Endpoint Virtualization Community Blog

LSASS and SWV 6.1

Created: 16 Apr 2009 • Updated: 29 Jul 2010
Jordan's picture

Recently I posted about a change in capture behavior for SWV, which is one of two big changes to what we capture. The other is that SWV no longer ignores LSASS by default (you can always add it to the program ignore list), for both capture and regular use. This is a big change: it will allow you to capture security policies in a layer, as well as allow certain apps, such as Microsoft SQL Server, to capture in a layer. For security policies in a layer to take effect you need to set the layer to start on system startup.

SVS always has ignored LSASS, and still does, because earlier builds would get into endless boot cycles when any security policy information got captured into a layer; SWV 6.1 no longer has this issue. While you can capture security policies in a layer, that doesn't mean you should: there can be consequences, so thoroughly test any layer with such content before deploying it. Also, capturing security policies in a layer is an unsupported feature, so you do so at your own risk.

To try out what you can do with security policies in a layer, try these steps on a test machine that has SWV 6.1.4063 or higher installed. I'm leaving these steps somewhat vague so you actually have to know what you're doing to test this; this is something that only those experienced with SWV should be attempting.

1. Create a new layer
2. EXEC a cmd prompt from the layer.
3. Run secpol.msc
4. Find the pid for mmc.exe, and exec it from the layer as well
5. In secpol find the policy for Interactive Logon: Do Not require CTRL+ALT+DELETE
6. Set the policy to disabled (this will force the machine to require CTRL+ALT+DELETE)
7. Set the layer to Start automatically
8. Reboot
9. Remove Start layer on system startup flag
10. Reboot
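
One way to see exactly which security settings a layer changes while testing the steps above is to export the local security policy at each stage and diff the exports. The script below is an added example, not part of the original post or of SWV; it assumes the exports were produced with `secedit /export /cfg <file>`, the function names are hypothetical, and the two sample exports are constructed for illustration.

```python
# Added example: diff two local security policy exports taken on a test machine,
# e.g. one with the layer deactivated and one after rebooting with it active.
# Assumption: exports come from `secedit /export /cfg <file>`.
# The sample exports below are constructed, not captured from an SWV machine.

BASELINE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

# Constructed "layer active" export: CTRL+ALT+DELETE is now required (DisableCAD=0)
# and one extra setting has appeared that the tester did not intend to capture.
WITH_LAYER = BASELINE.replace("DisableCAD=4,1", "DisableCAD=4,0") + (
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    r"\DontDisplayLastUserName=4,1" "\n")

def parse_inf(text):
    """Return {(section, key): value} for a secedit-style INF export."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            settings[(section, key.strip())] = value.strip()
    return settings

def diff_policy(before, after):
    """List (section, key, old, new); None marks a setting absent on one side."""
    a, b = parse_inf(before), parse_inf(after)
    return [(n[0], n[1], a.get(n), b.get(n))
            for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]

def load_export(path):
    # Assumption: secedit wrote the file as UTF-16 with a BOM (its usual output).
    with open(path, encoding="utf-16") as fh:
        return fh.read()

if __name__ == "__main__":
    for section, key, old, new in diff_policy(BASELINE, WITH_LAYER):
        print(f"[{section}] {key}: {old} -> {new}")
```

Any changed line other than the policy you meant to capture is a reason to rebuild the layer before deploying it.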