Lsass.exe constantly reading registry for DefaultAuthLevel (NAME NOT FOUND - in Process Monitor)

jonnyc55

Member
Joined Jan 19, 2024
I see it relates to the DCOM Default Authentication Level, which has, in total, seven fields in the Component Services Windows admin tool. In the order they appear, from the top of the list to the bottom: Default, None, Call, Connect, Packet, Packet Integrity and Packet Privacy.

I only see one resource on the internet so far:

"I've found another workaround by setting HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel=6. This takes effect immediately, and changes outbound RPC to attempt connection with packet privacy"

I'm guessing that if we count 0 as a value in the DWORD key, and Packet Privacy is the last level on the list, it could make sense that 'Packet Privacy' is 6, with 0 possibly being Default. I've made a key, since there was none, and set it to 1, thinking it means None, going by the order of the list. But making the key, regardless of value, stopped lsass.exe constantly querying this registry path.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService

(DWORD key) DefaultAuthLevel

Does anyone know a concrete answer to the values for this key, or how to stop this querying from happening without setting a key?

Thanks.
 
The DCOM Default Authentication Level (DefaultAuthLevel) is indeed related to the seven fields in the Component Services Windows admin tool. The order of the fields, from top to bottom, is as follows: Default, None, Call, Connect, Packet, Packet Integrity, and Packet Privacy.

Based on the information you found, it seems that setting the value of HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel to 6 changes the outbound RPC to attempt a connection with packet privacy. The value of 0 could possibly represent the default authentication level.

By setting the DefaultAuthLevel key to 1, you may have effectively stopped the constant querying of this registry path by lsass.exe. However, it's essential to note that tampering with registry settings without a thorough understanding of their implications can have unintended consequences.

If you are looking for a concrete answer regarding the specific values for this key, it may be best to refer to official Microsoft documentation or consult with Microsoft support. They will be able to provide you with accurate information and guidance on how to address the lsass.exe querying issue without creating potential issues in your system.

Overall, it's always recommended to exercise caution when modifying registry settings and to have a backup of your system before making any changes.
 
- Microsoft forum thread.

For anyone out there with the same observation or concern, now or in the future: it was answered in the thread I made after following the ChatGPT advice, hehe, and going straight to the official Microsoft forum. It was answered there by a Microsoft agent.

I'll quote it here:

Hi

Welcome to the Microsoft community.

The lsass.exe process is responsible for security policy enforcement within the operating system and verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

The registry key you mentioned,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel

is related to the default authentication level for Remote Procedure Call (RPC), which is a protocol that one program can use to request a service from a program located on another computer on a network.

The DWORD values you mentioned correspond to the different authentication levels for DCOM. Here's what each value represents:

  • 1: None
  • 2: Connect
  • 3: Call
  • 4: Packet
  • 5: Packet Integrity
  • 6: Packet Privacy

Setting DefaultAuthLevel to 1 (None) basically means no authentication is required, while 6 (Packet Privacy) requires the highest level of authentication.

The fact that lsass.exe is constantly querying this path could be normal, especially if you have applications that heavily use DCOM or RPC. However, if you're noticing performance issues, it might be worth investigating further.

Disclaimer: Generally, modifying registry subkeys or work group is intended for advanced users, administrators, and IT Professionals. It can help fix some problems, however, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For further protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click How to back up and restore the registry in Windows - Microsoft Support to view the article.

Best regards

Derrick Qian | Microsoft Community Support Specialist
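As an added example (not from this thread, and not Microsoft's code), here is a small Python script that triages a Process Monitor CSV export for exactly the pattern described in the opening post: it counts NAME NOT FOUND reads of DefaultAuthLevel per process, and decodes any successful REG_DWORD read of that value using the RPC_C_AUTHN_LEVEL mapping from the reply above. It adds 0 = Default (RPC_C_AUTHN_LEVEL_DEFAULT in rpcdce.h), which the reply's list omits. The CSV rows embedded in the script are constructed sample data, not a real capture; the column names match ProcMon's default CSV export (File > Save, CSV).

```python
import csv
import io
import re
from collections import Counter

# RPC_C_AUTHN_LEVEL_* constants from rpcdce.h. The Microsoft reply lists 1..6;
# 0 (RPC_C_AUTHN_LEVEL_DEFAULT) is the "Default" entry at the top of the dropdown.
RPC_AUTHN_LEVELS = {
    0: "Default",
    1: "None",
    2: "Connect",
    3: "Call",
    4: "Packet",
    5: "Packet Integrity",
    6: "Packet Privacy",
}

VALUE_NAME = "DefaultAuthLevel"

# Constructed sample of a Process Monitor CSV export with the default columns.
# These rows are made up for the example; they are not a real capture.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","lsass.exe","712","RegQueryValue","HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel","NAME NOT FOUND","Length: 16"
"10:01:02.1301234","lsass.exe","712","RegQueryValue","HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel","NAME NOT FOUND","Length: 16"
"10:01:02.2000000","svchost.exe","1044","RegQueryValue","HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel","NAME NOT FOUND","Length: 16"
"10:01:03.0000000","lsass.exe","712","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel","NAME NOT FOUND","Length: 16"
"10:05:00.0000000","lsass.exe","712","RegQueryValue","HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel","SUCCESS","Type: REG_DWORD, Length: 4, Data: 6"
'''.strip()

# ProcMon's Detail column for a successful DWORD read looks like
# "Type: REG_DWORD, Length: 4, Data: 6".
_DWORD_RE = re.compile(r"Type: REG_DWORD, Length: 4, Data: (\d+)")


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export (as a string) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def _reads_value(row, name=VALUE_NAME):
    """True if the row is a RegQueryValue of the named value (case-insensitive path match)."""
    return (row.get("Operation") == "RegQueryValue"
            and row.get("Path", "").lower().endswith("\\" + name.lower()))


def missing_value_hits(rows, name=VALUE_NAME):
    """Count NAME NOT FOUND reads of the value, keyed by (process name, PID)."""
    hits = Counter()
    for row in rows:
        if _reads_value(row, name) and row.get("Result") == "NAME NOT FOUND":
            hits[(row["Process Name"], row["PID"])] += 1
    return hits


def decode_auth_level(detail):
    """Turn a successful DWORD read's Detail text into (value, level name), or None."""
    m = _DWORD_RE.search(detail or "")
    if not m:
        return None
    value = int(m.group(1))
    # Anything outside 0..6 is not a valid RPC_C_AUTHN_LEVEL and is worth flagging.
    return value, RPC_AUTHN_LEVELS.get(value, "unknown (not a valid RPC_C_AUTHN_LEVEL)")


def observed_auth_levels(rows, name=VALUE_NAME):
    """Map (process name, PID) -> (value, level name) for successful reads of the value."""
    seen = {}
    for row in rows:
        if _reads_value(row, name) and row.get("Result") == "SUCCESS":
            decoded = decode_auth_level(row.get("Detail"))
            if decoded is not None:
                seen[(row["Process Name"], row["PID"])] = decoded
    return seen


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for (proc, pid), n in missing_value_hits(rows).most_common():
        print(f"{proc} (PID {pid}): {n} NAME NOT FOUND read(s) of {VALUE_NAME}")
    for (proc, pid), (value, label) in observed_auth_levels(rows).items():
        print(f"{proc} (PID {pid}) read {VALUE_NAME} = {value} ({label})")
```

To run it against a real trace, filter ProcMon on Path contains "Rpc\SecurityService", save as CSV, and pass the file contents to parse_procmon_csv in place of SAMPLE_CSV. A large per-process count of NAME NOT FOUND is the behaviour the opening post describes; it is a failed lookup of an absent value, not an error, and the decoded level from any SUCCESS row tells you what was actually configured once the value exists.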
 