Question

CV accessed lsass.exe service

  • March 21, 2023
  • 3 replies
  • 348 views

Marcel
Certified Expert

The security team at a customer of mine recently received alerts on 2 Domain Controllers and they requested clarification.

It appears that this executable:

  • C:\Program Files\Commvault\ContentStore\CVMedia\11.0.0\Windows\ThirdParty\CVInstallThirdParty\GenProcessModuleInfo.exe

Has accessed this service in Windows:

  • C:\Windows\system32\lsass.exe

Both machines have been running daily AD and FS system state backups for a long time now.
The current version is 11.30.32

Any ideas please?

3 replies


Hello @Marcel,

 

Thanks for raising this question with us.

The process "Lsass" is described as follows on the MS website:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-high-lsass.exe-cpu-utilization

Local Security Authority Subsystem Service (Lsass.exe) is the process on an Active Directory domain controller. It's responsible for providing Active Directory database lookups, authentication, and replication.

 

Given that this client is running AD backups, we are going to use Lsass.exe to authenticate and collect data about AD.

 

Kind regards

Albert Williams


Marcel
Certified Expert
  • Author
  • March 22, 2023

Hi @Albert Williams 

Thanks for your response.
Yes, that was my first thought as well,

However I was having second thoughts:

  • AD backups have been running for months now and they never received these alerts until yesterday
  • Is GenProcessModuleInfo.exe in any way responsible for these backups?

br

Marcel VIs


Marcel
Certified Expert
  • Author
  • April 4, 2023

Any explanation from CV please?
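
One way to follow up on the two open points in this thread (whether the alerted binary is genuinely signed, and whether it only recently appeared on the domain controllers), as an added example that is not part of the original posts and is not Commvault code. The `-FirstAlert` default and the 7-day window are assumptions to replace with values from your own alert.

```powershell
# Added example, not Commvault code: triage the binary named in an lsass.exe access alert.
param(
    # Path as reported in the alert quoted in this thread.
    [string]$Path = 'C:\Program Files\Commvault\ContentStore\CVMedia\11.0.0\Windows\ThirdParty\CVInstallThirdParty\GenProcessModuleInfo.exe',
    # Assumption: time of the first alert; replace with the value from your alert.
    [datetime]$FirstAlert = (Get-Date).AddDays(-1),
    # Assumption: how far before the first alert a file counts as "recently arrived".
    [int]$WindowDays = 7
)

function Get-AlertedBinaryTriage {
    param([string]$LiteralPath, [datetime]$FirstAlert, [int]$WindowDays)

    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Leaf)) {
        # Nothing to inspect at this path; report that instead of throwing.
        return [pscustomobject]@{ Path = $LiteralPath; Exists = $false }
    }

    $file = Get-Item -LiteralPath $LiteralPath
    $sig  = Get-AuthenticodeSignature -LiteralPath $LiteralPath
    $hash = Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA256

    # Unsigned files have no signer certificate.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Creation time is when the file landed on this volume; a value shortly
    # before the first alert points at a recent install or update.
    $alertUtc    = $FirstAlert.ToUniversalTime()
    $windowStart = $alertUtc.AddDays(-$WindowDays)
    $arrivedNearAlert = ($file.CreationTimeUtc -ge $windowStart) -and
                        ($file.CreationTimeUtc -le $alertUtc)

    [pscustomobject]@{
        Path             = $file.FullName
        Exists           = $true
        SignatureStatus  = $sig.Status          # 'Valid' = signed, trusted chain, file unmodified
        Signer           = $signer
        FileVersion      = $file.VersionInfo.FileVersion
        CompanyName      = $file.VersionInfo.CompanyName
        SHA256           = $hash.Hash
        CreatedUtc       = $file.CreationTimeUtc
        LastWriteUtc     = $file.LastWriteTimeUtc
        ArrivedNearAlert = $arrivedNearAlert
    }
}

Get-AlertedBinaryTriage -LiteralPath $Path -FirstAlert $FirstAlert -WindowDays $WindowDays | Format-List
```

Run it on each domain controller that raised the alert; the signer, SHA256 and timestamps are the details to pass to the vendor and the security team when asking whether this access is expected.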