Procdump Invoking LSASS

jsc.lt 46 Reputation points
2022-01-07T09:53:24.38+00:00

The timeline for an application crash shows procdump calling lsass a few times. I say that procdump is running in user space, and when the crash happens the user-mode process lsass is called to enumerate debug privileges and create system audit messages for the Event Log. There could even be other functions involved in creating a dump that need to use lsass. I've gone through Windows Internals, which generally supports the idea, but I'm looking for feedback, clarification, or a better explanation.


1 answer

  1. jsc.lt 46 Reputation points
    2022-01-07T21:52:55.113+00:00

    Crash Timeline: foobar.exe > WerFault.exe > procdump.exe > lsass.exe

    Normally, the kernel's memory dumps are done by WerFault.exe as the SYSTEM account, and procdump is run by the user.
    Memory exists in the kernel, and lsass provides access to it via the LSA. Procdump is calling lsass for its core functions. It's running a few checks, like (debug) privileges.

    The Windows Internals definition says lsass is used to send system audits to the event log, and I have these events in the System Log.
    Debug privileges are higher than admin, and lsass enumerates permissions. Procdump is run by the user, so lsass has to run to access the kernel.

    Windows Internals by Russinovich:
    Local Security Authority subsystem (LSASS) A user-mode process running the image
    %SystemRoot%\System32\Lsass.exe that is responsible for the local system security policy
    (such as which users are allowed to log on to the machine, password policies, privileges
    granted to users and groups, and the system security auditing settings), user authentication,
    and sending security audit messages to the Event Log.
    The Local Security Authority service (Lsasrv—%SystemRoot%\System32\Lsasrv.dll), a library that LSASS loads, implements most of
    this functionality.
