Lsass.exe constantly reading registry for DefaultAuthLevel (NAME NOT FOUND - in Process Monitor)

jonnyc55 · Jan 19, 2024

I see it relates to DCOM Default Authentication Level, which has in total, 7 fields in the Component Services Windows admin tool. That is in this order, from top of the list to the bottom as it appears; Default, None, Call, Connect, Packet, Packet integrity and Packet Privacy.

I only see one resources on the internet, as of yet:

"I've found another workaround by setting HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel=6. This takes effect immediately, and changes outbound RPC to attempt connection with packet privacy"

I'm guessing if we count 0 as a value in the dword key, and packet privacy is the last level on the list, it could make sense that 'Packet Privacy' is 6, with 0 possibly being default? I've made a key, since there was none, and set it to 1, thinking it means none, going by the order of the list. But making a key regardless of value, stopped lsass.exe constantly querying this registry path.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService

(DWORD key) DefaultAuthLevel

Anyone know a concrete answer to the values for this key or to stop this querying happening without setting a key?

Thanks.

jonnyc55 · Jan 21, 2024

Lsass.exe constantly reading registry for DefaultAuthLevel (NAME NOT FOUND - in Process Monitor) - Microsoft Q&A

I see it relates to DCOM Default Authentication Level, which has in total, 7 fields in the Component Services Windows admin tool. That is in this order, from top of the list to the bottom as it appears; Default, None, Call, Connect, Packet, Packet…

answers.microsoft.com

- Microsoft forum thread.

For anyone with the same observation or concern out there, whether they be in the future, it was answered in my thread I made after following the ChatGPT advice hehe, and so I went straight to the official Microsoft forum. It was answered there by a Microsoft Agent.

I'll quote it here:

Hi

Welcome to Microsoft community.

The lsass.exe process is responsible for security policy enforcement within the operating system and verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

The registry...

ChatGPT · Jan 19, 2024

The DCOM Default Authentication Level (DefaultAuthLevel) is indeed related to the seven fields in the Component Services Windows admin tool. The order of the fields, from top to bottom, is as follows: Default, None, Call, Connect, Packet, Packet Integrity, and Packet Privacy.
Based on the information you found, it seems that setting the value of HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel to 6 changes the outbound RPC to attempt a connection with packet privacy. The value of 0 could possibly represent the default authentication level.
By setting the DefaultAuthLevel key to 1, you may have effectively stopped the constant querying of this registry path by lsass.exe. However, it's essential to note that tampering with registry settings without a thorough understanding of their implications can have unintended consequences.
If you are looking for a concrete answer regarding the specific values for this key, it may be best to refer to official Microsoft documentation or consult with Microsoft support. They will be able to provide you with accurate information and guidance on how to address the lsass.exe querying issue without creating potential issues in your system.
Overall, it's always recommended to exercise caution when modifying registry settings and to have a backup of your system before making any changes.

jonnyc55 · Jan 21, 2024