<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I have also had this happen to me, but have
not had any luck in narrowing down the exact culprit. As you stated, it does
not appear to just be tied to MS patches. I have a series of virtual machines
running at various patch levels, and none of them will crash. Running it on my
fully patched laptop, however, will crash every time. If you happen to
find the answer off this list, please post it. I’d love to know more
about it. Thanks.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>John</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b>
full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] <b><span style='font-weight:
bold'>On Behalf Of </span></b>oh face<br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, September 02, 2005 11:42 AM<br>
<b><span style='font-weight:bold'>To:</span></b>
full-disclosure@lists.grok.org.uk<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Full-disclosure]
LSADump2 Crashing Windows</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>In my recent experience, LSADump2 has been crashing
Windows boxes. I was able to verify this on fully patched Windows XP and 2003.
On further examination, LSADump2, when executed, killed the "lsass"
process, and with the "winlogon" process still running, the system
was forced to reboot. As far as I know, LSADump2 is utilizing a DLL injection
technique to dump the contents of LSA secrets.<br>
<br>
Questions:<br>
1. Has anyone had this experience? If so, is there a safe method to execute this
tool?<br>
2. When I tested LSADump2 on various Windows boxes, not all fully patched boxes
were affected by this issue. What configuration of Windows is exactly causing
"lsass" to fail? </span></font></p>
</div>
</body>
</html>