Question

CV accessed lsass.exe service

  • 21 March 2023


The security team at a customer of mine recently received alerts on 2 Domain Controllers and they requested clarification.

It appears that this executable:

  • C:\Program Files\Commvault\ContentStore\CVMedia\11.0.0\Windows\ThirdParty\CVInstallThirdParty\GenProcessModuleInfo.exe

has accessed this service in Windows:

  • C:\Windows\system32\lsass.exe

Both machines have been running daily AD and FS system state backups for a long time now.
The current version is 11.30.32.

Any ideas please?


3 replies

Hello @Marcel,

Thanks for raising this question with us.

The process "Lsass" is described as follows on the MS website:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-high-lsass.exe-cpu-utilization

Local Security Authority Subsystem Service (Lsass.exe) is the process on an Active Directory domain controller. It's responsible for providing Active Directory database lookups, authentication, and replication.

Given that this client is running AD backups, we are going to use Lsass.exe to authenticate and collect data about AD.

Kind regards

Albert Williams

Hi @Albert Williams

Thanks for your response.
Yes, that was my first thought as well.

However, I was having second thoughts:

  • AD backups have been running for months now, and they never received these alerts until yesterday
  • Is GenProcessModuleInfo.exe in any way responsible for these backups?

br

Marcel VIs

Any explanation from CV please?
