There are a number of ways that you can detect pwdump when it is run either locally or remotely, especially if you have some way to correlate multiple event log events.
If you audit object access, privilege use, and process tracking in the event logs you will see access to lsass.exe and pwdump.exe (or pwservice.exe remotely). You will also see use of SeDebugPrivilege. A number of these events in a row will alert you to someone using pwdump with very high certainty. I also noticed that Windows Defender creates an event in the System event log when pwdump runs. Mark Burnett -----Original Message----- From: Simon Taplin [mailto:[EMAIL PROTECTED] Sent: Thursday, April 13, 2006 9:03 AM To: Focus-Ms Subject: Detecting PwDump Is there anyway to detect if someone is using pwdump3/6 using the network feature to dump passwords from a Windows 2000/2003 Server? Simon --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
