4.9.1. lsarpc interface

The lsarpc interface is used to communicate with the LSA (Local Security Authority) subsystem.

Before Windows 2000, the lsarpc interface was only available on the lsarpc named pipe endpoint:


C:\> ifids -p ncacn_np -e \pipe\lsarpc \\.

Interfaces: 4
  12345778-1234-abcd-ef00-0123456789ab v0.0

[...]

In Active Directory domains (and particularly, Active Directory domain controllers) and Windows Server 2003 systems, the lsarpc interface is also available (and used) over a TCP endpoint:

C:\> ifids -p ncacn_ip_tcp -e 1025 127.0.0.1

Interfaces: 12
  12345778-1234-abcd-ef00-0123456789ab v0.0

[...]

Starting with Windows Server 2003 SP1, some operations of the lsarpc interface can only be used over a specific protocol sequence.

IDL (Interface Definition Language) for the lsarpc interface is available in Samba 4 [53].

Table 4.15. lsarpc operations

Interface                            Operation number  Operation name                        Windows API
12345778-1234-abcd-ef00-0123456789ab v0.0: lsarpc
                                     0x00              LsarClose                             LsaClose
                                     0x01              LsarDelete
                                     0x02              LsarEnumeratePrivileges
                                     0x03              LsarQuerySecurityObject
                                     0x04              LsarSetSecurityObject
                                     0x05              LsarChangePassword
                                     0x06              LsarOpenPolicy                        LsaOpenPolicy
                                     0x07              LsarQueryInformationPolicy            LsaQueryInformationPolicy
                                     0x08              LsarSetInformationPolicy              LsaSetInformationPolicy
                                     0x09              LsarClearAuditLog
                                     0x0a              LsarCreateAccount
                                     0x0b              LsarEnumerateAccounts
                                     0x0c              LsarCreateTrustedDomain
                                     0x0d              LsarEnumerateTrustedDomains
                                     0x0e              LsarLookupNames                       LsaLookupNames
                                     0x0f              LsarLookupSids                        LsaLookupSids
                                     0x10              LsarCreateSecret
                                     0x11              LsarOpenAccount
                                     0x12              LsarEnumeratePrivilegesAccount        LsaEnumerateAccountRights
                                     0x13              LsarAddPrivilegesToAccount            LsaAddAccountRights
                                     0x14              LsarRemovePrivilegesFromAccount       LsaRemoveAccountRights
                                     0x15              LsarGetQuotasForAccount
                                     0x16              LsarSetQuotasForAccount
                                     0x17              LsarGetSystemAccessAccount
                                     0x18              LsarSetSystemAccessAccount
                                     0x19              LsarOpenTrustedDomain
                                     0x1a              LsarQueryInfoTrustedDomain
                                     0x1b              LsarSetInformationTrustedDomain
                                     0x1c              LsarOpenSecret
                                     0x1d              LsarSetSecret
                                     0x1e              LsarQuerySecret
                                     0x1f              LsarLookupPrivilegeValue
                                     0x20              LsarLookupPrivilegeName
                                     0x21              LsarLookupPrivilegeDisplayName
                                     0x22              LsarDeleteObject
                                     0x23              LsarEnumerateAccountsWithUserRight
                                     0x24              LsarEnumerateAccountRights
                                     0x25              LsarAddAccountRights
                                     0x26              LsarRemoveAccountRights
                                     0x27              LsarQueryTrustedDomainInfo            LsaQueryTrustedDomainInfo
                                     0x28              LsarSetTrustedDomainInfo              LsaSetTrustedDomainInformation
> Windows 2000                       0x29              LsarDeleteTrustedDomain               LsaDeleteTrustedDomain
-                                    0x2a              LsarStorePrivateData                  LsaStorePrivateData
-                                    0x2b              LsarRetrievePrivateData               LsaRetrievePrivateData
-                                    0x2c              LsarOpenPolicy2                       LsaOpenPolicy
-                                    0x2d              LsarGetUserName
-                                    0x2e              LsarQueryInformationPolicy2
-                                    0x2f              LsarSetInformationPolicy2
-                                    0x30              LsarQueryTrustedDomainInfoByName
-                                    0x31              LsarSetTrustedDomainInfoByName
-                                    0x32              LsarEnumerateTrustedDomainsEx
-                                    0x33              LsarCreateTrustedDomainEx
-                                    0x34              LsarCloseTrustedDomainEx
-                                    0x35              LsarQueryDomainInformationPolicy      LsaQueryDomainInformationPolicy
-                                    0x36              LsarSetDomainInformationPolicy        LsaSetDomainInformationPolicy
-                                    0x37              LsarOpenTrustedDomainByName
-                                    0x38              LsarTestCall
-                                    0x39              LsarLookupSids2                       LsaLookupSids
-                                    0x3a              LsarLookupNames2                      LsaLookupNames2
-                                    0x3b              LsarCreateTrustedDomainEx2
> Windows 2000 Service Pack 3 (SP3)  0x3c              CredrWrite                            CredWrite
-                                    0x3d              CredrRead                             CredRead
-                                    0x3e              CredrEnumerate                        CredEnumerate
-                                    0x3f              CredrWriteDomainCredentials           CredWriteDomainCredentials
-                                    0x40              CredrReadDomainCredentials            CredReadDomainCredentials
-                                    0x41              CredrDelete                           CredDelete
-                                    0x42              CredrGetTargetInfo                    CredGetTargetInfo
-                                    0x43              CredrProfileLoaded
-                                    0x44              LsarLookupNames3
-                                    0x45              CredrGetSessionTypes                  CredGetSessionTypes
-                                    0x46              LsarRegisterAuditEvent
-                                    0x47              LsarGenAuditEvent
-                                    0x48              LsarUnregisterAuditEvent
-                                    0x49              LsarQueryForestTrustInformation
-                                    0x4a              LsarSetForestTrustInformation
-                                    0x4b              CredrRename                           CredRename
-                                    0x4c              LsarLookupSids3
-                                    0x4d              LsarLookupNames4
-                                    0x4e              LsarOpenPolicySce
> Windows Server 2003                0x4f              LsarAdtRegisterSecurityEventSource
-                                    0x50              LsarAdtUnregisterSecurityEventSource
-                                    0x51              LsarAdtReportSecurityEvent
> Windows Vista                      0x52              CredrFindBestCredential
-                                    0x53              LsarSetAuditPolicy
-                                    0x54              LsarQueryAuditPolicy
-                                    0x55              LsarEnumerateAuditPolicy
-                                    0x56              LsarEnumerateAuditCategories
-                                    0x57              LsarEnumerateAuditSubCategories
-                                    0x58              LsarLookupAuditCategoryName
-                                    0x59              LsarLookupAuditSubCategoryName
-                                    0x5a              LsarSetAuditSecurity
-                                    0x5b              LsarQueryAuditSecurity
-                                    0x5c              CredReadByTokenHandle
-                                    0x5d              CredrRestoreCredentials
-                                    0x5e              CredrBackupCredentials
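
Added example (not part of the original text): a Python sketch for monitoring that names the lsarpc operation carried in DCE/RPC traffic, by matching the interface UUID in a bind PDU and the operation number in a request PDU against Table 4.15. The PDU layout follows the connection-oriented DCE/RPC specification; the function names and sample PDUs are constructed for illustration, and only a subset of the table is included.

```python
import struct
import uuid

LSARPC_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")  # from the page
# Subset of Table 4.15 (operation number -> operation name).
LSARPC_OPS = {0x00: "LsarClose", 0x06: "LsarOpenPolicy", 0x0e: "LsarLookupNames",
              0x0f: "LsarLookupSids", 0x1c: "LsarOpenSecret", 0x1e: "LsarQuerySecret",
              0x2b: "LsarRetrievePrivateData", 0x2c: "LsarOpenPolicy2"}

def _endian(pdu):
    """Byte order of integer fields, from the data representation label."""
    if len(pdu) < 24 or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC v5 PDU")
    return "<" if pdu[4] & 0xF0 == 0x10 else ">"

def bind_contexts(pdu):
    """Map presentation context id -> (interface UUID, major version) for a bind PDU."""
    e = _endian(pdu)
    if pdu[2] != 11:  # ptype 11 = bind
        raise ValueError("not a bind PDU")
    off, ctx = 28, {}
    for _ in range(pdu[24]):  # n_context_elem
        cid, n_syntaxes = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
        (version,) = struct.unpack_from(e + "I", pdu, off + 20)
        ctx[cid] = (iface, version & 0xFFFF)
        off += 24 + 20 * n_syntaxes  # skip the transfer syntax list
    return ctx

def lsarpc_operation(pdu, ctx):
    """Name the lsarpc operation of a request PDU; None for other PDUs or interfaces."""
    e = _endian(pdu)
    cid, opnum = struct.unpack_from(e + "HH", pdu, 20)
    if pdu[2] != 0 or ctx.get(cid, (None,))[0] != LSARPC_UUID:  # ptype 0 = request
        return None
    return LSARPC_OPS.get(opnum, "unknown (0x%02x)" % opnum)

def sample_pdus():
    """Constructed little-endian bind and request PDUs (not a real capture)."""
    drep = b"\x10\x00\x00\x00"
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le + struct.pack("<I", 2)
    elem = struct.pack("<HBB", 0, 1, 0) + LSARPC_UUID.bytes_le + struct.pack("<I", 0) + ndr
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + elem
    bind = struct.pack("<BBBB4sHHI", 5, 0, 11, 3, drep, 16 + len(body), 0, 1) + body
    request = struct.pack("<BBBB4sHHIIHH", 5, 0, 0, 3, drep, 24, 0, 2, 0, 0, 0x1e)
    return bind, request
```

The presentation context id in each request is resolved through the preceding bind on the same connection, which is why the same parser applies to both the named pipe and TCP endpoints shown above.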

To obtain a handle to the LSA RPC server, one of the following operations must be used:

Opened handles are supposed to be closed with the following operation:

To resolve SIDs to names and vice versa, the following operations are supported:

To obtain system names (Se*) of security privileges supported by the LSA, the following operation can be used:

To convert between privilege system names, numeric values and descriptions, the following operations can be used:

To query or set parameters of the LSA policy, the following operations are supported:

To open an account, given its SID, the following operation is used:

The following operations can be used with an opened handle returned by the LsarOpenAccount operation:

To manage trusted domains, the following operations are available:

To manipulate LSA secrets, the following operations are available:

To get and set ACLs on LSA objects, the following operations are available: