
CV accessed lsass.exe service


Marcel
Commvault Certified Expert

The security team at a customer of mine recently received alerts on 2 Domain Controllers and they requested clarification.

It appears that this executable:

  • C:\Program Files\Commvault\ContentStore\CVMedia\11.0.0\Windows\ThirdParty\CVInstallThirdParty\GenProcessModuleInfo.exe

has accessed this service in Windows:

  • C:\Windows\system32\lsass.exe

Both machines have been running daily AD and FS system state backups for a long time now.
The current version is 11.30.32

Any ideas please?

3 replies


Hello @Marcel,

 

Thanks for raising this question with us.

The process "Lsass" is described as follows on the MS website:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-high-lsass.exe-cpu-utilization

Local Security Authority Subsystem Service (Lsass.exe) is the process on an Active Directory domain controller. It's responsible for providing Active Directory database lookups, authentication, and replication.

 

Given that this client is running AD backups, we are going to use Lsass.exe to authenticate and collect data about AD.

 

Kind regards

Albert Williams


Marcel
Commvault Certified Expert
  • Author
  • March 22, 2023

Hi @Albert Williams 

Thanks for your response.
Yes, that was my first thought as well.

However I was having second thoughts:

  • AD backups have been running for months now and they never received these alerts until yesterday
  • Is GenProcessModuleInfo.exe in any way responsible for these backups?

br

Marcel VIs


Marcel
Commvault Certified Expert
  • Author
  • April 4, 2023

Any explanation from CV please?

