Iyini i-lsass.exe, isetshenziselwa ini, futhi ungayilungisa kanjani?

Informatec Digital » Ukuphepha » Iyini i-lsass.exe, isetshenziselwa ini, futhi ungayilungisa kanjani?

Uma usebenzisa iWindows, i-lsass.exe ikusebenzela kusukela kusekhondi lokuqala., nakuba cishe ungakaze uyibone. Le nqubo, ebizwa nge-Local Security Authority Subsystem Service, iyingxenye emaphakathi yesistimu: isebenzisa izinqubomgomo zokuphepha, iqinisekisa abasebenzisi, iphathe amagama ayimfihlo, futhi iqinisekise izimvume ngaphambi kokukuvumela ukuthi ufinyelele izikhathi zakho, izinsiza, nezinhlelo zokusebenza.

Uma ukhuluma nge-lsass.exe kubalulekile ukuhlukanisa ukolweni namakhoba: Ngendlela yayo esemthethweni ibalulekile futhi iphephile, kodwa ukubaluleka kwayo futhi kuyenza iqondiswe njalo uhlelo olungayilungele ikhompuyutha ezama ukuzenza ongeyena noma igebe umsebenzi wayo. Ngezansi, uzobona ukuthi ungayikhomba kanjani, yiziphi izinkinga ezijwayelekile engazibangela noma ezihlupheke (njengokusetshenziswa okuphezulu kwe-CPU kuzilawuli zesizinda noma ukuphahlazeka ngaphansi kwezimo ezithile zefa le-NTLM), kanye nezinyathelo ezithile ezituswa yimithombo esemthethweni ukuze kuphenywe futhi kuxazululwe izinkinga eziyinkimbinkimbi.

Iyini i-lsass.exe ku-Windows?

I-Lsass.exe iyisevisi ye-Subsystem yesigunyazo sokuvikeleka kwasendaweni IWindows. Umgomo wayo ukuphoqelela inqubomgomo yezokuphepha yesistimu yokusebenza: iqinisekisa iziqinisekiso zokungena, ihlola izimvume, ilawule izinqubomgomo zephasiwedi (ukuba yinkimbinkimbi, ukuphelelwa yisikhathi, nezinguquko), futhi ixhumanisa kokubili ukuqinisekiswa kwendawo kanye nenethiwekhi.

Ku-Microsoft architectures, i-lsass.exe iyingxenye ye I-Security Subsystem Architecture futhi isebenza njengenhliziyo ye Ukuqinisekiswa kwe-LSA, ukuhlanganisa nezingxenye ze I-MS Identity ManagementKalula nje, inquma ukuthi umsebenzisi noma isevisi ingubani nokuthi yini abangayenza ngaphakathi kwesistimu nesizinda.

Kuzilawuli zesizinda se-Active Directory, i-lsass.exe ithatha izibopho ezengeziwe: Inikezela ngokubheka umkhombandlela, ibamba iqhaza ekuphindaphindweni kwesizindalwazi, futhi icubungula ukuqinisekiswa kwe-LDAP/NTLM/Kerberos kusuka kumakhasimende wesizinda.

Akuyona inqubo okufanele uyiqede, uyisuse, noma uyisuse. Ukumisa i-lsass.exe kungashiya isistimu yakho ingazinzile futhi kubangele ukuqalisa kabusha., ukulahlekelwa ukufinyelela noma ukuhluleka kokuqinisekisa.

Izici Eziyinhloko nokuthi Kungani Kubaluleke Kangaka

Ukuqinisekiswa kwabasebenzisi namasevisi: Iqinisekisa imininingwane lapho ungena noma lapho isevisi idinga ukufinyelela esisetshenziswa, endaweni yangakini noma kunethiwekhi.

Ukusebenzisa izinqubomgomo zokuphepha: Iqinisekisa ukuthi ubunkimbinkimbi bephasiwedi, ukuphelelwa yisikhathi, nemithetho yokuzungezisa kuyahlangatshezwana nayo, nokuthi izimvume ziyahlonishwa ngaphambi kokunikeza ukufinyelela.

Ukuphathwa kwe-akhawunti nokuphepha kwendawo: Isebenzisana nesizindalwazi sokuphepha sasendaweni (i-SAM) futhi, ezindaweni zesizinda, Nohlu Lwemibhalo Olusebenzayo ukubonisa izinguquko kuma-akhawunti nezinqubomgomo.

Imisebenzi yenethiwekhi: Isebenzisana nezinye izinqubo zesistimu (isibonelo, i-Nettlogon kuzilawuli zesizinda) ukuze kube lula ukufakazela ubuqiniso benethiwekhi kanye nokuphathwa kokhiye bokuqinisekisa ubunikazi namathokheni.

Ubungozi, ukuzenza ongeyena, kanye nendlela yokuqinisekisa ukuthi kusemthethweni

Ngenxa yokubaluleka kwayo, I-lsass.exe iyithagethi evamile yohlelo olungayilungele ikhompuyutha ehlose ukweba imininingwane noma ukuthola ukuphikelela. Amasu ajwayelekile ahlanganisa ukukhohlisa amagama afanayo kakhulu (isb., "lass.exe" ngaphandle kohlamvu lokuqala) noma ukusingatha amabhanari anonya ngaphandle kwendawo yawo yangempela.

Ukususa ukuzenza ongeyena, Qinisekisa ukuthi okusebenzisekayo okusemthethweni kuhlala ku-C:\\Windows\System32Noma iyiphi ikhophi enegama elifanayo kwenye ifolda ngokuvamile iyasolisa. Gcina isofthiwe yakho ye-antivirus isesikhathini futhi ushejule ukuskena okugcwele uma uthola ukuziphatha okungajwayelekile.

Ukwengeza, imibiko yezenzakalo eziningi ze-lsass.exe iyazungeza. Ukubona izikhathi ezingaphezu kwesisodwa kungase kube uphawu lokutheleleka., nakuba ezimweni eziqondile kakhulu isistimu ingase iqalise izinqubo ezihlobene nemisebenzi ethile. Uma ungabaza, phenya umsuka, isiginesha, nendlela yenqubo ngayinye.

Esikhathini esedlule, izinsongo ziye zabonwa zibhalisa ngokwazo njenge-lsass.exe noma ziyisebenzisa njengenkohliso. Phakathi kwamagama ahlobene avela: Trojan.W32.Webus, Trojan.W32.Satiloler (kanye nokunye), Trojan.W32.KELVIR, Trojan.W32.Windang, Trojan.W32.Spybot, backdoor.W32.ratsou, Trojan.W32.Downloader neTrojan.W32.

Izinkinga ezivamile nezimpawu ongase uziqaphele

Kumakhompyutha amaklayenti, Izinkinga zivame ukuvela njengamaphutha okungena ngemvume, ukwehla kwezikhathi ezithile, noma izexwayiso ze-antivirus. Kwesinye isikhathi, i-lsass.exe isolwa ngenkinga ebangelwa izinhlelo zokusebenza ezingqubuzanayo noma uhlelo olungayilungele ikhompuyutha oluzama ukuzifihla.

Kumaseva, ikakhulukazi abalawuli besizinda, Ungathola ukusetshenziswa okungavamile kwe-CPU nge-lsass.exe, izimpendulo ezihamba kancane oseshweni noma ekuqinisekiseni ubuqiniso, kanye namaklayenti athuthela kwamanye ama-DC ngenxa yokuthi awawo amanje akaphenduli ngokushelela.

NgeWindows Server 2003 bekunesimo esibhaliwe lapho I-lsass.exe iyekile ukuphendula uma inani lokungena ngasikhathi sinye liphindwe ngenani lama-trust lidlula i-1.000. Ukubambezeleka kokuqinisekiswa kwefa (NTLM) kanye namamethrikhi e-Netlogon angaqondakali nakho kwachazwa.

Umkhondo wokuxilonga kulezi zimo kwakuwukuhlola Ilogi yokususa iphutha ye-Netgon bese usesha okufakiwe kwe-SamLogon kohlobo oluthi "\u003c null \u003e\\\\username", olubonise izicelo zokuqinisekisa ezifike ngaphandle kwesizinda esihlotshaniswa nomsebenzisi, okuphoqelela ukusesha okulandelanayo kobudlelwane bokwethembana ngakunye.

Izimbangela zobuchwepheshe ezaziwayo kuzilawuli zesizinda

Ezindaweni ezinamaklayenti asebenzisa i-NTLM yefa, Inkinga iba yimbi kakhulu uma izicelo zingasicacisi isizindaI-DC kufanele ithole isizinda esifanele isebenzisa izindlela zefa, yenze imibuzo elandelanayo esizindeni ngasinye esithenjwayo, okwandisa umthwalo lapho kunama-trust amaningi kanye nevolumu ephezulu yokuqinisekisa.

IMicrosoft ibhale ukuthi, kuWindows Server 2003, Ingcindezi ehlanganisiwe yokuqalisa kanyekanye nama-trust kungaqeda izinsiza ku-lsass.exe. Lokhu kuziphatha kwalungiswa ku-Service Pack 2, kodwa amalogi athile e-hotfix nama-tweaks okunciphisa ayatholakala ezinguqulweni ezithintekile.

Omunye umthombo wezindleko yi- imibuzo ebizayo noma eklanywe kabi ye-LDAP evela ezinhlelweni zokusebenza noma amakhompyutha endaweni. Kulezi zimo, ama-lsass.exe CPU spikes abonisa ukuthi i-DC imatasa ixazulula izicelo eziqinile, hhayi ukwehluleka kwenqubo.

Uma ukucushwa kwesisekelo kunganele, amapharamitha afana ne-MaxConcurrentApi siza ukushuna ukusebenza kokuqinisekisa kwe-NTLM. I-Microsoft ichaza ukuthi libalwa kanjani inani eliphelele kuma-athikili obuchwepheshe azinikele.

Izixazululo nezinqubo ezihamba phambili zabalawuli

Ku-Windows Server 2008 nakamuva, iMicrosoft incoma ukuthi usebenzise i Isethi Yokuqoqwa Kwedatha Yohlu Lwemibhalo Esebenzayo kusuka ku-Performance Monitor ngenkathi inkinga ikhona. Leli qoqo lisebenzisa izinto zokubala kanye nemikhondo, futhi likhiqiza umbiko oqondisiwe onokutholiwe nemikhondo yophenyo.

Izinyathelo ezifingqiwe zokuqalisa i-suite (inguqulo egcwele ye-Windows Server 2008 noma ngaphezulu): vula i-Perfmon.msc (Isiphathi Seseva noma Qala → Run, noma kusuka ngokushesha komyalo), nwebisa Isistimu → Amasethi Okuqoqwa Kwedatha → Ukwethembeka Nokusebenza → Ukuxilongwa, chofoza kwesokudla u-Active Directory Diagnostics, bese uchofoza okuthi Qala.

Ukucushwa okuzenzakalelayo iqoqa idatha imizuzwana engu-300 (imizuzu emi-5) bese uhlanganisa umbiko. Isikhathi sokuhlanganisa sincike kumthamo wedatha ethwetshiwe; bekezela, kungase kuthathe isikhashana ezindaweni ezimatasa.

Uma itholakala, yiya ku Imibiko Yokusebenza Kwesistimu → Ukuxilongwa Kwemibhalo EsebenzayoBuyekeza "Imiphumela Yokuxilonga," ikakhulukazi izigaba ezimayelana nokusebenza kukonke, Uhla Lwemibhalo Olusebenzayo (imibuzo ye-LDAP enesisindo esikhulu), kanye Nenethiwekhi (ekhuluma ne-DC kakhulu ewindini elihlaziyiwe).

Odabeni oluthile lwe-Server 2003 ethintwa ifa le-NTLM ngaphandle kwesizinda, kube nokuncishiswa okubizwa ngokuthi NeverPing. Yayihlanganisa ukungeza inani le-DWORD kurejista: HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters → NeverPing = 1. Yisebenzise kuphela uma uhlangabezana nemibandela echazwe, uqonda imiphumela yayo emibi.

Izexwayiso Ezibalulekile ze-MicrosoftUkuhlela ukubhalisa ngokungalungile kungabangela izinkinga ezinkulu; isekele kuqala. Lesi silungiselelo singaba nemiphumela engathandeki uma unamakhasimende angazicacisi izizinda (isibonelo, amaklayenti amadala e-Windows 98 noma e-OWA). Isebenza kahle uma ama-akhawunti esesizinda se-DC noma kukhathalogi yomhlaba wonke; ukungqubuzana kwenzeka nama-akhawunti ezizindeni zangaphandle.

Ngaphezu kwalokho, iMicrosoft ishicilelwe amaphakethe wesevisi nama-hotfixes Yeseva ka-2003. Isincomo esijwayelekile kwakuwukufaka i-Service Pack yakamuva (i-SP2 iqale yalungisa inkinga echaziwe) futhi kuphela uma kunesidingo sebenzisa i-hotfix ethile evela ku-KB ehambisanayo, njengoba idinga ukuqinisekiswa okwengeziwe.

Ngokuqondene ne-NTLM, uma amabhodlela eqhubeka ngisho ne-NeverPing, setha i-MaxConcurrentApi ibe yinani eliphezulu ulandela imihlahlandlela esemthethweni yokulinganisa indawo okuyo. Lokhu kulungiswa kunganciphisa izikhathi zokulinda nezikhathi zokuphendula phakathi neziqongo zokufakazela ubuqiniso.

Isaziso Sokushintsha Kwerejista Nezinkomba Eziwusizo

Ngaphambi kokuthi uthinte noma yini funda indlela yokulondoloza nokubuyisela ukubhalisaIkhophi yasenqolobaneni yokubhalisa amadokhumenti e-Microsoft kanye nokubuyiselwa ezihlokweni eziyisethenjwa (isibonelo, imibhalo yokuchaza ukubhalisa ku-Microsoft Windows).

Ku-Server 2003, kubhekiselwa ku- I-KB Yephakethe Lesevisi yakamuva Iya ekhasini lokuxhumana nabosekelo ukuze uthole i-hotfix uma ingatholakali ukuze ilandwe ngokuqondile ngolimi lwakho.

Ezimweni ezifanayo ze-Windows 2000 uphawu olufana nalo lwachazwa lapho I-lsass.exe iyekile ukuphendula ngamatrust amaningi angaphandle. Kukhona nama-athikili akhuluma ngezinkinga zokuqinisekisa ngezikhathi ezithile noma ukuphela kwesikhathi lapho uxhumeka kumasevisi aqinisekisiwe.

Uma usebenzisa i-hotfix, khumbula amanothi: ngokuvamile ayinazo izimfuneko, futhi idinga ukuqalisa kabusha ngemva kokufakwa. Ngokuvamile ayithathi indawo yamanye ama-hotfixes, futhi ifomu elithi "Hotfix Iyatholakala" likhawulela izilimi ngokusekelwe ekutholakaleni.

Imininingwane yefayela lomlando (Iseva 2003)

Kulabo abadinga ukufanisa izinguqulo ekucwaningweni kwamabhuku, I-Microsoft eshicilelwe izibaluli zefayela okuhlotshaniswa ne-hotfix ku-Server 2003. Izitembu zesikhathi zivezwa nge-UTC futhi ziguqulelwa kusikhathi sasendaweni lapho ubuka izakhiwo.

Platform	Faka kungobo yomlando	I-Versión	Tamaño	Idethi (UTC)	Isikhathi (UTC)	Amanothi
x86	I-Netgon.dll	5.2.3790.573	Amabhayithi we-419.328	I-08-Aug-2006	13:01	Iseva 2003
IA-64	I-Netgon.dll	5.2.3790.573	Amabhayithi we-959.488	I-07-Aug-2006	21:58	I-RTMQFE
x86 (WOW ku-IA-64)	Wnetlogon.dll	5.2.3790.573	Amabhayithi we-419.328	I-07-Aug-2006	22:01	HEWU

Njengoba iMicrosoft ibonisa, ukuqinisekiswa kwenkinga nokuxazululwa kwayo zafakwa emikhiqizweni esohlwini lwezigaba ezithi "Isebenza ku-", futhi zaqale zalungiswa ku-Windows Server 2003 SP2.

Okufanele ukwenze uma i-antivirus yakho ibika izinsongo ku-lsass.exe

Kuyinto evamile ukufunda izimo ezifana nezomsebenzisi nazo Isexwayiso se-Avast mayelana ne-Win32:HarHarMiner-P ku-lsass.exe, ngokwehla kokusebenza kanye ne-ping ephezulu. Uma lokhu kwenzeka kuwe, kufanele usebenzise indlela yokuhlukanisa i-positive, i-spoofing, noma isifo sangempela.

Okokuqala, Hlola indlela eqondile yokusebenziseka ekhonjwa yi-antivirusUma kungeyona C:\\Windows\\System32, sola. Hlola amasiginesha edijithali ye-binary bese uqhathanisa ama-hashe nokufakwa okuhlanzekile uma kungenzeka.

Ngemuva yenza ukuhlaziya okugcwele ngezinjini eziningi (Ngaphezu kwesithwebuli sabahlali; ungasebenzisa isithwebuli esingaxhunyiwe ku-inthanethi noma amathuluzi adingeka kakhulu.) Futhi qiniseka ukuthi abashayeli bakho kanye neWindows banolwazi lwakamuva ngezibuyekezo zakamuva.

Uma ikhompuyutha ikusizinda, hlola ukuthi ukusebenza okonakele kuyahambisana yini Umbuzo we-LDAP uyakhuphuka noma izinguquko zokulayisha ku-DC. Ezimweni ezinjalo, uphawu lungase luqale kuseva hhayi kuklayenti.

Okokugcina, khumbula: Ungazami ukunqamula noma ukususa i-lsass.exeUma usola ukungena ebucayini, hlukanisa umshini kunethiwekhi, qoqa ubufakazi (amalogi, imicimbi, amasampula), futhi uqhubeke nezinqubo zokuphendula isigameko noma ukwesekwa kochwepheshe.

Imibuzo ejwayelekile

Kungani i-lsass.exe inginika amaphutha? Ngokuvamile ngenxa yezinhlelo zokusebenza ezingqubuzanayo, abashayeli abaphelelwe yisikhathi, noma uhlelo olungayilungele ikhompuyutha. Cabangela ukukhipha isofthiwe engasetshenzisiwe, ukuqala kabusha, nokuqinisekisa ubuqotho bamafayela esistimu.

Kungani ngibona izimo eziningi ze-lsass.exe? Ngokuvamile, akufanele ubone izimo eziningi ezisemthethweni. Kungase kube nezinqubo ezihlobene noma izinsiza ezisizayo, kodwa izimo eziningi ze-"lsass.exe" ngokuvamile zibonisa ukutheleleka noma umzamo wokucasha. Hlola indlela, isiginesha, nomthombo.

Yimuphi umehluko phakathi kwezindaba ze-client-side kanye ne-DC-side? Kuklayenti, uzobona amaphutha okungena noma izixwayiso zohlelo lokuvikela amagciwane; ku-DC, lokhu ngokuvamile kubonisa ukusetshenziswa okuphezulu kwe-CPU, ukubambezeleka ekusesheni/ukuqinisekisa, kanye nezinguquko zokuhlobana kweklayenti kwezinye izilawuli.

Ngingakwazi ukukhubaza i-lsass.exe ukuze ihlolwe? Cha. Kuyingxenye ebalulekile; ukuyikhubaza kungaqalisa kabusha isistimu yakho noma kuyenze ingasebenzi. Uma udinga ukuhlolwa, sebenzisa izindawo zelebhu noma imishini ebonakalayo engayodwa.

Imikhuba emihle yokugcina i-lsass.exe ingekho

• Gcina iWindows neziphakeli zakho zivuselelwe ngezibuyekezo zakamuva ze-Service Pack/cumulative.
• Hlola imibuzo ye-LDAP futhi ithuthukise izinhlelo zokusebenza ezenza ukusesha okumba eqolo noma okukhulu.
• Hlola izilungiselelo ze-NTLM zefa; uma kungenzeka, thuthela ezindleleni zesimanje, ezicacile ngobuciko.
• Sebenzisa ukuqapha okusebenzayo nge-Perfmon, izexwayiso zokusetshenziswa kwe-CPU, nabaqoqi bedatha ye-AD.
• Isungula izinqubo zokuphendula ngokumelene nokutholwa kwe-antivirus okubandakanya izinqubo zesistimu.

I-lsass.exe iyinsika yokuphepha kweWindows: Yenza kube semthethweni, ivikele futhi inikeze ukuqinisekiswa. Uma kuphakama izinkinga, cishe njalo zibangelwa umthwalo othile wokusebenza, ukulungiselelwa kwefa (okufana ne-NTLM engaphansi kwesizinda), noma ukuzenza ongeyena okunonya. Ngokuqapha okufanele, ama-patches akamuva, ukunciphisa okuqondwa kahle (NeverPing, MaxConcurrentApi), kanye nemikhuba emihle yenhlanzeko yezokuphepha, kungenzeka ukunciphisa izinkinga futhi ugcine kokubili indawo yokusebenza nezilawuli zesizinda zizinzile.