<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] ([LSASS]) stores [credentials] in memory on behalf of users with active [Microsoft Windows] [sessions]. 

[{$pagename}] allows [Single Sign-On] and [Access Control] to [network] [resources], such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their [credentials] for each remote service.

[{$pagename}] can store credentials in multiple forms, including:
* Reversibly encrypted plaintext
* [Kerberos] tickets ([TGTs], service tickets)
* [NT hash|NTLM]
* [LM hash]

If the user logs on to Windows by using a smart card, [LSASS] will not store a plaintext [password], but it will store the corresponding [NTLM] [hash] value for the account and the plaintext [PIN] for the [Smart Card]. 

If the [User-Account-Control Attribute Value] attribute is enabled for a [SMARTCARD_REQUIRED] for interactive logon, a random [NTLM] [hash] value is automatically generated [{$pagename}] for the account instead of the original password [hash]. The password hash that is automatically generated when the attribute is set does not change.

If a user logs on to Windows with a password that is compatible with [LM hash], this authenticator will be present in memory.

Beginning with [Windows Server 2008 R2] and [Windows 7], the storage of plaintext credentials in memory cannot be disabled, even if the credential providers that require them are disabled.

The stored credentials are directly associated with the [LSASS] logon sessions that have been started since the last restart and have not been closed. 

For example, [LSA] sessions with stored [LSA] [credentials] are created when a user does any of the following:
* Logs on to a local session or [RDP] session on the computer
* Runs a task by using the RunAs option
* Runs an active Windows service on the computer
* Runs a scheduled task or batch job
* Runs a task on the local computer by using a remote administration tool

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
</pre>