Windows 10 Windows Hardening Guide: Securing the LSASS process

  • Thread Author
Applies to:
Windows 8.1, Windows 10, Server 2012 R2 and Server 2016

Description:
This is a simple tutorial on how to run the lsass.exe process as a protected process so that it's memory can't be dumped and passwords extracted.

Warnings:
Some drivers may be loaded by lsass that will not run when lsass is running in protected mode. If this is the case you can change the value below back to 0

About LSASS:
The lsass.exe process is what authenticates you when you enter your credentials. It also by default stores many types of credentials in clear text within the process memory. Many tools can be used to dump this memory and the passwords can be extracted.

  1. Click on the start button or press the Windows key
  2. Type regedit.exe
  3. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  4. WIth LSA highlighted, in the right pane create a new DWORD named RunAsPPL
  5. Double click the new value and set it to 1
  6. Reboot and your lsass process will be running in protected mode