lsass.exe error


Doug G

We're getting reports from one of your XPE systems in the field that it has
a "Windows error message" that won't go away and that the message references
"lsass.exe". As usual, details are lacking, but I'm trying to find out more.
However, this does have a ring of familiarity about it. I checked the
archives and found a number of threads related to this module, but this
error just started occurring on a system that has been running well up to
this point. Also, the system uses EWF and should be protected against any
changes since deployment. However, it's obvious that *something* must have
changed.

Anyone have any ideas what could have gone wrong?

Doug Gordon
 
Doug, FYI

I got lsass.exe errors whenever I loaded Roxio's Direct
CD on XPE boxes. I no longer use it because I couldn't
figure out the problem. The Roxio install messed up local
security. Have there been any additional installs on the
system, updates, 3rd party utils?
 
I'm going to do that, but I don't see how a virus could infect a system that
is protected by EWF. It should start up clean at every reboot, regardless of
file & registry changes made by the virus. That's why I'm wondering if
someone has changed the config or committed changes when they shouldn't have
or something.

Doug Gordon
 
Hi Doug,

EWF is too broad to give you any conclusion about what a virus can/can't do.

Is it RAM or DISK based overlay?

Best regards,
Slobodan
 
Doug G.

Can you tell if someone did a -commit? I.e. do you pipe the output to a txt
file like "ewfmgr C: -commit > save.txt"?

Also, it looks like you are not implementing port filtering. This would
help a lot in avoiding many viruses by only allowing inbound ports that you
really need.

HTH... Doug H.
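The suggestion above, of saving ewfmgr's output to a text file, only helps if someone later reads that file. Below is an added example (not code from anyone in this thread) that parses a saved ewfmgr status report and answers the questions the thread raises: whether the overlay is RAM- or disk-based, whether protection is still enabled, and whether a -commit has been queued for the next reboot. The field names in the sample report follow the layout of ewfmgr's status output as I remember it from XP Embedded; that layout is an assumption, and the sample text itself is constructed, so compare the regular expression against your own save.txt before relying on it.

```python
"""Parse a saved `ewfmgr <volume>` status report and flag anything that
would explain changes surviving a reboot on an EWF-protected XPE box."""
import re

# Constructed sample of an ewfmgr status report (field layout assumed,
# values invented). A real one comes from e.g. `ewfmgr C: > save.txt`.
SAMPLE_EWFMGR_OUTPUT = """\
Protected Volume Configuration
  Type            RAM (REG)
  State           ENABLED
  Boot Command    COMMIT
     Param1       0
     Param2       0
  Persistent Data ""
  Volume ID       12 34 56 78 9A BC DE F0 11 22 33 44 55 66 77 88
  Device Name     "\\Device\\HarddiskVolume1" [C:]
  Max Levels      1
  Clump Size      512
  Current Level   1

  Memory used for data 0 bytes
  Memory used for mapping 0 bytes
"""

# Only the three fields the assessment needs; everything else is ignored.
FIELD_RE = re.compile(r"^\s*(Type|State|Boot Command)\s+(.+?)\s*$", re.MULTILINE)


def parse_ewf_status(text):
    """Return {'type': ..., 'state': ..., 'boot_command': ...} from the report.

    Raises ValueError if any of the three fields is absent, so a report in
    an unexpected layout fails loudly instead of reading as 'all clear'.
    """
    fields = {}
    for key, value in FIELD_RE.findall(text):
        fields[key.lower().replace(" ", "_")] = value.strip()
    missing = {"type", "state", "boot_command"} - fields.keys()
    if missing:
        raise ValueError("ewfmgr output lacks fields: " + ", ".join(sorted(missing)))
    return fields


def assess_ewf(text):
    """Turn the parsed report into findings plus plain-language warnings."""
    f = parse_ewf_status(text)
    findings = {
        # RAM and RAM (REG) overlays are discarded at reboot; a disk overlay
        # keeps its levels on the disk, so changes can persist across reboots.
        "overlay": "RAM" if f["type"].upper().startswith("RAM") else "DISK",
        "protected": f["state"].upper() == "ENABLED",
        # ewfmgr -commit does not write the overlay immediately; it queues a
        # COMMIT boot command that is carried out on the next restart.
        "commit_pending": f["boot_command"].upper() == "COMMIT",
        "warnings": [],
    }
    if not findings["protected"]:
        findings["warnings"].append(
            "EWF is disabled on this volume: every change is written straight to disk.")
    if findings["commit_pending"]:
        findings["warnings"].append(
            "A -commit is queued: the current overlay, including any malware, "
            "will be written to the protected volume at the next reboot.")
    if findings["overlay"] == "DISK":
        findings["warnings"].append(
            "Disk-based overlay: changes survive reboots until the overlay is "
            "discarded, so a clean restart is not guaranteed.")
    return findings


if __name__ == "__main__":
    result = assess_ewf(SAMPLE_EWFMGR_OUTPUT)
    print("overlay=%s protected=%s commit_pending=%s"
          % (result["overlay"], result["protected"], result["commit_pending"]))
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Run it against the file the box actually produced (`assess_ewf(open("save.txt").read())`) rather than the sample. A queued COMMIT with no ticket behind it is the "someone committed when they shouldn't have" case from the thread, and a report showing State DISABLED or a disk overlay explains how a file or registry change could outlive a restart in the first place.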
 
I'm going to do that, but I don't see how a virus could infect a
system that is protected by EWF. It should start up clean at every
reboot, regardless of file & registry changes made by the virus.
That's why I'm wondering if someone has changed the config or
committed changes when they shouldn't have or something.

Is it possible there are infected machines on the network, and the XPE
device is being reinfected every time it restarts?
 