controller app) loads the Event Log service and
the Plug and Play service.

Svchost.exe (Generic Host Process for Win32 Services) loads the rest of the
services.

Depending on the switch used, svchost.exe loads them under imgsvc,
LocalService, netsvcs, NetworkService, rpcss or termsvcs.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
* imgsvc loads StiSvc. StiSvc is the Windows Image Acquisition (WIA)
service.
%SystemRoot%\system32\svchost.exe -k imgsvc
* LocalService loads Alerter, WebClient, LmHosts, RemoteRegistry, upnphost
and SSDPSRV.
%SystemRoot%\system32\svchost.exe -k LocalService
* netsvcs loads 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP,
ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip,
Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc,
NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule,
Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time,
WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS,
ShellHWDetection, helpsvc, uploadmgr, WmdmPmSN and Ip6FwHlp.
%SystemRoot%\System32\svchost.exe -k netsvcs
* NetworkService loads DnsCache.
%SystemRoot%\system32\svchost.exe -k NetworkService
* rpcss loads RpcSs.
%SystemRoot%\system32\svchost -k rpcss
* termsvcs loads TermService.
%SystemRoot%\System32\svchost -k DComLaunch

I am not going to translate all of those Service Names to their Display
Names. If you want to know open the Registry Editor (regedit) and navigate
to...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

If you click on ALG, for example, and look at the Display Name you'll see
Application Layer Gateway Service. You can also open services.msc, double
click a service and on the General tab are both the service name and the
display name. The service name is used for commands like: sc query alg
etc. The service name is also how they are listed in the registry. Some
are self evident, some are tough to figure out without a program.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
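
Added example, not part of the original thread: a PowerShell sketch that joins the two registry locations named in the post above, listing each svchost group, the services it loads, and the account each service logs on as. It assumes PowerShell 3.0 or later (not present on a stock XP install) and reads the standard ObjectName, DisplayName and ImagePath values under each service's key; nothing is modified.

```powershell
# Added example: read-only audit of svchost groups and service logon accounts.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$groups = Get-Item -Path $svchostKey
$report = foreach ($group in $groups.GetValueNames()) {
    # Each group (LocalService, netsvcs, ...) is a REG_MULTI_SZ list of service names.
    if ($groups.GetValueKind($group) -ne 'MultiString') { continue }
    foreach ($name in $groups.GetValue($group)) {
        $svc = Get-ItemProperty -Path (Join-Path $servicesKey $name) -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # named in the group but not installed
        [pscustomobject]@{
            Group     = $group
            Service   = $name               # service name, as used by "sc query"
            Display   = $svc.DisplayName    # display name, as shown in services.msc
            Account   = $svc.ObjectName     # logon account, e.g. NT AUTHORITY\LocalService
            ImagePath = $svc.ImagePath      # e.g. ...\svchost.exe -k LocalService
        }
    }
}

# Full mapping, grouped by logon account.
$report | Sort-Object Account, Group, Service |
    Format-Table Group, Service, Account -AutoSize

# Hosted services that still run with full LocalSystem rights.
$report | Where-Object { $_.Account -eq 'LocalSystem' } |
    Select-Object Group, Service, Display
```

The Account column is the same value the Log On tab in services.msc displays as "This account"; for the built-in accounts the password box shown next to it is not a real password.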


Yes, it's a legacy ghost, and you shouldn't worry, it uses accounts
for the system so that the computers' subsystems can communicate on a
secure level... if you tamper with the passwords, or the service, you
will most likely lose some function, have errors, and probably hose
your system...
 