Debugging LSASS

For some reason I had to debug LSASS (Local Security Authority Process) recently. Because LSASS is so involved in the functioning of the system with respect to authorization checks, it is cumbersome to debug: the system deadlocks immediately. Try, for example, attaching to lsass.exe from WinDbg and clicking the Start button while the debugger is paused. Yep. Nothing.

Consulting with one of our security developer support gurus led to a quick workaround: do it remotely.

1) On the server (the debuggee, where LSASS needs to be debugged), start the process server with the following command (no need to restart anything):

dbgsrv -t tcp:port=1025

2) On the debugger machine, start WinDbg as a client with this command:

Windbg -premote tcp:server=<servername>,port=1025 -p <lsass pid>

Thanks Prab.

Maarten