Extreme technical questions about Windows XP/2000

By =met=Badger · 4 replies
Apr 30, 2006
  1. I have a few questions which are related to another thread but are more for this forum. My questions are about the relation between winlogon, lsass, and Windows in general. I know Windows is stubborn and must use pretty much anything that it starts with because most of them are linked. I've just reformatted my Windows drive like a week ago so I'm not afraid to do it again if I mess something up.

    I know that Microsoft is pretty touchy about people not paying for Windows, and to save myself time when I reformat or reinstall I've recorded the activation info and SP1, because I used to have dial-up and I used the phone activation. but

    4. Does Windows really need to verify the key every time it runs? Winlogon to me seems like an unessential process.
    These are from my other thread concerning internet security and lsass intrusions blocked by my firewall.
  2. =met=Badger

    =met=Badger TS Rookie Topic Starter Posts: 25

    I found my answer to disabling lsass in the Black Viper Tweaks, but I would still like answers to my query.
  3. Spike

    Spike TS Evangelist Posts: 2,168

    To the best of my knowledge, Winlogon deals with ALL accounts, not just remotely accessed ones, right the way from the welcome screen to task manager. It provides the logon/off facilities, while also monitoring all user accounts and partly facilitates product activation.

    As for LSASS (in brief) - http://www.neuber.com/taskmanager/process/lsass.exe.html

    (or from the horse's mouth under point 3, "Security Considerations for Baseline Configurations") - http://msdn.microsoft.com/library/d...en-us/dnxpembed/html/Windows_XPE_Security.asp (OK, I know it's XP Embedded, but it makes no difference)

    ...LSASS is a user-mode process that is responsible for the following areas:

    1. The local system security policy, such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings.
    2. User authentication.
    3. Sending security audit messages to the event log.
  4. =met=Badger

    =met=Badger TS Rookie Topic Starter Posts: 25

    Well, I've gone through almost all the services and disabled those I felt weren't needed, and checking with the Black Viper list I got almost the desired setting for my PC. I reduced Lsass to 500kb RAM w/ almost nothing running that uses it.

    Most of my queries are based on the fact that my firewall is blocking intrusions from LSASS.exe, but the address it gives is 0x77E74A8F. I'm not a programmer or tech but I know enough to know that it's not an internet address. I've seen similar addresses when a GPF occurs w/ some programs. I also had a buffer overflow with Lsass that was logged by my FW. What I'm thinking it is, is a feedback loop for the auth (as it is a normal part of Windows and it verifies Windows auth as a security option and a Microsoft "spyware" type program, to verify that everyone has a legit copy of Windows). When Lsass sends out and doesn't receive (because of my FW) it faults, and because it's always active it can't crash and my FW logs the address.

    That's my hypothesis. Like I said, I don't know anything about coding and am not a tech, and this makes sense to me. If someone could explain the reason why I'm getting 0x77E74A8F as an address I'd love to hear it.

    My FW: Kerio Personal FW, last version
  5. Spike

    Spike TS Evangelist Posts: 2,168

    I don't know why it would be that specific address (someone else might. Possibly). I can tell you for sure though that 0x77E74A8F is a memory block (i.e., an address to an area of your system's memory, expressed as these things are in hex code).
Topic Status:
Not open for further replies.