RE: Sniffer information to track LSASS activity.
From: Bill-MT (BillMT_at_discussions.microsoft.com)
Date: Sun, 10 Apr 2005 19:37:02 -0700
First, thanks to all of you for responding.
Per your recommendations I have done the following.
- Enabled specific auditing of failures for certain events on the DC in
- Downloaded and tried both Process Explorer and TcpView.
- Examined/modified my capture filter by selecting on specific MS TCP/UDP
Yesterday (Saturday) I rebooted the DC in question. So far (Sunday night),
more than 24 hours later, the unusual CPU activity associated with this event
has not re-occurred (which tells me that this event is not caused by any
systems normally running on the weekend, i.e. the 24x7 systems), so I have not
been able to use any of your advice yet.
Although at this point I have nothing to report per your recommendations
above, I do have one additional question at this time. Per the response I
got to my original posting on this issue, do any of you believe it is good
practice to install Anti Virus software on a Domain Controller? And if yes,
are there any caveats to doing so?
Thanks again for your suggestions. - bill