What's going on here? Should I be scared? The .exe is in system32, seems legit, MBAM and Virustotal say it's clean. But why is it running without a user? If killed it doesn't seem to do anything, but it reappears under a different PID within a few minutes.
Also, what is Lsalso.exe? Also in system32, signed by MS, description reads "Credential Guard" - but MBAM can't scan it (right-click scan of the file returns a scan that finishes with 0 files scanned, 0 threats found) and it can't be uploaded to virustotal (does not display in the upload browser).
Please help. I'm all but gnawing my elbows off here.
>running without a user
it's mostly a loading/display bug, sometimes task manager reports that if it's running as/on a non-admin account
>reappears under a different PID within a few minutes
that's because it's running as a service that restarts upon failure. you can totally disable that service if you want
>lsalso.exe
you mean lsass? that's normal, it's a process that manages security stuff (password storage, etc.). it can (or at least could in older versions of windows) be disabled/removed but I don't think that's a good idea
everything looks normal, I would be far more bothered by running w10 with all its phone-home and ad-injection thing-ma-gigs than all that
>>298895
It's the new font decoder sandbox in W10.
It runs without a username because it's dropped all privileges so that when someone compromises the font engine with a cleverly-crafted font, all they can do is fuck up your font instead of rootkitting your system.
>>298905
Thank you for playing. If you don't know, maybe google it instead of just guessing?
>>298895
LSAlso is the core of LSASS, also broken out into a sandbox, but for the opposite reason.
LSAlso guards all your passwords. In older Windowses you'd authenticate with LSASS when you logged on, and LSASS would check the passwords it stored to see if you were who you said you were.
In the new W10, LSASS still does this, but it's not trusted to store any passwords. The passwords live in LSAlso, and the only way anything can communicate with LSAlso is by asking it questions about passwords. This means you can have the entire OS compromised, and it still can't get the secrets out of LSAlso.
That's also why you can't scan it: you can't do anything to it other than ask it about passwords.
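Added example (not from any poster in this thread): a PowerShell script that lets a worried user verify the claims made about fontdrvhost.exe and the isolated LSA process from the defender's side, instead of guessing from Task Manager. It assumes Windows 10/11 with PowerShell 5.1 or later, run from an elevated prompt (the `-IncludeUserName` switch and the DeviceGuard CIM class both need it). The image the thread spells "Lsalso.exe" is LsaIso.exe on disk (capital I, Isolated LSA), so that is the process name used below; the three checks show which account hosts the font driver, whether the binaries carry a valid Microsoft Authenticode signature, and whether Credential Guard is actually running.

```powershell
# Added example, not code from the thread. Assumes Windows 10/11,
# PowerShell 5.1+, elevated session.

# 1. Which account hosts fontdrvhost.exe? Each instance runs under a
#    low-privilege virtual account named "Font Driver Host\UMFD-<session>";
#    Task Manager may show that user column as blank, which is the
#    "running without a user" effect described above.
function Get-FontDriverHostOwner {
    Get-Process -Name fontdrvhost -IncludeUserName -ErrorAction SilentlyContinue |
        Select-Object Id, SessionId, UserName, Path
}

# 2. Are the binaries the ones Windows ships? Resolve the on-disk path of each
#    running instance and check its Authenticode signature. Anything that is
#    not Status=Valid with a Microsoft signer, or that lives outside
#    %SystemRoot%\System32, deserves a closer look.
function Test-SystemProcessSignature {
    param([string[]]$Name = @('fontdrvhost', 'lsass', 'LsaIso'))

    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            [pscustomobject]@{
                Path      = $_
                InSystem32 = $_.StartsWith("$env:SystemRoot\System32", 'OrdinalIgnoreCase')
                Status    = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

# 3. Is Credential Guard (the isolated LSA that holds the secrets) running?
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running.
#    SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        LsaIsoProcessPresent   = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

Get-FontDriverHostOwner     | Format-Table -AutoSize
Test-SystemProcessSignature | Format-Table -AutoSize
Get-CredentialGuardState    | Format-List
```

If `CredentialGuardRunning` is false but LsaIso.exe is present, the isolated process exists on disk and may be started, but the secrets are not actually being protected by virtualization-based security; if the signature check reports anything other than `Valid` for a file under System32, that is the point at which a full-disk scan is worth more than re-scanning the one file.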
>>298908
>If you don't know
uh? don't know what?
>>298908
OP here. Thanks for the reply.
Something else I've noticed about fontdrvhost.exe: whenever I run a scan with MBAM, fontdrvhost.exe starts using 3-4% CPU. This drops to 0% immediately once the scan is complete. I haven't installed any custom fonts on this machine. Is this normal behaviour for the process?