W10 - Process with no user?

Thread replies: 7
Thread images: 1

File: spoopy.jpg (34KB, 803x95px)
What's going on here? Should I be scared? The .exe is in system32, seems legit, MBAM and Virustotal say it's clean. But why is it running without a user? If killed it doesn't seem to do anything, but it reappears under a different PID within a few minutes.

Also, what is LsaIso.exe? Also in system32, signed by MS, description reads "Credential Guard" - but MBAM can't scan it (right-click scan of the file returns a scan that finishes with 0 files scanned, 0 threats found) and it can't be uploaded to VirusTotal (it does not display in the upload browser).

Please help. I'm all but gnawing my elbows off here.
>>
>running without a user
it's mostly a loading/display bug; sometimes Task Manager reports that if it's running as/on a non-admin account
>reappears under a different PID within a few minutes
that's because it's running as a service that restarts upon failure. you can totally disable that service if you want
>lsalso.exe
you mean lsass? that's normal, it's a process that manages security stuff (password storage, etc.). it can (or at least could in older versions of Windows) be disabled/removed, but I don't think that's a good idea

everything looks normal; I would be far more bothered by running W10 with all its phone-home and ad-injection thing-ma-gigs than by all that
>>
>>298895
It's the new font decoder sandbox in W10.

It runs without a username because it's dropped all privileges so that when someone compromises the font engine with a cleverly-crafted font, all they can do is fuck up your font instead of rootkitting your system.

>>298905
Thank you for playing. If you don't know, maybe google it instead of just guessing?
>>
>>298895
LSAIso is the core of LSASS, also broken out into a sandbox, but for the opposite reason.

LSAIso guards all your passwords. In older Windowses you'd authenticate with LSASS when you logged on, and LSASS would check the passwords it stored to see if you were who you said you were.

In the new W10, LSASS still does this, but it's not trusted to store any passwords. The passwords live in LSAIso, and the only way anything can communicate with LSAIso is by asking it questions about passwords. This means you can have the entire OS compromised, and it still can't get the secrets out of LSAIso.

That's also why you can't scan it: you can't do anything to it other than ask it about passwords.
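For anyone who wants to verify the two claims above (the font driver host running with no visible user, and LsaIso.exe being unreachable because it is the Credential Guard isolated LSA) rather than guess from Task Manager, here is an added PowerShell check. It is not code from the thread; it assumes Windows 10 with PowerShell 5.1, run from an elevated prompt so that process tokens can be inspected, and it uses only documented cmdlets and WMI classes (Win32_Process, Get-AuthenticodeSignature, Win32_DeviceGuard). It lists processes whose owner cannot be read, verifies the on-disk signature of the binaries named in the thread, and reports whether Credential Guard is actually running.

```powershell
# Added example (not from the thread): inventory processes that Task Manager shows
# with no user, verify their on-disk signatures, and read Credential Guard status.
# Assumes Windows 10 / PowerShell 5.1; run elevated so every process's owner can be read.

function Get-OwnerlessProcess {
    # Win32_Process.GetOwner fails (ReturnValue <> 0) or returns no user for processes
    # whose token cannot be opened, e.g. protected or isolated processes such as LsaIso.exe.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($owner.ReturnValue -ne 0 -or -not $owner.User) {
            [pscustomobject]@{
                Name      = $_.Name
                PID       = $_.ProcessId
                ParentPID = $_.ParentProcessId
                Path      = $_.ExecutablePath   # may be empty for protected processes
            }
        }
    }
}

function Test-SystemBinarySignature {
    # Checks the Authenticode signature of binaries under %SystemRoot%\System32.
    # A stock Microsoft binary is expected to report Status 'Valid' with a Microsoft signer.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $path = Join-Path $env:SystemRoot "System32\$n"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Name = $n; Exists = $false; Status = 'missing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name   = $n
            Exists = $true
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports the configured and running VBS security services.
    # In SecurityServicesConfigured/Running, value 1 means Credential Guard (LSA isolation).
    # VirtualizationBasedSecurityStatus 2 means VBS is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }
}

# Usage: the binary names are the ones discussed in this thread.
Get-OwnerlessProcess | Format-Table -AutoSize
Test-SystemBinarySignature -Name 'fontdrvhost.exe', 'LsaIso.exe', 'lsass.exe' | Format-Table -AutoSize
Get-CredentialGuardState
```

If LsaIso.exe shows up in the first list, its signature reports Valid with a Microsoft signer, and CredentialGuardRunning is True, the picture the reply above describes is consistent: the process is isolated by design, which is also why a user-mode scanner cannot open it. A binary at that path with an invalid or missing signature, or the same name running from somewhere other than System32, is the case that would actually warrant concern.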
>>
>>298908
>If you don't know
uh? dont know what?
>>
>>298908
>>298913
Not OP, but thanks for this. I've always wondered why some programs show up without a username. Also generally mystified by all the cryptic, nebulous program names.
>>
>>298908
OP here. Thanks for the reply.

Something else I've noticed about fontdrvhost.exe: whenever I run a scan with MBAM, fontdrvhost.exe starts using 3-4% CPU. This drops to 0% immediately once the scan is complete. I haven't installed any custom fonts on this machine. Is this normal behaviour for the process?