#1
Named Pipe lsass.exe

Hello

Using filemon and checking to see what named pipes are running I have discovered lsass.exe is reading and writing every so often.

This is the named pipe

lsass.exe \\.\Pipe\lsass\

The user says NT Authority\System

1) Can someone explain what this pipe is for ?

2) How can you shut it off ?

3) Since this is the only named pipe running ...could this be a potential security risk ?

#2
Re: Named Pipe lsass.exe

Marbles wrote:

> lsass.exe \\.\Pipe\lsass\
>
> The user says NT Authority\System
>
> 1) Can someone explain what this pipe is for ?

Not in detail, but lsass.exe is the core part of the operating system executive.

> 2) How can you shut it off ?

I doubt this is possible. Disabling it would probably break Windows.

> 3) Since this is the only named pipe running ...could this be a potential
> security risk ?

Well ... technically anything is a potential security risk. But there's no particular reason to be concerned about this.

Harry.

#3
Re: Named Pipe lsass.exe

Lsass.exe is vital for the operation of Windows.

Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.

It is also called the Local Security Administration Subsystem Service. Lsass.exe seems to have a lot of names.

Lsass.exe starts pretty early in the Windows boot process.

Lsass.exe runs all of the time and is one of the few processes that cannot be ended with Task Manager.

Lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies.

Lsass.exe is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected Storage (ProtectedStorage) and Security Accounts Manager (SamSs).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs\Aliases
Value Name: lsass
Data Type: REG_MULTI_SZ
Value Data: protected_storage;netlogon;lsarpc;samr

The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is an integral subsystem that is used to perform remote Service Account Manager operations, such as user account management and manipulation. The SAMR interface defines the remote Security Account Manager (SAM) methods that are called by the client.

Netlogon – Net Logon service
Lsarpc – LSA access
Samr – SAM access

When Windows boots, the MBR (Master Boot Record) reads the boot sector which is the first sector of the active partition. This sector contains the code that starts Ntldr which is the boot strap loader for Windows XP. Ntldr runs Ntdetect.com to get information about installed hardware. Ntldr, then, loads the two files that make up the core of XP: Ntoskrnl.exe and Hal.dll. Ntoskrnl.exe starts Winlogon.exe which starts Lsass.exe (Local Security Administration), this is the program that displays the Welcome screen and allows a user to log on with their credentials (user name and password).

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:CC39154C-D835-4720-B7DB-4598485C6787@microsoft.com,
Marbles <Marbles@discussions.microsoft.com> hunted and pecked:
> Hello
>
> Using filemon and checking to see what named pipes are running I have
> discovered lsass.exe is reading and writing every so often.
>
> This is the named pipe
>
> lsass.exe \\.\Pipe\lsass\
>
> The user says NT Authority\System
>
> 1) Can someone explain what this pipe is for ?
>
> 2) How can you shut it off ?
>
> 3) Since this is the only named pipe running ...could this be a potential
> security risk ?

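As an added example (not part of any post in this thread), the following PowerShell relates the Npfs\Aliases value quoted in post #3 to the pipes actually open on the local machine. The lookup of the LanmanServer NullSessionPipes value goes beyond what the thread mentions, and the output column names are made up for this sketch.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing.
$aliasKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Npfs\Aliases'
# Not mentioned in the thread: the SMB server's list of pipes
# that are configured to accept anonymous (null session) access.
$srvKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Every pipe currently open in the Named Pipe File System,
# with the \\.\pipe\ prefix stripped and the name lower-cased.
$live = [System.IO.Directory]::GetFiles('\\.\pipe\') |
    ForEach-Object { ($_ -replace '^\\\\\.\\pipe\\', '').ToLower() }

# NullSessionPipes may be missing or empty; treat both as "none listed".
$anon = @((Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).NullSessionPipes) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

# The Aliases key is absent on some Windows versions; report that instead of failing.
$key = Get-Item -Path $aliasKey -ErrorAction SilentlyContinue
if (-not $key) {
    Write-Output "No alias key found at $aliasKey"
} else {
    foreach ($target in $key.GetValueNames()) {
        # REG_MULTI_SZ is returned as string[]; also split on ';',
        # the separator used when the value is displayed in the post.
        $aliases = @($key.GetValue($target)) |
            ForEach-Object { $_ -split ';' } | Where-Object { $_ }
        foreach ($alias in $aliases) {
            [pscustomobject]@{
                Alias        = $alias                      # name a client asks for
                TargetPipe   = "\\.\pipe\$target"          # pipe that serves it
                TargetIsOpen = $live -contains $target.ToLower()
                AnonymousOK  = $anon -contains $alias.ToLower()
            }
        }
    }
}
```

A row where both TargetIsOpen and AnonymousOK are true is an lsass alias listed for anonymous SMB access, which is the entry to review alongside the firewall advice in post #7.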
#4
Re: Named Pipe lsass.exe

Thanks Harry for a quick and precise response !

Cheers

"Harry Johnston" wrote:

> Marbles wrote:
>
> > lsass.exe \\.\Pipe\lsass\
> >
> > The user says NT Authority\System
> >
> > 1) Can someone explain what this pipe is for ?
>
> Not in detail, but lsass.exe is the core part of the operating system executive.
>
> > 2) How can you shut it off ?
>
> I doubt this is possible. Disabling it would probably break Windows.
>
> > 3) Since this is the only named pipe running ...could this be a potential
> > security risk ?
>
> Well ... technically anything is a potential security risk. But there's no
> particular reason to be concerned about this.
>
> Harry.

#5
Re: Named Pipe lsass.exe

Thanks Wesley for your solid in depth knowledge of the inner workings of the Windows Operating System Services and sub-level functions.

Cheers !

"Wesley Vogel" wrote:

> Lsass.exe is vital for the operation of Windows.
>
> Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.
>
> It is also called the Local Security Administration Subsystem Service.
> Lsass.exe seems to have a lot of names.
>
> Lsass.exe starts pretty early in the Windows boot process.
>
> Lsass.exe runs all of the time and is one of the few processes that cannot
> be ended with Task Manager.
>
> Lsass.exe is a system process of the Microsoft Windows security mechanisms.
> It specifically deals with local security and login policies.
>
> Lsass.exe is the local security authentication server, and it generates the
> process responsible for authenticating users for the Winlogon service. This
> process is performed by using authentication packages such as the default
> Msgina.dll. If authentication is successful, Lsass generates the user's
> access token, which is used to launch the initial shell. Other processes
> that the user initiates inherit this token.
>
> Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM
> Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected
> Storage (ProtectedStorage) and Security Accounts Manager (SamSs).
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs\Aliases
> Value Name: lsass
> Data Type: REG_MULTI_SZ
> Value Data: protected_storage;netlogon;lsarpc;samr
>
> The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is
> an integral subsystem that is used to perform remote Service Account Manager
> operations, such as user account management and manipulation. The SAMR
> interface defines the remote Security Account Manager (SAM) methods that are
> called by the client.
>
> Netlogon – Net Logon service
> Lsarpc – LSA access
> Samr – SAM access
>
> When Windows boots, the MBR(Master Boot Record) reads the boot sector which
> is the first sector of the active partition. This sector contains the code
> that starts Ntldr which is the boot strap loader for Windows XP. Ntldr runs
> Ntdetect.com to get information about installed hardware. Ntldr, then,
> loads the two files that make up the core of XP: Ntoskrnl.exe and Hal.dll.
> Ntoskrnl.exe starts Winlogon.exe which starts Lsass.exe (Local Security
> Administration), this is the program that displays the Welcome screen and
> allows a user to log on with their credentials (user name and password).
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:CC39154C-D835-4720-B7DB-4598485C6787@microsoft.com,
> Marbles <Marbles@discussions.microsoft.com> hunted and pecked:
> > Hello
> >
> > Using filemon and checking to see what named pipes are running I have
> > discovered lsass.exe is reading and writing every so often.
> >
> > This is the named pipe
> >
> > lsass.exe \\.\Pipe\lsass\
> >
> > The user says NT Authority\System
> >
> > 1) Can someone explain what this pipe is for ?
> >
> > 2) How can you shut it off ?
> >
> > 3) Since this is the only named pipe running ...could this be a potential
> > security risk ?

#6
Re: Named Pipe lsass.exe

Sub-level functions are my favorites.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:AA6DD456-4C7B-4B23-A928-3D75DE18E721@microsoft.com,
Marbles <Marbles@discussions.microsoft.com> hunted and pecked:
> Thanks Wesley for your solid in depth knowledge of the inner workings of
> the Windows Operating System Services and sub-level functions.
>
> Cheers !
>
>
> "Wesley Vogel" wrote:
>
>> Lsass.exe is vital for the operation of Windows.
>>
>> Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.
>>
>> It is also called the Local Security Administration Subsystem Service.
>> Lsass.exe seems to have a lot of names.
>>
>> Lsass.exe starts pretty early in the Windows boot process.
>>
>> Lsass.exe runs all of the time and is one of the few processes that
>> cannot be ended with Task Manager.
>>
>> Lsass.exe is a system process of the Microsoft Windows security
>> mechanisms. It specifically deals with local security and login policies.
>>
>> Lsass.exe is the local security authentication server, and it generates
>> the process responsible for authenticating users for the Winlogon
>> service. This process is performed by using authentication packages such
>> as the default Msgina.dll. If authentication is successful, Lsass
>> generates the user's access token, which is used to launch the initial
>> shell. Other processes that the user initiates inherit this token.
>>
>> Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM
>> Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent),
>> Protected Storage (ProtectedStorage) and Security Accounts Manager
>> (SamSs).
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs\Aliases
>> Value Name: lsass
>> Data Type: REG_MULTI_SZ
>> Value Data: protected_storage;netlogon;lsarpc;samr
>>
>> The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR)
>> is an integral subsystem that is used to perform remote Service Account
>> Manager operations, such as user account management and manipulation.
>> The SAMR interface defines the remote Security Account Manager (SAM)
>> methods that are called by the client.
>>
>> Netlogon – Net Logon service
>> Lsarpc – LSA access
>> Samr – SAM access
>>
>> When Windows boots, the MBR(Master Boot Record) reads the boot sector
>> which is the first sector of the active partition. This sector contains
>> the code that starts Ntldr which is the boot strap loader for Windows
>> XP. Ntldr runs Ntdetect.com to get information about installed
>> hardware. Ntldr, then, loads the two files that make up the core of XP:
>> Ntoskrnl.exe and Hal.dll. Ntoskrnl.exe starts Winlogon.exe which starts
>> Lsass.exe (Local Security Administration), this is the program that
>> displays the Welcome screen and allows a user to log on with their
>> credentials (user name and password).
>>
>> --
>> Hope this helps. Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In news:CC39154C-D835-4720-B7DB-4598485C6787@microsoft.com,
>> Marbles <Marbles@discussions.microsoft.com> hunted and pecked:
>>> Hello
>>>
>>> Using filemon and checking to see what named pipes are running I have
>>> discovered lsass.exe is reading and writing every so often.
>>>
>>> This is the named pipe
>>>
>>> lsass.exe \\.\Pipe\lsass\
>>>
>>> The user says NT Authority\System
>>>
>>> 1) Can someone explain what this pipe is for ?
>>>
>>> 2) How can you shut it off ?
>>>
>>> 3) Since this is the only named pipe running ...could this be a
>>> potential security risk ?

#7
Re: Named Pipe lsass.exe

Might add that lsass.exe had a VERY serious security issue - exploited by the 'sasser' virus. Make sure you have the relevant patch. Also, consider firewalling inbound ports to this process if you don't share files or printers from the computer.

#8
Re: Named Pipe lsass.exe

Ok, I've read all that I can and researched my problem but it's time for some real HELP! I rebooted my system on Friday when it slowed and seemed ill. The system stopped and I got this error message: "lsass.exe - system error Object name not found". I tried the Microsoft fix but I can't even boot to the "Last known good configuration" or even to safe mode. Please help me :(

I'm running Windows XP home on an '01 Dell 4300S

"Ian" wrote:

> Might add that lsass.exe had a VERY serious security issue - exploited by the
> 'sasser' virus. Make sure you have the relevant patch. Also, consider
> firewalling inbound ports to this process if you don't share files or
> printers from the computer.