darien gap

Win32 Security Programming

Thursday, April 20, 2006

Finding the PID of LSASS

Finding the PID of the LSASS process is a necessary prerequisite for a variety of interesting tasks – consider pwdump from Todd Sabin. In Sabin’s pwdump posting, he writes:

This newer version of pwdump2 is able to find the pid of lsass.exe automatically. Several people sen[t] me source code to do this, but they all required an extra DLL, which is why I never incorporated them. Recently, Gary Nebbett published Windows NT/2000 Native API Reference, an invaluable reference, documenting virtually every undocumented NT kernel call. Among other things, it demonstrates a method of determining pids without linking to more DLLs.

The source code for pwdump, and countless other source code listings, demonstrates how to use the native API to enumerate all processes on a box and walk through the list looking for the PID of a process backed by a specific image. There are documented means to do this, notably the ToolHelp and process helper APIs, but, as noted above, they require statically or dynamically linking to an additional library.

An alternate, although undocumented (and therefore subject to change without notice) method of determining the PID of LSASS is by reading the LsaPid DWORD value from the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

One means of reading this value is to use the Win32 registry APIs; this, however, has the drawback of requiring advapi32.dll, which is precisely the dependency Sabin was trying to avoid in pwdump. The native API registry functions can, of course, be imported from ntdll instead.

One potential use of this value is in batch scripting; reg.exe can be used to query the value without so much busywork parsing the output from tasklist or equivalent.
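As an added example (not code from the original post), here is a batch script that reads LsaPid with reg.exe, converts the hex DWORD that reg.exe prints, and cross-checks it against the PID tasklist reports for lsass.exe, so a missing, stale or inconsistent registry value is noticed rather than trusted blindly. It assumes reg.exe's three-column value output and tasklist's CSV output format.

```batch
@echo off
setlocal

rem Read the undocumented LsaPid value; reg.exe prints a REG_DWORD as 0x-prefixed hex.
rem The value line is the only one containing "LsaPid", so findstr drops the key-name line.
set "LSAPID="
for /f "tokens=3" %%v in ('reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaPid 2^>nul ^| findstr /i "LsaPid"') do set "LSAPID=%%v"

if not defined LSAPID (
    echo LsaPid value not present; it is undocumented and may be absent on this build.
    exit /b 1
)

rem set /a understands the 0x prefix, so this turns the hex string into decimal.
set /a LSAPID_DEC=%LSAPID%

rem Cross-check against the process list: with /fo csv /nh the second field is the PID,
rem quoted, and %%~p strips the quotes.
set "TASKLIST_PID="
for /f "tokens=2 delims=," %%p in ('tasklist /fi "imagename eq lsass.exe" /fo csv /nh') do set "TASKLIST_PID=%%~p"

echo LsaPid from registry  : %LSAPID% (%LSAPID_DEC%)
echo lsass.exe from tasklist: %TASKLIST_PID%

if "%LSAPID_DEC%"=="%TASKLIST_PID%" (
    echo Values agree.
    exit /b 0
) else (
    echo Mismatch: the registry value does not match the running lsass.exe process.
    exit /b 2
)
```

Because the value is undocumented, a script should treat the registry read as a hint and the tasklist comparison as the check, which is what the non-zero exit codes above are for.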

I have made no effort to use tools such as RegMon from Mark Russinovich at Sysinternals to determine which process, if any, uses this value. If anyone knows, I’d love to hear from you.
