About the LSAss.exe process on Windows
Author: eygle
Source: http://blog.eygle.com
Date: decEmber 26, 2004
«Install Cronolog, format Apache log files | Blog Home | Configuring awStats, Apache Log Analysis Tools»
Today I saw someone asked the LSAss.exe process, turned it on something, record something here.
LSASS - LSASS.EXE - Process Information Process File: LSAss or LSASS.EXE Process Name: Local Security Permission Services Description: Local Security Permissions Services, Controlling Windows Security Mechanism. Common error: N / A is a system process: Yes
The process is a system process and cannot be terminated in the task manager, remember that the process of the command line before command may cause the system blue screen (not confirmed).
Microsoft's instructions are as follows:
Lsass.exe -.. You can not end this process from Task Manager This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service This process is performed by using authentication packages such as the default Msgina.dll ............................... ..
LINK
It means: This is a local security authorization service, and it generates a process for authorized users using Winlogon services. This process is performed by using an authorized package, such as the default Msgina.dll. If the authorization is successful, LSASS will generate the user's entry token, let the table use the initial shell. Other processes initialized by users will inherit this token.
But proper worry is necessary, known part of the virus is related to LSASS. First, Microsoft deficient LSAss.exe is located in c: /windows/system32/lsass.exe
We should clearly run the dynamic link library that LSASS needs:
C: /> TLIST 720
720 lsass.exe
CWD: C: / Windows / System32 /
CMDline: c: /windows/system32/lsass.exe
Virtualsize: 43208 KB Peakvirtualsize: 49040 KB
Workingsetsize: 1360 KB Peakworkingsetsize: 10640 KB
NumberOfThreads: 19
732 Win32Startaddr: 0x74497f07 lasterr: 0x00000000 State: waiting
736 Win32Startaddr: 0x7c94798d lasterr: 0x00000000 State: waiting
740 Win32Startaddr: 0x7c930760 lasterr: 0x00000000 State: Waiting
744 Win32Startaddr: 0x7c949fae lasterr: 0x00000000 State: Waiting
748 Win32Startaddr: 0x0000028E Lasterr: 0x00000000 State: Waiting764 Win32Startaddr: 0x7c930aca lasterr: 0x00000000 State: waiting
792 Win32Startaddr: 0x00000000 lasterr: 0x00000000 State: Waiting
800 Win32Startaddr: 0x00040d64 lasterr: 0x00000000 State: Waiting
812 Win32Startaddr: 0x7488c23 lasterr: 0x00000000 State: waiting
1700 Win32Startaddr: 0x74488c23 lasterr: 0x00000000 State: Waiting
212 Win32Startaddr: 0x77dbb479 lasterr: 0x00000000 State: Waiting
364 Win32Startaddr: 0x77c0a341 lasterr: 0x000003E5 State: waiting
376 Win32Startaddr: 0x77c0a341 lasterr: 0x00000000 State: Waiting
380 Win32Startaddr: 0x77c0a341 lasterr: 0x00000000 State: waiting
3056 Win32Startaddr: 0x759d8831 lasterr: 0x00000000 State: Waiting
1048 Win32Startaddr: 0x77e56bf0 lasterr: 0x0000006D State: waiting
2628 Win32Startaddr: 0x00000000 lasterr: 0x000003F0 State: waiting
3204 Win32Startaddr: 0x00000000 lasterr: 0x00000000 State: Waiting
3032 Win32Startaddr: 0x77e56bf0 lasterr: 0x00000000 State: Waiting
5.1.2600.2180 SHP 0x01000000 lsass.exe
5.1.2600.2180 SHP 0x7C920000 NTDLL.DLL
5.1.2600.2180 SHP 0x7C800000 kernel32.dll
5.1.2600.2180 SHP 0X77DA0000 Advapi32.dll
5.1.2600.2180 SHP 0x77E50000 rpCRT4.DLL
5.1.2600.2525 SHP 0x74480000 lsasrv.dll
5.1.2600.2180 SHP 0x71A90000 MPR.DLL
5.1.2600.2180 SHP 0x77D10000 USER32.DLL
5.1.2600.2180 SHP 0x77EF0000 GDI32.DLL
5.1.2600.2180 SHP 0x76DB0000 MSASN1.DLL
7.0.2600.2180 SHP 0x77Be0000 MSVCRT.DLL
5.1.2600.2180 SHP 0x5FDD0000 Netapi32.dll
5.1.2600.2180 SHP 0x76770000 NTDSAPI.DLL
5.1.2600.2180 SHP 0x76EF0000 DNSAPI.DLL
5.1.2600.2180 SHP 0x71A20000 WS2_32.dll
5.1.2600.2180 SHP 0x71A10000 WS2HELP.DLL
5.1.2600.2180 SHP 0x76F30000 WLDAP32.DLL
5.1.2600.2180 SHP 0X77FC0000 SECUR32.DLL
5.1.2600.2180 SHP 0x71B70000 Samlib.dll5.1.2600.2180 SHP 0x743A0000 Samsrv.dll
5.1.2600.2180 SHP 0x76760000 CRYPTDLL.DLL
5.1.2600.2180 SHP 0x5cc30000 Shimeng.dll
0x58fb0000 acgenral.dll
5.1.2600.2180 SHP 0x76B10000 Winmm.dll
5.1.2600.2180 SHP 0x76990000 OLE32.DLL
5.1.2600.2180 SHP 0x770F0000 oleaut32.dll
5.1.2600.2180 SHP 0X77BB0000 MSACM32.DLL
5.1.2600.2180 SHP 0x77BD0000 Version.dll
6.0.2900.2180 SHP 0x773A0000 shell32.dll
6.0.2900.2180 SHP 0x77F40000 shlwapi.dll
5.1.2600.2180 SHP 0x759D0000 Userenv.dll
6.0.2900.2180 SHP 0X5ADC0000 UXTHEME.DLL
5.1.2600.2180 SHP 0x76300000 Imm32.dll
5.1.2600.2180 SHP 0x62C20000 LPK.DLL
1.420.2600.2180 SH 0x73fa0000 usp10.dll
5.82.2900.2180 SHP 0x77180000 ComctL32.dll
5.82.2900.2180 SHP 0x5D170000 ComctL32.dll
5.1.2600.2180 SHP 0x20000000 MSPrivs.dll
5.1.2600.2180 SHP 0x71C70000 Kerberos.dll
5.1.2600.2180 SHP 0x77C40000 msv1_0.dll
5.1.2600.2180 SHP 0x76D30000 iphlpapi.dll
5.1.2600.2180 SHP 0X74410000 Netlogon.dll
5.1.2600.2180 SHP 0x76790000 W32Time.dll
6.0.8168.0 SHP 0x75FF0000 MSVCP60.DLL
5.1.2600.2180 SHP 0x767C0000 Schannel.dll
5.131.2600.2180 SH 0x765E0000 CRYPT32.DLL
5.1.2600.2180 SHP 0x742E0000 WDIGEST.DLL
5.1.2600.2161 SHP 0x0FFD0000 RSAENH.DLL
5.1.2600.2180 SHP 0X74370000 SCECLI.DLL
5.1.2600.2180 SHP 0x76060000 Setupapi.dll
5.1.2600.2180 SHP 0x74340000 ipsecsvc.dll
5.1.2600.2180 SHP 0x77FE0000 Authz.dll
5.1.2600.2180 SHP 0x73ED0000 Oakley.dll
5.1.2600.2180 SHP 0x742D0000 Winipsec.dll
5.1.2600.2180 SHP 0x74300000 Pstorsvc.dll
0x43000000 GoogleDesktopNetwork1.dll
5.1.2600.2180 SHP 0x719C0000 mswsock.dll
5.1.2600.2180 SHP 0x60FD0000 HNETCFG.DLL
5.1.2600.2180 SHP 0x71a00000 wshtcpip.dll5.1.2600.2180 SHP 0x74320000 PSBase.dll
5.1.2600.2133 SHP 0X68100000 DSsenh.dll
Everyone can see that Google's desktop search also need to register here, this process is required for permission control. Some software verify and update or verify registration information, using 500 port communication (IKE) -Internet key exchange ports, may sometimes be falsely virus or Trojan.
I often believe that as long as there is an appropriate understanding of Windows, it is still sensitive to the abnormal process or an exception DLL, so I can find suspicious processes and find out the problem. TLIST This simple gadget has helped me find a virus that several anti-virus software cannot recognize in time.
Currently known and LSASS related viruses are: w32.hllw.lovgate.c@mm - symantec corporationw32.mydoom.l@mm - symantec corporationw32.nimos.worm - Symantec Corporationw32.sasser.e.exe - McAfee
So everyone should pay attention to this process properly.
