The lsarpc interface is used to communicate with the LSA (Local Security Authority) subsystem.
Before Windows 2000, the lsarpc interface is only available on the lsarpc named pipe endpoint:
```
C:\> ifids -p ncacn_np -e \pipe\lsarpc \\.
Interfaces: 4
  12345778-1234-abcd-ef00-0123456789ab v0.0
  [...]
```
In Active Directory domains (and particularly, Active Directory domain controllers) and Windows Server 2003 systems, the lsarpc interface is also available (and used) over a TCP endpoint:
```
C:\> ifids -p ncacn_ip_tcp -e 1025 127.0.0.1
Interfaces: 12
  12345778-1234-abcd-ef00-0123456789ab v0.0
  [...]
```
Starting with Windows Server 2003 SP1, some operations of the lsarpc interface can only be used over a specific protocol sequence.
IDL (Interface Definition Language) for the lsarpc interface is available in Samba 4 [53].
Table 4.15. lsarpc operations
| Interface | Operation number | Operation name | Windows API |
|---|---|---|---|
| 12345778-1234-abcd-ef00-0123456789ab v0.0: lsarpc | | | |
| | 0x00 | LsarClose | LsaClose |
| | 0x01 | LsarDelete | |
| | 0x02 | LsarEnumeratePrivileges | |
| | 0x03 | LsarQuerySecurityObject | |
| | 0x04 | LsarSetSecurityObject | |
| | 0x05 | LsarChangePassword | |
| | 0x06 | LsarOpenPolicy | LsaOpenPolicy |
| | 0x07 | LsarQueryInformationPolicy | LsaQueryInformationPolicy |
| | 0x08 | LsarSetInformationPolicy | LsaSetInformationPolicy |
| | 0x09 | LsarClearAuditLog | |
| | 0x0a | LsarCreateAccount | |
| | 0x0b | LsarEnumerateAccounts | |
| | 0x0c | LsarCreateTrustedDomain | |
| | 0x0d | LsarEnumerateTrustedDomains | |
| | 0x0e | LsarLookupNames | LsaLookupNames |
| | 0x0f | LsarLookupSids | LsaLookupSids |
| | 0x10 | LsarCreateSecret | |
| | 0x11 | LsarOpenAccount | |
| | 0x12 | LsarEnumeratePrivilegesAccount | LsaEnumerateAccountRights |
| | 0x13 | LsarAddPrivilegesToAccount | LsaAddAccountRights |
| | 0x14 | LsarRemovePrivilegesFromAccount | LsaRemoveAccountRights |
| | 0x15 | LsarGetQuotasForAccount | |
| | 0x16 | LsarSetQuotasForAccount | |
| | 0x17 | LsarGetSystemAccessAccount | |
| | 0x18 | LsarSetSystemAccessAccount | |
| | 0x19 | LsarOpenTrustedDomain | |
| | 0x1a | LsarQueryInfoTrustedDomain | |
| | 0x1b | LsarSetInformationTrustedDomain | |
| | 0x1c | LsarOpenSecret | |
| | 0x1d | LsarSetSecret | |
| | 0x1e | LsarQuerySecret | |
| | 0x1f | LsarLookupPrivilegeValue | |
| | 0x20 | LsarLookupPrivilegeName | |
| | 0x21 | LsarLookupPrivilegeDisplayName | |
| | 0x22 | LsarDeleteObject | |
| | 0x23 | LsarEnumerateAccountsWithUserRight | |
| | 0x24 | LsarEnumerateAccountRights | |
| | 0x25 | LsarAddAccountRights | |
| | 0x26 | LsarRemoveAccountRights | |
| | 0x27 | LsarQueryTrustedDomainInfo | LsaQueryTrustedDomainInfo |
| | 0x28 | LsarSetTrustedDomainInfo | LsaSetTrustedDomainInformation |
| > Windows 2000 | 0x29 | LsarDeleteTrustedDomain | LsaDeleteTrustedDomain |
| - | 0x2a | LsarStorePrivateData | LsaStorePrivateData |
| - | 0x2b | LsarRetrievePrivateData | LsaRetrievePrivateData |
| - | 0x2c | LsarOpenPolicy2 | LsaOpenPolicy |
| - | 0x2d | LsarGetUserName | |
| - | 0x2e | LsarQueryInformationPolicy2 | |
| - | 0x2f | LsarSetInformationPolicy2 | |
| - | 0x30 | LsarQueryTrustedDomainInfoByName | |
| - | 0x31 | LsarSetTrustedDomainInfoByName | |
| - | 0x32 | LsarEnumerateTrustedDomainsEx | |
| - | 0x33 | LsarCreateTrustedDomainEx | |
| - | 0x34 | LsarCloseTrustedDomainEx | |
| - | 0x35 | LsarQueryDomainInformationPolicy | LsaQueryDomainInformationPolicy |
| - | 0x36 | LsarSetDomainInformationPolicy | LsaSetDomainInformationPolicy |
| - | 0x37 | LsarOpenTrustedDomainByName | |
| - | 0x38 | LsarTestCall | |
| - | 0x39 | LsarLookupSids2 | LsaLookupSids |
| - | 0x3a | LsarLookupNames2 | LsaLookupNames2 |
| - | 0x3b | LsarCreateTrustedDomainEx2 | |
| > Windows 2000 Service Pack 3 (SP3) | 0x3c | CredrWrite | CredWrite |
| - | 0x3d | CredrRead | CredRead |
| - | 0x3e | CredrEnumerate | CredEnumerate |
| - | 0x3f | CredrWriteDomainCredentials | CredWriteDomainCredentials |
| - | 0x40 | CredrReadDomainCredentials | CredReadDomainCredentials |
| - | 0x41 | CredrDelete | CredDelete |
| - | 0x42 | CredrGetTargetInfo | CredGetTargetInfo |
| - | 0x43 | CredrProfileLoaded | |
| - | 0x44 | LsarLookupNames3 | |
| - | 0x45 | CredrGetSessionTypes | CredGetSessionTypes |
| - | 0x46 | LsarRegisterAuditEvent | |
| - | 0x47 | LsarGenAuditEvent | |
| - | 0x48 | LsarUnregisterAuditEvent | |
| - | 0x49 | LsarQueryForestTrustInformation | |
| - | 0x4a | LsarSetForestTrustInformation | |
| - | 0x4b | CredrRename | CredRename |
| - | 0x4c | LsarLookupSids3 | |
| - | 0x4d | LsarLookupNames4 | |
| - | 0x4e | LsarOpenPolicySce | |
| > Windows Server 2003 | 0x4f | LsarAdtRegisterSecurityEventSource | |
| - | 0x50 | LsarAdtUnregisterSecurityEventSource | |
| - | 0x51 | LsarAdtReportSecurityEvent | |
| > Windows Vista | 0x52 | CredrFindBestCredential | |
| - | 0x53 | LsarSetAuditPolicy | |
| - | 0x54 | LsarQueryAuditPolicy | |
| - | 0x55 | LsarEnumerateAuditPolicy | |
| - | 0x56 | LsarEnumerateAuditCategories | |
| - | 0x57 | LsarEnumerateAuditSubCategories | |
| - | 0x58 | LsarLookupAuditCategoryName | |
| - | 0x59 | LsarLookupAuditSubCategoryName | |
| - | 0x5a | LsarSetAuditSecurity | |
| - | 0x5b | LsarQueryAuditSecurity | |
| - | 0x5c | CredReadByTokenHandle | |
| - | 0x5d | CredrRestoreCredentials | |
| - | 0x5e | CredrBackupCredentials | |
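
For monitoring, the interface UUID and operation numbers of Table 4.15 are what identify lsarpc calls on the wire, whether they arrive over the named pipe or the TCP endpoint. The following is an added example, not part of the original page: it reads a DCE/RPC bind PDU to learn which presentation context carries lsarpc, then names the operation in a request PDU. The operation map is a subset of the table, and the sample PDUs are constructed rather than captured.

```python
import struct
import uuid

LSARPC_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")
# Subset of Table 4.15 (opnum -> operation name); extend as needed.
LSARPC_OPS = {0x00: "LsarClose", 0x06: "LsarOpenPolicy", 0x0e: "LsarLookupNames",
              0x0f: "LsarLookupSids", 0x1e: "LsarQuerySecret",
              0x2b: "LsarRetrievePrivateData", 0x2c: "LsarOpenPolicy2"}
PTYPE_REQUEST, PTYPE_BIND = 0, 11

def parse_header(pdu):
    """Return (ptype, struct byte-order prefix) from the 16-byte common header."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 connection-oriented PDU")
    # packed_drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
    return pdu[2], "<" if (pdu[4] & 0xF0) == 0x10 else ">"

def bind_contexts(pdu):
    """Map presentation context id -> abstract syntax (interface) UUID."""
    _, bo = parse_header(pdu)
    contexts, off = {}, 28          # 16 header + 8 bind fields + 4 list header
    for _ in range(pdu[24]):        # n_context_elem
        ctx_id, n_syn = struct.unpack_from(bo + "HBx", pdu, off)
        raw = pdu[off + 4:off + 20]
        contexts[ctx_id] = uuid.UUID(bytes_le=raw) if bo == "<" else uuid.UUID(bytes=raw)
        off += 4 + 20 + 20 * n_syn  # skip if_uuid, if_version and transfer syntaxes
    return contexts

def lsarpc_operation(contexts, pdu):
    """Name the lsarpc operation in a request PDU, or None if it is not lsarpc."""
    ptype, bo = parse_header(pdu)
    if ptype != PTYPE_REQUEST or len(pdu) < 24:
        return None
    ctx_id, opnum = struct.unpack_from(bo + "HH", pdu, 20)  # after alloc_hint
    if contexts.get(ctx_id) != LSARPC_UUID:
        return None
    return LSARPC_OPS.get(opnum, "opnum 0x%02x" % opnum)

# Constructed sample PDUs (little-endian), not captured traffic.
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
_ctx = (struct.pack("<HBx", 0, 1) + LSARPC_UUID.bytes_le + struct.pack("<I", 0)
        + NDR.bytes_le + struct.pack("<I", 2))
BIND = (struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\0\0\0", 28 + len(_ctx), 0, 1)
        + struct.pack("<HHIBxxx", 4280, 4280, 0, 1) + _ctx)
REQUEST = (struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, 3, b"\x10\0\0\0", 24, 0, 1)
           + struct.pack("<IHH", 0, 0, 0x2c))

if __name__ == "__main__":
    print(lsarpc_operation(bind_contexts(BIND), REQUEST))
```

The UUID is compared after decoding because the first three fields of a UUID are byte-swapped on a little-endian connection, so a raw byte match against the textual form would miss it.
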
To obtain a handle to the LSA RPC server, one of the following operations must be used:
Opened handles are supposed to be closed with the following operation:
To resolve SIDs to names and vice versa, the following operations are supported:
To obtain system names (Se*) of security privileges supported by the LSA, the following operation can be used:
To convert between privilege system names, numeric values and descriptions, the following operations can be used:
To query or set parameters of the LSA policy, the following operations are supported:
To open an account, given its SID, the following operation is used:
The following operations can be used with an opened handle returned by the LsarOpenAccount operation:
To manage trusted domains, the following operations are available:
To manipulate LSA secrets, the following operations are available:
To get and set ACLs on LSA objects, the following operations are available: