For those who are not aware, LSA protection is Local Security Authority protection. It is designed to prevent a few credential harvesting techniques that involve LSASS.exe (Local Security Authority Subsystem Service). This service handles authentication and enforces security policy on a device. Attackers can dump the memory of the LSASS process and potentially grab authentication tokens, password hashes and other fun things like that. It is a sensitive process and a well-known target for threat actors.
Microsoft has flip-flopped on LSA protection as part of Defender for a while, including removing the name of the feature while leaving it active in the background (by default). Instead of LSA protection, they now have a much more serious sounding Kernel-mode Hardware-enforced Stack Protection. The change was allegedly only supposed to be pushed to Insider Preview copies of Windows 11 but was rolled out to 22H2 as well. The buggy fix came when Microsoft rolled out KB5007651. This update was supposed to fix the prompts that many were getting about the reboot, but in the end it has created problems, so Microsoft is no longer pushing it out.
Things get worse, as we have heard that the new Kernel-mode Hardware-enforced Stack Protection service is conflicting with some anti-cheat software. The issue is significant enough that when the anti-cheat mechanism tries to do its job it can result in a BSOD (Blue Screen of Death) and/or a reboot. This sure makes gaming a pain in the ass. On the other side, I still cannot fathom why an anti-cheat piece of software needs to do anything with the memory space around the LSASS process in the first place. Having worked for an anti-malware company that had memory protection, when I first saw these calls and reads of memory from popular anti-cheat software, they made no sense. Even after talking to some developers, they still made no sense. The calls, reads, and dumps of and to the memory space around a secure process should not be happening, and to require them, to me, is just bad coding.
Microsoft’s current remedy for this “feature” is to completely disable the security protection. This leaves users in an awkward position: they can either decrease the security of their device, or stop playing the game. That is a very fun choice. For companies that allow BYOD, or that let their users treat corporate assets like their own, things are even worse. Of course, the reality is that there should be stricter controls over any device that has access to corporate data. If this means that gaming needs to be blocked, so be it. Still, in the end, modern anti-cheat software/processes also need to be much more security conscious. There should not be a need to mess with LSASS or the memory space it is using. Full Stop.
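Since the recommended remedy is to turn the protection off, the check a defender wants is whether it is still on. The following PowerShell audit is an added example, not from the original post or from Microsoft: it reads the RunAsPPL value under the Lsa key, the Enabled value under the KernelShadowStacks key (that path and value name are assumed from my recollection of Microsoft’s documentation and should be verified), and the Wininit boot event confirming LSASS actually started as a protected process.

```powershell
# Added example (not from the original post): report whether LSA protection and
# Kernel-mode Hardware-enforced Stack Protection are still enabled on this device.
# Run in an elevated PowerShell session; registry reads fall back to "not set".
function Get-LsaHardeningState {
    # RunAsPPL: 0/absent = off, 1 = on with UEFI lock, 2 = on without UEFI lock
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    # Kernel-mode Hardware-enforced Stack Protection toggle (path assumed, verify against current docs)
    $kssPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
    $kss = Get-ItemProperty -Path $kssPath -ErrorAction SilentlyContinue
    $kssEnabled = if ($null -ne $kss.Enabled) { [int]$kss.Enabled } else { 0 }

    # Wininit logs event 12 in the System log at boot when LSASS starts as a protected process.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RunAsPPL            = $runAsPpl
        LsaProtectionActive = ($null -ne $evt)
        LastLsassPplEvent   = if ($evt) { $evt.TimeCreated } else { $null }
        KernelShadowStacks  = $kssEnabled
    }
}

$state = Get-LsaHardeningState
$state | Format-List

# Flag hosts where the protection has been turned off, whatever the reason (gaming included).
if ($state.RunAsPPL -eq 0 -or -not $state.LsaProtectionActive) {
    Write-Warning "LSA protection is not active on $($state.ComputerName); review before this host handles corporate data."
}
if ($state.KernelShadowStacks -eq 0) {
    Write-Warning "Kernel-mode Hardware-enforced Stack Protection is off on $($state.ComputerName)."
}
```

Note that a registry value alone does not prove the protection is active; the Wininit event is the signal that LSASS really launched as a protected process on the last boot.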