
Simbiat

If you are using Windows (most likely 11, but 10 can be affected, too) and have a habit of looking into your Event Viewer for whatever reason, you may have seen warnings like this:

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

PackageName: negoexts

And in XML view it will look something like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199fe037-2b82-40a9-82ac-e1d46c792b99}" />
    <EventID>6155</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-25T06:00:15.1740341Z" />
    <EventRecordID>48454</EventRecordID>
    <Correlation />
    <Execution ProcessID="1200" ThreadID="1204" />
    <Channel>System</Channel>
    <Computer>Simbiat-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PackageName">negoexts</Data>
  </EventData>
</Event>

And it is possible that you see a bunch of such messages (more precisely 10) pop up on an initial cold boot (that is, from a complete shutdown, not from sleep/hibernation). The affected packages are: negoexts, kerberos, msv1_0 (mentioned twice), tspkg, pku2u, cloudap, wdigest, schannel, sfapm.

If you do, you may get worried that there is something wrong with your system; you may start searching and come upon threads like this, which do not really solve the issue. I dug a little deeper, and I can say that it is very likely that you do not need to worry about them, unless you are experiencing other issues besides just these entries in Event Viewer.

I stumbled upon these warnings when I had another, unrelated issue with LSA, and nothing I did helped, so I tried searching for these packages to learn what they do. In my search I learnt that they are related to some specific protocols, and searching for those led me to this "known issue" in Microsoft's knowledge base here. In short, these protocols are used in SSO authentication processes, are considered vulnerable (because they can carry the password in plain text) and thus are being phased out by Microsoft. Part of the process of phasing them out is blocking them through Credential Guard, a feature in Windows that is supposed to protect your credentials.

This means that if you see these warnings, they may well be false positives, because they wrongly indicate that the whole package is blocked rather than a single protocol, one that you probably are not using (if you are a consumer) or should not be using (if you are in a corporate environment). I have submitted a suggestion to address the wording in Feedback Hub, and you can upvote it here.

This does not mean that these warnings will always be false positives. If you are experiencing any other issues in parallel, most likely related to authentication over the network, there is a chance that the packages have been compromised somehow. Based on my understanding, it would most likely be a rootkit or some vulnerability in UEFI/BIOS, and we did recently learn of the first UEFI bootkit (BlackLotus). But, again, if you are a regular consumer, you are most likely fine and can ignore these warnings.
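As an added example (not part of the original post), here is a PowerShell triage script that pulls the event 6155 entries described above, flags any PackageName outside the list of packages the post says appear on a normal cold boot, and checks the Authenticode signature of each package's DLL, which is the check you would want before worrying about the "compromised package" scenario. It assumes each LSA package is shipped as <name>.dll under System32 (a naming convention, not something the post states) and that the event's PackageName field is read from the XML exactly as shown above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the machine
# showing the warnings. Assumption: each LSA package is System32\<name>.dll.

# Packages the post reports as producing event 6155 on a normal cold boot.
$KnownPackages = 'negoexts','kerberos','msv1_0','tspkg','pku2u','cloudap','wdigest','schannel','sfapm'

function Get-Lsa6155Summary {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 6155
                 StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read PackageName from EventData, as in the XML view of the event.
        $xml = [xml]$e.ToXml()
        $pkg = ($xml.Event.EventData.Data | Where-Object Name -eq 'PackageName').'#text'
        if ($null -eq $pkg) { $pkg = '' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            PackageName = $pkg
            Expected    = $KnownPackages -contains $pkg.ToLowerInvariant()
        }
    }
}

function Test-LsaPackageSignature {
    param([string[]]$Names = $KnownPackages)
    foreach ($n in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$n.dll"   # assumed file name
        if (-not (Test-Path $path)) { continue }                # skip packages not present on this build
        $sig = Get-AuthenticodeSignature -FilePath $path        # catalog-signed files are checked too
        [pscustomobject]@{
            Package = $n
            Path    = $path
            Status  = $sig.Status
            Signer  = $sig.SignerCertificate.Subject
        }
    }
}

# Per-package counts: a normal cold boot should show only the known names (msv1_0 twice).
Get-Lsa6155Summary | Group-Object PackageName | Select-Object Name, Count
# Anything unexpected, or any DLL whose signature is not Valid, deserves a closer look.
Get-Lsa6155Summary | Where-Object { -not $_.Expected }
Test-LsaPackageSignature | Where-Object Status -ne 'Valid'
```

If every warning names a known package and every DLL reports Status Valid with a Microsoft signer, the entries match the benign Credential Guard behaviour the post describes.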