see also:How Interactive Logon Works
LSA工作过程概述
1.winlogon从用户处手机登录身份凭据
2.lsass获取这些身份凭据,并在kerberos或者NTLM的帮助下使用这些凭据来验证用户身份
3.LSASS构建一个访问令牌,它定义用户的访问权限和系统权限
4.安全性参考监视器(security reference Monitor,SRM)将这个令牌与对象的安全描述符中的访问控制列表(ACL)进行比较,判断是否允许用户访问。
这是“授权”阶段。
5.最后。LSASS和SRM配合,监视对安全对象的访问,并生成报告来记录部分或者全部访问事件。这是"审核"阶段。
see also:LSASecretsView v1.20
LSASecretsView is a small utility that displays the list of all LSA secrets stored in the Registry on your computer.
The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain your RAS/VPN passwords, Autologon password, and other system passwords/keys.
Local Security Authority (LSA) is a subsystem in Windows 2000 and later that enforces security policies on the domain controller it's running on.
LSA provides security tokens to processes and threads, and it stores the user passwords it deals with in the LSA Secrets area of the Registry. That area is nominally referred to by the keyname HKEY_LOCAL_MACHINE\Security\Policy\Secrets, but it's not conventionally visible through a tool like Regedit.
There have been a few other tools (some provided by Microsoft) for probing the LSA Secrets area, but the best of the bunch are two tools from Nir Sofer. Readers of my tips know him as the creator of a seemingly endless series of terrific utilities. New to his kit are LSASecretsView and LSASecretsDump, two tools for examining and exporting the contents of the LSA Secrets area. (This can be useful for recovering passwords for system accounts.)
Like the majority of Sofer's tools, both programs are self-contained and can run from any directory without installation. Launch LSASecretsView, and you'll be given a list of all the entries in the LSA Secrets area, their length in bytes and their contents (in both a hex and ASCII dump). Among the entries you might see are DefaultPassword (typically the password for the admin account), and passwords for subsystems such as the ASP.NET framework. The results can be exported to an HTML report.
Note: Passwords stored in the LSA Secrets area are stored as UTF-16 strings. If you type in a conventional password and it's stored in the LSA Secrets area, its ASCII dump will look like p.a.s.s.w.o.r.d. (not password). The dots indicate the upper byte for each pair of bytes in a UTF-16 string. This is normal. The companion application, LSASecretsDump, is a console executable, not a GUI program, which dumps out the contents of the LSA Secrets area to the command line. If you want to dump the contents to a file, simply use a redirect, i.e., LSASecretsDump.exe>output.txt.