Why LSASS Protected Process Light Blocks Some Tools but Not Others on Windows 11
🔍 WiseChecker


Some security tools and system utilities on Windows 11 can read LSASS memory, while others are blocked and fail with an access denied error. This happens because Windows 11 includes a security feature called LSASS Protected Process Light, or PPL, that limits which processes can interact with the Local Security Authority Subsystem Service. The specific behavior depends on whether a tool is signed with an anti-malware Early Launch Anti-Malware (ELAM) certificate and runs as a protected process itself. This article explains how LSASS PPL works, why it blocks certain tools, and what you can do if a trusted tool is being blocked.

Key Takeaways: LSASS PPL and Tool Access on Windows 11

  • LSASS Protected Process Light (PPL): A Windows security feature that restricts process access to LSASS memory to prevent credential theft
  • Anti-malware ELAM driver signature: The only signature that allows a tool to run as a protected process and access LSASS
  • Tools without PPL status or an ELAM signature: Blocked from reading LSASS memory, causing access denied errors


How LSASS Protected Process Light Controls Tool Access

LSASS Protected Process Light is a Windows security mechanism that protects the Local Security Authority Subsystem Service from unauthorized access. LSASS handles authentication, password changes, and token creation. Attackers who gain access to LSASS memory can extract password hashes, Kerberos tickets, and other credentials. PPL prevents this by restricting which processes can open a handle to LSASS with specific access rights.

The key rule is that only processes that are themselves running as a protected process can open LSASS with PROCESS_VM_READ access. To run as a protected process, a tool must be signed with a valid Early Launch Anti-Malware certificate. This certificate is issued only to legitimate security software vendors that meet Microsoft’s requirements. Tools that are not signed this way, even if they run as Administrator, are blocked.

This design creates a clear split. Security tools such as Microsoft Defender for Endpoint, CrowdStrike Falcon, and SentinelOne are signed with ELAM certificates and run as protected processes. They can read LSASS memory for legitimate monitoring and threat detection. Other tools, such as Process Explorer, Process Hacker, and Mimikatz, are not ELAM-signed. They are blocked from reading LSASS memory, which is exactly the intended behavior.

What Happens When a Tool Is Blocked

When a non-PPL tool attempts to open LSASS with PROCESS_VM_READ, Windows returns error code STATUS_ACCESS_DENIED. The tool may show an error message, fail to list LSASS in its process tree, or display incomplete information. This is not a bug. It is the expected result of PPL enforcement. Some tools, such as Process Explorer, can still show LSASS in the process list but cannot dump its memory or read its strings.

Steps to Determine Why a Tool Is Blocked by LSASS PPL

If you need to understand why a particular tool cannot access LSASS, follow these steps to check its signing status and PPL level.

  1. Open an elevated Command Prompt or PowerShell
    Press Win + X and select Terminal (Admin). Confirm the User Account Control prompt. This gives you the permissions needed to inspect process details.
  2. Check LSASS process protection level
    Run the command: tasklist /fi "IMAGENAME eq lsass.exe" to confirm that lsass.exe is running and note its PID. Then run: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL. A RunAsPPL value of 1 or 2 indicates PPL is active.
  3. Check the tool's signature and PPL status
    Run the tool that is being blocked. Then open Process Explorer, add the Protection column via View > Select Columns, and find the tool's process. Note that the Win32_Process class used by Get-CimInstance and wmic has no protection property, so it cannot show this value. If the Protection column is empty, the tool is not running as a protected process and cannot access LSASS.
  4. Verify the tool’s digital signature
    Right-click the tool’s .exe file in File Explorer, select Properties, then go to the Digital Signatures tab. Check if the signer is a Microsoft-affiliated anti-malware vendor. If the signer is not an ELAM-certified vendor, the tool cannot be made PPL-compatible without a new signature from Microsoft.
  5. Check Windows event logs for block events
    Open Event Viewer and navigate to Windows Logs > Security. Filter by Event ID 4674. This event logs when a process attempts an operation on a protected process. Look for entries where Object Name contains lsass.exe and Access Mask includes PROCESS_VM_READ. This confirms the block.
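The protection checks in steps 2 and 3 can be scripted. The following PowerShell is an added example, not code from the WiseChecker article: it reads the RunAsPPL value and queries each process's PS_PROTECTION byte through NtQueryInformationProcess, which PPL permits from a non-protected caller because only PROCESS_QUERY_LIMITED_INFORMATION is requested. The class name ProcProt and the function names are this example's own.

```powershell
# Added example, not part of the original article. Reports the PPL setting and the
# PS_PROTECTION value of running processes. Run from an elevated PowerShell window.
$def = @'
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, out byte info, int len, out int ret);
}
'@
Add-Type -TypeDefinition $def

# PS_PROTECTION layout: bits 0-2 Type, bit 3 Audit, bits 4-7 Signer.
$types   = @('None', 'PPL', 'Protected')
$signers = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem')

function Get-ProcessProtection {
    param([Parameter(Mandatory)][string]$Name)   # image name without .exe, e.g. lsass
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        # 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION, allowed on PPL processes
        $h = [ProcProt]::OpenProcess(0x1000, $false, [uint32]$p.Id)
        if ($h -eq [IntPtr]::Zero) {
            Write-Warning "OpenProcess failed for PID $($p.Id), error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            continue
        }
        try {
            [byte]$prot = 0; [int]$len = 0
            # 61 = ProcessProtectionInformation
            $status = [ProcProt]::NtQueryInformationProcess($h, 61, [ref]$prot, 1, [ref]$len)
            if ($status -ne 0) { Write-Warning ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status); continue }
            [pscustomobject]@{
                Name   = $p.ProcessName; PID = $p.Id
                Type   = $types[$prot -band 0x7]
                Signer = $signers[$prot -shr 4]
                Raw    = '0x{0:X2}' -f $prot
            }
        } finally { [void][ProcProt]::CloseHandle($h) }
    }
}

function Get-LsaPplSetting {
    # RunAsPPL: 1 = PPL with UEFI lock, 2 = PPL without UEFI lock (Windows 11 22H2+), absent or 0 = not set.
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
}

Get-LsaPplSetting
Get-ProcessProtection -Name lsass      # with PPL on: Type PPL, Signer Lsa, raw 0x41
Get-ProcessProtection -Name explorer   # ordinary process: Type None, Signer None
```

A blocked admin tool shows Type None here, which is the same condition the Process Explorer Protection column reports as empty.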


Common Issues When LSASS PPL Blocks Tools

Process Explorer cannot dump LSASS memory on Windows 11

Process Explorer by Sysinternals is a popular tool for viewing process details. When you right-click lsass.exe and select Create Dump, you may receive an error stating Access Denied. This happens because Process Explorer is not signed with an ELAM certificate and does not run as a protected process. The only workaround is to disable LSASS PPL, which reduces security. Microsoft does not recommend disabling PPL. Instead, use a security tool that supports PPL if you need LSASS memory access for forensic analysis.

Security auditing tools fail to read LSASS tokens

Some third-party auditing tools attempt to enumerate security tokens from LSASS. These tools also fail with access denied if they are not PPL-compatible. The fix is to contact the vendor and request an ELAM-signed version. Alternatively, use Windows built-in auditing tools such as wevtutil and PowerShell cmdlets that do not require direct LSASS memory access.

Mimikatz cannot extract credentials on Windows 11 with PPL enabled

Mimikatz is a well-known credential extraction tool. On Windows 11 with PPL enabled, Mimikatz cannot read LSASS memory and returns an error. This is by design. PPL is specifically intended to block tools like Mimikatz. If you are a security researcher testing defenses, you can disable PPL temporarily in a controlled lab environment by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL and setting it to 0, then rebooting. Do not do this on a production system.

LSASS PPL vs Non-PPL Tool Access: Key Differences

| Item | Tool Signed with ELAM Certificate | Tool Without ELAM Certificate |
| --- | --- | --- |
| Process protection level | Runs as a protected process (PPL) | Runs as a standard or admin process |
| LSASS memory read access | Allowed | Blocked with access denied |
| Examples | Microsoft Defender, CrowdStrike Falcon, SentinelOne | Process Explorer, Process Hacker, Mimikatz |
| Permission required | ELAM signature from Microsoft | Administrator privileges only |
| Security impact | Low risk of credential theft | High risk if allowed access |
| Can be made PPL-compatible | Already compatible | Requires vendor to obtain ELAM certificate |

The table shows that ELAM-signed tools are the only ones that can access LSASS memory. All other tools are blocked regardless of administrator rights. This is a fundamental security boundary that cannot be bypassed by running a tool as administrator or disabling User Account Control.

You can now identify why a specific tool is blocked by LSASS PPL on Windows 11. Check the tool’s digital signature and its process protection type using the steps above. If you need LSASS access for a legitimate purpose, contact the tool vendor about obtaining an ELAM certificate. For system administration tasks that do not require LSASS memory access, use the built-in Windows tools like Get-LocalUser in PowerShell or the Local Users and Groups snap-in. Disabling PPL is not recommended because it weakens protection against credential theft attacks.
