The security team at a customer of mine recently received alerts on 2 Domain Controllers and they requested clarification.It appears that this executable:C:\Program Files\Commvault\ContentStore\CVMedia\11.0.0\Windows\ThirdParty\CVInstallThirdParty\GenProcessModuleInfo.exeHas accessed this service in Windows:C:\Windows\system32\lsass.exeBoth machines run daily AD and FS system state backups for a long time now.The current version is 11.30.32Any ideas please?

Question

CV accessed lsass.exe service

2 years ago
March 21, 2023
3 replies
307 views

Marcel
Commvault Certified Expert
12 replies

The security team at a customer of mine recently received alerts on 2 Domain Controllers and they requested clarification.

It appears that this executable:

C:\Program Files\Commvault\ContentStore\CVMedia\11.0.0\Windows\ThirdParty\CVInstallThirdParty\GenProcessModuleInfo.exe

Has accessed this service in Windows:

C:\Windows\system32\lsass.exe

Both machines run daily AD and FS system state backups for a long time now.
The current version is 11.30.32

Any ideas please?

+15

Albert Williams
Vaulter
645 replies
2 years ago
March 21, 2023

Hello @Marcel,

Thanks for raising this question with us.

The process "Lsass" is described as the following on MS website:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-high-lsass.exe-cpu-utilization

Local Security Authority Subsystem Service (Lsass.exe) is the process on an Active Directory domain controller. It's responsible for providing Active Directory database lookups, authentication, and replication.

Given that this client is running AD backups we are going to use the Lsass.exe to authenticate and collect data about AD.

Kind regards

Albert Williams

The best way to learn anything, is to question everything

Marcel
Author
Commvault Certified Expert
12 replies
2 years ago
March 22, 2023

Hi @Albert Williams

Thanks for your response.
Yes that was my first thought aswell,

However I was having second thoughts:

AD backups are running for months now and they never received these alerts until yesterday
Is GenProcessModuleInfo.exe in any way responsible for these backups?

Marcel VIs

Marcel
Author
Commvault Certified Expert
12 replies
2 years ago
April 4, 2023

Any explanation from CV please?

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos + marketing

Reply

Related topics

Konferenz bitte freischaltenicon

Bitte Konferenz freischaltenicon

Konferenz bitte freischaltenicon

konferenz bitte freischaltenicon

Bitte Konferenz freischaltenicon

Most helpful members this week

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings