Is NT Authority some kind of ghost in the machine?
Yes.
With the help of Rock's post I see now. Don't worry about it.
<quote>
Microsoft Windows XP includes the following three built-in local accounts
used as the logon accounts for various system services:
The Local System account is a predefined local account that can start a
service and provide the security context for that service. The actual name
of the account is NT AUTHORITY\System.
The Local Service account is a special built-in account that has reduced
privileges similar to an authenticated local user account. The actual name
of the account is NT AUTHORITY\LocalService.
The Network Service account is a special built-in account that has reduced
privileges similar to an authenticated user account. The actual name of the
account is NT AUTHORITY\NetworkService.
<quote>
The Local Service account is a special built-in account that has reduced
privileges similar to an authenticated local user account. The actual name
of the account is NT AUTHORITY\LocalService.
%SystemRoot%\System32\svchost.exe -k LocalService
or
C:\WINDOWS\System32\svchost.exe -k LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
* LocalService loads these services: Alerter, WebClient, LmHosts (TCP/IP
NetBIOS Helper), RemoteRegistry, upnphost (Universal Plug and Play Device
Host) and SSDPSRV (SSDP Discovery Service).
* NetworkService loads DnsCache (DNS Client).
All of those services run in hidden windows (they do not show up on the
Applications tab of Task Manager) and have no user interaction.
These accounts have the Hidden and System attributes.
C:\Documents and Settings\LocalService
C:\Documents and Settings\NetworkService
The LocalService and NetworkService accounts perform things like
synchronizing the time, running services, system maintenance, etc.
LocalService and NetworkService can:
Change the system time
Generate security audits
Log on as a service
From Small Potato.
<quote>
Just for more information, Local Service and Network Service accounts
are created for security reasons.
In Windows 2000/NT, system services are launched with the "Local System"
credential, which has system-wide privilege as Administrator. So if the
service was attacked, attackers who gain the privilege of Local System can
perform a system-wide attack.
So Windows XP introduced Local Service and Network Service accounts for
system services. Both run with an unprivileged "Limited Users" credential
instead of having full system rights, but Local Service accesses the Windows
network using null sessions, i.e., it uses an anonymous credential, while
Network Service accesses the Windows network with the computer account, just
like Local System.
For more information, you may refer to this article:
The Services and Service Accounts Security Planning Guide
http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/default.mspx
<quote>
For more information, you may refer to this article:
The Services and Service Accounts Security Planning Guide
Chapter 2 - The Approach to Running Services More Securely
http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/sspgch02.mspx
Every time that I read through those articles it seems like I understand
things, but if I try to explain those things to someone else it's a
different story.
Services are loaded under svchost.exe, lsass.exe and services.exe.
To see what services are running under which svchost.exe, open a command
prompt, type: tasklist /svc and hit enter.
You can match up the PID# with the PID# in Task Manager if you have that
column showing: Task Manager | View | Select columns | PID (Process
Identifier).
Tasklist with no switches will show like in the Task Manager. The /SVC
switch displays services in each process.
Services are loaded under svchost.exe, lsass.exe and services.exe.
Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.
It is also called the Local Security Administration Subsystem Service.
Lsass.exe seems to have a lot of names.
Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM
Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected
Storage (ProtectedStorage) and Security Accounts Manager (SamSs).
Services.exe (Services and Controller app) loads the Event Log service and
the Plug and Play service.
Svchost.exe (Generic Host Process for Win32 Services) loads the rest of the
services.
Depending on the switch used, svchost.exe loads them under imgsvc,
LocalService, netsvcs, NetworkService, rpcss or termsvcs.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
* imgsvc loads StiSvc. StiSvc is the Windows Image Acquisition (WIA)
service.
%SystemRoot%\system32\svchost.exe -k imgsvc
* LocalService loads Alerter, WebClient, LmHosts, RemoteRegistry, upnphost
and SSDPSRV.
%SystemRoot%\system32\svchost.exe -k LocalService
* netsvcs loads 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP,
ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip,
Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc,
NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule,
Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time,
WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS,
ShellHWDetection, helpsvc, uploadmgr, WmdmPmSN and Ip6FwHlp.
%SystemRoot%\System32\svchost.exe -k netsvcs
* NetworkService loads DnsCache.
%SystemRoot%\system32\svchost.exe -k NetworkService
* rpcss loads RpcSs.
%SystemRoot%\system32\svchost -k rpcss
* termsvcs loads TermService.
%SystemRoot%\System32\svchost -k DComLaunch
I am not going to translate all of those Service Names to their Display
Names. If you want to know open the Registry Editor (regedit) and navigate
to...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
If you click on ALG, for example, and look at the Display Name you'll see
Application Layer Gateway Service. You can also open services.msc, double
click a service and on the General tab are both the service name and the
display name. The service name is used for commands like: sc query alg
etc. The service name is also how they are listed in the registry. Some
are self evident, some are tough to figure out without a program.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
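
The lookups described in the post above (the SvcHost registry key, tasklist /svc, and the service name versus display name) can be combined into one report that also shows which account each hosted service logs on as. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later (on older systems Get-WmiObject takes the place of Get-CimInstance), and the column names are chosen here for illustration.

```powershell
# Added example: tie each svchost.exe group to its services, logon account and PID.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

# Every REG_MULTI_SZ value under the SvcHost key is a group name (the -k argument);
# its data is the list of service names that group may host.
$key = Get-Item -Path $svcHostKey
$registered = @{}
foreach ($group in $key.GetValueNames()) {
    if ($key.GetValueKind($group) -ne [Microsoft.Win32.RegistryValueKind]::MultiString) { continue }
    foreach ($svc in $key.GetValue($group)) {
        $registered["$group/$svc"] = $true   # hashtable keys are case-insensitive
    }
}

# Win32_Service.StartName is the logon account, e.g. LocalSystem or
# NT AUTHORITY\LocalService; PathName carries the "svchost.exe -k <group>" command line.
$rows = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if ($_.PathName -match 'svchost(?:\.exe)?"?\s+-k\s+(\S+)') {
        $group = $Matches[1]
        [pscustomobject]@{
            Account    = $_.StartName
            Group      = $group
            Service    = $_.Name
            Display    = $_.DisplayName
            State      = $_.State
            ProcessId  = $_.ProcessId
            # False: this service is not listed under that group in the SvcHost key.
            Registered = $registered.ContainsKey("$group/$($_.Name)")
        }
    }
}

# Full mapping, ordered so that everything running as LocalSystem sits together.
$rows | Sort-Object Account, Group, Service | Format-Table -AutoSize

# Count of svchost-hosted services per logon account: the LocalSystem figure is the
# set worth reviewing for services that could run as LocalService or NetworkService.
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The ProcessId column matches the PID shown by tasklist /svc and Task Manager, so a given svchost.exe instance can be traced back to its group and logon account.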