
| Subject: | pwdump3e and windows 2003 |
|---|---|
| Date: | Wed, 21 Dec 2005 12:35:42 -0000 |
Dear list,

I have been having problems getting output using pwdump3e on a W2k3 DC. When running pwdump3e the server restarts with the following message:

Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -2147483645. The system will now shut down and restart.

It might be coincidental that the machine rebooted when I used pwdump3e, but I'd like to work out all possible solutions. Using pwdump3 I have been able to obtain hash files from W2k DCs without any issues in the past, but switched to 3e for the W2k3 DCs.

I did find the following doing a Google search:

"In pwdump2 and pwdump3/pwdump3e programs are some errors, that do not allow import hashes from localized versions of Windows NT/2000/XP/2003."

taken from here: http://www.lcpsoft.com/english/FAQ.htm. I have the files that page also mentions but have yet to try them out, as I was wondering if anyone else has come across problems using pwdump on W2k3 servers, or has any information as to why using it may cause the lsass error.

I'd like to try to understand why the error was caused. I understand that pwdump works by using DLL injection to run under the lsass process. I would assume in this case that the LSAExt.dll somehow caused the lsass process to get upset and restart the machine. If that is the case, then where would be a good place to find out about changes to the DLLs, or obtain ones that work with W2k3? If the answer is google for them, so be it!

On the homepage for pwdump6 and fgdump (http://www.foofus.net/fizzgig/fgdump/) it mentions crashes caused by lsass, but nothing more than that. I have yet to try fgdump or pwdump6 so again, any feedback would be much appreciated.

Thanks

Charles
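For administrators triaging this kind of unexpected restart, the following is an added example (not part of the original post) that scans exported log text for the shutdown message quoted above and decodes the signed status code into its NTSTATUS fields. The watch list, the small status-name table and the sample lines are assumptions constructed for illustration.

```python
import re

# Shutdown comment format as quoted in the post above.
PATTERN = re.compile(
    r"The system process '(?P<path>[^']+)' terminated unexpectedly "
    r"with status code (?P<status>-?\d+)"
)

# Small subset of well-known NTSTATUS values; extend from ntstatus.h as needed.
KNOWN_STATUS = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")
# Assumed watch list of processes whose termination deserves review.
WATCHLIST = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}

def decode_ntstatus(signed_code):
    """Split a signed 32-bit status into the NTSTATUS bit fields."""
    value = signed_code & 0xFFFFFFFF          # reinterpret as unsigned
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],    # bits 31-30
        "facility": (value >> 16) & 0xFFF,    # bits 27-16
        "code": value & 0xFFFF,               # bits 15-0
        "name": KNOWN_STATUS.get(value, "UNKNOWN"),
    }

def triage(lines):
    """Return one finding per line that matches the shutdown message."""
    findings = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        image = m.group("path").rsplit("\\", 1)[-1].lower()
        info = decode_ntstatus(int(m.group("status")))
        info["process"] = image
        info["watchlisted"] = image in WATCHLIST
        findings.append(info)
    return findings

SAMPLE = [  # constructed input; the first line reuses the message from the post
    r"Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -2147483645. The system will now shut down and restart.",
    r"Comment: The system process 'C:\WINDOWS\system32\services.exe' terminated unexpectedly with status code -1073741819.",
    "The Event log service was started.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```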