Security Basics mailing list archives
RE: pwdump3e and windows 2003
From: "Simpson, Brett" <Brett.Simpson () hsn net>
Date: Thu, 22 Dec 2005 08:06:26 -0500
-----Original Message-----
From: Hodgson, Charles [mailto:charles.hodgson () luton gov uk]

When running pwdump3e the server restarts with the following message:

Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -2147483645. The system will now shut down and restart.

It might be coincidental that the machine rebooted when I used pwdump3e, but I'd like to work out all possible solutions.
This is due to Hardware based DEP. Allocated memory not flagged as executable which DEP doesn't like. See this link. http://lists.virus.org/pen-test-0509/msg00232.html
Using pwdump3 I have been able to obtain hash files from W2k DCs without any issues in the past, but switched to 3e for the W2k3 DCs.
That's because Hardware based DEP wasn't present.
On the homepage for pwdump6 and fgdump (http://www.foofus.net/fizzgig/fgdump/) it mentions crashes caused by lsass, but nothing more than that. I have yet to try fgdump or pwdump6 so again, any feedback would be much appreciated.
Eventually I'm to test this version on the newer hardware to verify it works correctly but it should since the patches are present.

Thanks,
Brett Simpson
HSN Security Operations
CCSE Plus, RHCT
(727) 872-7212