Jump to content

lsass.exe and µTorrent


Recommended Posts

(yes I used search, didn't find a good answer ;) )


My firewall popped up today asking me if it's ok for lsass.exe (LSA Shell 'Export Version') to accept INCOMING connection (to work as a server) on port 500 UPD.

I ofcourse denied it since I'm slightly paranoid :) but seconds after that µTorrent popped up saying "Error: Element not found" (yes, I've read the FAQ and I have diskio.compact_allocation not on, actually I don't even have that option in µTorrent). I can restart the .torrent but then I get more lsass.exe requests.

This happens on the same .torrent (and only on that one).

I have µTorrent 1.6 Stable and Kerio firewall (the new Sunbelt version 4.3).

I'm not looking for a firewall discussion, I'm also not looking for a virus discussion ;)

I'm interested in this lsass.exe and µTorrent link and I'm wondering if it's safe to enable lsass.exe (which is a legit Windows component).

Thanks !


Link to comment
Share on other sites

Does Kerio say were incoming connections for UDP port 500 / lsass.exe are coming from? As far as I know, you do not want to accept incoming packets from the internet to that specific port / service as it is part in logging on remotely. Probably best to make a few packet-filtering rules (Usefull for using p2p through Kerio anyway).

Link to comment
Share on other sites

Yes, they're coming from the internet, one IP is I dunno if it's the only IP. Kerio also says it's a "isakmp" port (maybe that's just the general name of port 500 ?).

First I though that it was just someone trying to hack me (picked my IP as he saw me download pieces from him and then just tried some various known vulnerabilities) but why would µTorrent complain with "Element not found" then? And why does the hacker try the same thing over and over? (a bot?)

I quess it could be a coincident: the .torrent is bad AND someone tries to hack me at the same time.

The .torrent contains LOTS of files so I can imagine something going wrong with pieces or bytes triggering the element error.

Any thoughts?

Coincident or not?

Hacking or not?

Link to comment
Share on other sites

Just noticed;

Everytime I get the element error message I see this added to the logger:

"ReadFile error: [filename]:0:44868:3408472:2"

and sometimes (for a different file)

"ReadFile error: [filename]:240195:3778327:4194304:2"

where [filename] is the name and path of a file.

Hmm, what's this about then?

I'm starting to believe in the Coincidence theory :P

Link to comment
Share on other sites

use ZoneAlarm Free. works perfectly for me and my router.

i recommend you allow LSASS to access the net but deny Server access. works for me.

many will tell you ZA Firewall is garbage. don't believe it. just like every piece of software

it depends on what system it runs on. for me, i've been using ZA since 2002 and no problems at all.

Link to comment
Share on other sites

ZoneAlarm, Kerio, I don't think it'll make a difference. I like ZoneAlarm and now I'm trying Kerio. (Argh, firewall discussion).

I no longer believe there is a direct connection between the "element error" and lsass.exe. I'm getting many element errors without lsass.exe activity. They are separate issues, the "element error" is a bug in µTorrent (IMO) and the lsass.exe activity is indirectly related to µTorrent (because my IP is "out there" due to using filesharing programs (µTorrent)).

After some digging I found that "lsass.exe port 500 UDP" is for VPNs (Virtual Private Network). Either someone is trying to use my computer as a proxy (VPN) or someone has configured their µTorrent to use port 500 which is causing lsass.exe (which is listening to port 500) to get µTorrent data.

This is my theory, sounds plausible, no?

btw, it's the same IP constantly hitting me. the packets come in bursts (often 5 in a row) repeating every 15-30 mins or so.

The numbers in the logger... yeah I wanna know too. (byte position?, file handle?, file type?, error type?, file lock status?).

Link to comment
Share on other sites

this is my idea...

somebody is hacking your uTorrent (since it acts as a server so a hacker can see the port and open to hacking),

so the IP that does the hacking (perhaps even unintentionally due to a worm infection or trojan) sends its command to your UT port....the command then makes UT hijack the LSASS port 500 (which is know to fail when infected with the SVCHOST.exe virus)....you block LSASS, UT can't hijack, the session dies.

in this case changing firewall won't help.

the best thing you can do is to not give LSASS server access but give it normal Internet access.

that should do it....please try and let us know because i've always done this. :)

another thing could be UT for some reason shares the same memory space of LSASS because of some issue.

Link to comment
Share on other sites

In generalm, you do not want to allow access by an unknown party to any executetable running on your computer for which you don't know the exact purpose. It is a sure way to get hacked. Unless you have a very specific configuration, there is no reason why anyone would want to connect to you on that port for that service, especially not a broadband ip based in Thailand.

As for the whole firewall discussion, ZoneAlarm, Kerio, Outpost, etc, They all have there flaws. If you really need one, pick the one which gives you the least amount of trouble.

Link to comment
Share on other sites

I'm fairly certain that I'm not infected, and I know my system quite well.

Although there hasn't been much discussion about the main topic (lsass.exe's relation with µTorrent) I've come to the conclusion that the relation is purely coincidental and that the lsass.exe activity that I've had is not directly related to µTorrent but rather it being an indirect effect of having my IP exposed on the BitTorrent P2P network.

Furthermore, the "element error" is not a result of the lsass.exe activity nor the result of blocking lsass.exe from acting as a server. I believe the "element error" is simply caused by a bad .torrent or a bug in µTorrent.

As for wheter I'm being hacked or not I don't really care, they can pound on my firewall all they want. It could also be a misconfigured computer/service. None the less I've perm-blocked it now.

So the bottom line is, there is no connection between µTorrent and lsass.exe (conclusion based on this thread and Google ;) ).

In the meanwhile, I still get the "element error" every 1 hour or so and I have to "Start" the torrent everytime it happens. I quess I have to make a bug-report out of that.

Case closed? Unless someone has some more input.


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...