Extreme technical questions about Windows XP/2000

Status
Not open for further replies.

=met=Badger

I have a few questions which are related to another thread but are more for this forum. My questions are about the relation between winlogon, lsass, and Windows in general. I know Windows is stubborn and must use pretty much anything that it starts with because most of them are linked. I've just reformatted my Windows drive like a week ago so I'm not afraid to do it again if I mess something up.

My Q's
1. Does anyone know exactly what lsass (Local Security Authentication Server), in Windows XP, really does besides auth for winlogon?
2. Is there any way to remove it by removing any winlogon services?

My understanding of winlogon is that it is mainly used with Remote Assistance or Remote Desktop, allowing other users to access your Windows via a network. It's a part of the Windows Login subsystem. Winlogon is necessary for user authorization and checks the Windows XP activation code.

3. Does Windows force you to use winlogon when accessing the internet?

I know that Microsoft is pretty touchy about people not paying for Windows, and to save myself time when I reformat or reinstall I've recorded the activation info and SP1, because I used to have dial-up and I used the phone activation. But

4. Does Windows really need to verify the key every time it runs? Winlogon to me seems like an unessential process.
These are from my other thread concerning internet security and lsass intrusions blocked by my firewall.
 
To the best of my knowledge, Winlogon deals with ALL accounts, not just remotely accessed ones, right the way from the welcome screen to Task Manager. It provides the logon/logoff facilities, while also monitoring all user accounts, and partly facilitates product activation.

As for LSASS (in brief) - http://www.neuber.com/taskmanager/process/lsass.exe.html

(or from the horse's mouth under point 3, "Security Considerations for Baseline Configurations") - http://msdn.microsoft.com/library/d...en-us/dnxpembed/html/Windows_XPE_Security.asp (OK, I know it's XP Embedded, but it makes no difference)

...LSASS is a user-mode process that is responsible for the following areas:

1. The local system security policy, such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings.
2. User authentication.
3. Sending security audit messages to the event log.
 
Well, I've gone through almost all the services and disabled those I felt weren't needed, and checking with the Black Viper list I got almost the desired setting for my PC. I reduced Lsass to 500kb RAM w/ almost nothing running that uses it.

Most of my queries are based on that my firewall is blocking intrusions from LSASS.exe but the address it gives is 0x77E74A8F. I'm not a programmer or tech but I know enough to know that it's not an internet address. I've seen similar addresses when a GPF occurs w/ some programs. I also had a buffer overflow with Lsass that was logged by my FW. What I'm thinking it is, is a feedback loop for the auth (as it is a normal part of Windows and it verifies Windows auth as a security option and a Microsoft "spyware" type program, to verify that everyone has a legit copy of Windows). When Lsass sends out and doesn't receive (because of my FW) it faults, and because it's always active it can't crash and my FW logs the address.

That's my hypothesis. Like I said, I don't know anything about coding and am not a tech, and this makes sense to me. If someone could explain the reason why I'm getting 0x77E74A8F as an address I'd love to hear it.

My FW: Kerio Personal FW, last version
 
I don't know why it would be that specific address (someone else might. Possibly). I can tell you for sure though that 0x77E74A8F is a memory block (i.e., an address to an area of your system's memory, expressed as these things are in hex code).
 