lithnet/ad-password-protection

LSA protected mode working?

Alex-Busch opened this issue · 6 comments

I know that since version [1.0.7236] LSA protected mode should be supported.
However, when I try it, it doesn't work. It gives error 577 on loading lithnetpwdf in the system log.
The corresponding log entry in Code Integrity is related to the required VCRuntime. But this is already version 14.32.31332, which is quite up to date.
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\vcruntime140.dll that did not meet the Microsoft signing level requirements.
So I wonder if anyone got that running?

Best regards
Alex
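A quick diagnostic a defender can run on the affected DC to confirm the state described above: whether RunAsPPL is on, who signed the VC runtime in System32, and which Code Integrity and System log entries record the rejected load. This is an added example, not code from the issue or from the project; it assumes the filter DLL name lithnetpwdf as given in the report and matches on message text rather than on any event ID.

```powershell
# Added example (not from the issue thread or the project).
# Checks the pieces involved in this report: LSA protected mode, the
# Authenticode signature on vcruntime140.dll, and the related log entries.

# 1. Is LSA protected mode (RunAsPPL) enabled on this host?
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$runAsPpl = if ($null -ne $lsa.RunAsPPL) { $lsa.RunAsPPL } else { 0 }
"RunAsPPL = $runAsPpl (1 = enabled, 0 or absent = disabled)"

# 2. Version and signer of the VC runtime that lsass.exe loads with the filter.
$dllPath = Join-Path $env:SystemRoot 'System32\vcruntime140.dll'
if (Test-Path $dllPath) {
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    [pscustomobject]@{
        File        = $dllPath
        FileVersion = (Get-Item $dllPath).VersionInfo.FileVersion
        SigStatus   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Issuer      = $sig.SignerCertificate.Issuer
        NotAfter    = $sig.SignerCertificate.NotAfter
    } | Format-List
} else {
    "vcruntime140.dll not found in System32"
}

# 3. Code Integrity events where lsass.exe tried to load a DLL that failed
#    the signing level requirement (the event text quoted in the issue).
$ciLog = 'Microsoft-Windows-CodeIntegrity/Operational'
Get-WinEvent -LogName $ciLog -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' -and $_.Message -match 'signing level' } |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# 4. System log entries naming the password filter DLL (name assumed from the report).
Get-WinEvent -LogName System -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lithnetpwdf' } |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

Run it in an elevated PowerShell session on the DC; if step 2 shows a signer that differs from the one on a DC where the filter loads fine, that is the signing-certificate difference the maintainers later confirmed.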

Hi Alex,

We're not seeing this in our environments, but have another open case where a user is seeing this on one of their DCs but not the other. What does the signature on vcruntime140 look like?

[screenshot]

Can you provide me with some information on the OS version and build number?

Hi Ryan,
thank you for your answer. Sure, here are some details.

System 1:

Windows 2012R2 Datacenter, German language, running on VMware
[screenshot]
The vcruntime details:
[screenshots]

System 2:

Windows 2016 Standard, German, running on VMware
[screenshot]
vcruntime is the same as above.

Originally there was an older vcruntime on the systems, which came with VMware Tools. As I suspected a connection to that, I updated to the latest release, but the issue persists.

Best regards
Alex

Hi Alex,

I've been able to reproduce this on Server 2012 R2. The issue doesn't seem to appear on Windows Server 2019. I'm still investigating what is going on, but there is definitely something up with that version of the C runtime. I'm going to try making a new build and linking it to the latest C runtime. I'm currently having some EV signing certificate issues that I'm trying to sort out with my vendor, so it will be a few days before I have updates on this.

An update on this issue: we've been working with Microsoft and have confirmed that Windows Server 2012 R2 and Windows Server 2016 are impacted, and Windows Server 2019+ is not. This appears to be related to a recent change in the signing certificate Microsoft has used for the Visual C runtime.

We've released a fix to work around the issue with the Microsoft signing certificate:

https://github.com/lithnet/ad-password-protection/releases/tag/v1.0.7242

Thank you for the update. It's working now as expected. I appreciate your work.