This tutorial will show you how to determine whether LSA started in protected mode when Windows 11 started.
Core isolation is a security feature of Microsoft Windows that protects important core processes of Windows from malicious software by isolating them in memory. It does this by running those core processes in a virtualized environment.
Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
Windows has several critical processes to verify a user’s identity. The LSA is one of those processes, responsible for authenticating users and verifying Windows logins. It is responsible for handling user credentials, like passwords, and tokens used to provide single sign-on to Microsoft accounts and Azure services. Attackers have developed tools and have abused Microsoft tools to take advantage of this process to steal credentials. To combat this, additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.
If you don't have the Local Security Authority protection (LSA) setting available in Windows Security and/or not sure if LSA protection is enabled, you can verify by looking in Event Viewer.
Reference:
Configure added LSA protection
Learn how to configure added protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
learn.microsoft.com
Here's How:
1 Open Event Viewer (eventvwr.msc).
2 In the left pane, expand open Windows Logs, and click/tap on System. (see screenshot below)
3 When the logs for System populate in the middle pane, right click/on System in the left pane, and click/tap on Filter Current Log. (see screenshot below)
It may take a moment before the logs populate in the middle pane.
4 Type 12 in the <All Event IDs> box, and click/tap on the Event sources drop menu arrow. (see screenshot below)
5 Check Wininit in the drop menu, and click/tap on an empty area on the "Filter Current Log" dialog to close the drop menu. (see screenshot below)
6 Click/tap on OK. (see screenshot below)
7 Click/tap on a log with the Date and Time timestamp for when you last booted or restarted the computer. (see screenshot below)
If the event log shows LSASS.exe was started as a protected process with level: 4, then LSA started in protected mode when Windows started at the date and time of the selected timestamp.
You can restart the computer, and then check the event log to make sure you have a new current timestamp available to verify with.
That's it,
Shawn Brink
Attachments
Last edited:
