Windows: module is blocked from loading into Local Security Authority (DPPassFilter.dll)

PATRICK
6 min read · Jan 18, 2025


DPPassFilter dll — Enable LSA (local security authority) — RunAsPPL & RunAsPPLBoot

MAYBE this FINALLY Works for anyone/everyone getting this error since SPRING 2023 (no one is seeing this error in ANY kind of predictable or consistent manner. It did not affect me and start presenting the DPPassFilter security message until Dec 2024…)!!! Wasted MOST of today on this microcrap Windows issue:

INSTEAD of WORKING ON MY GEN AI / AWS ML ENGINEERING training…..

Uploaded a PDF to Dropbox for now — it will be deleted at a later date. I use ‘microcrap’ in place of microsoft because this microcrap Defender bug (KB5007651) should have been resolved NEARLY TWO YEARS ago. Also, my Wordpress page may be a better presentation.

.

Source for some of the content below: "Windows 11 security error cause update", Comodo.com, March 2023. Elevenforum was used as a reference in the comodo.com content.

First thing folks need to know… (pulled definitions from a couple of places):

  • "RunAsPPL": a registry key on Windows systems that is used to enable a security feature called "LSA Protection," which prevents unauthorized processes from accessing sensitive information stored in the LSASS (Local Security Authority Subsystem Service) process, like user passwords. It thereby protects against credential dumping attacks like those often attempted by malware like Mimikatz, acting as a safeguard against unauthorized access to critical system memory areas.
  • Designed to prevent normal applications, even with administrator privileges, from accessing protected processes. This explains why most common techniques for bypassing such protection require the use of a driver.
  • A built-in security feature that protects against credential dumping attacks targeting a user's credentials.
  • "RunAsPPLBoot": a Windows registry key setting that allows administrators to specify which user account should be used to run the "Protected Processes for Enhanced Security" (PPL) feature at system startup, essentially controlling which user privileges are applied to critical system processes during boot-up.

.

Win 11: You will need to run regedit as admin to edit the registry and manually enable LSA with the registry tweak.

From a microcrap 'Learn' site, Mar 2023.

Prior to yesterday (Jan 17, 2025), I did not find this earlier.

Once in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
; hexadecimal/decimal does not matter, it reverts to hex
"RunAsPPL"=dword:00000002
"RunAsPPLBoot"=dword:00000002

.

This microcrap site walks one through enabling LSA:

Enable LSA protection on a single computer

You can enable LSA protection on a single computer by using the registry or by using Local Group Policy.

Enable by using the registry

  1. Open the Registry Editor RegEdit.exe, and navigate to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
  2. Set the value of the registry key to:
     • "RunAsPPL"=dword:00000001 to configure the feature with a UEFI variable.
     • "RunAsPPL"=dword:00000002 to configure the feature without a UEFI variable, only enforced on Windows 11 build 22H2 and higher.
     • "RunAsPPLBoot"=dword:00000002 (you NEED to edit this as well)

(my highlighting, not Microsoft)

Enable by using Local Group Policy on Windows 11 version 22H2 and later

Blah, blah, blah — check out the page if you need this section….

— — screenshots of registry….

.

From the Comodo.com site

If messing around with the registry is too tricky, you can run the following PowerShell script in administrator mode.
It will make the necessary changes to the registry.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 2 /f

.

Registry key AFTER editing

.

Info from (May 2023): "Local Security Authority is off. Your device may be vulnerable"

S.Sengupta 21,476 Reputation points • MVP May 14, 2023, 11:22 PM

Open Windows Registry Editor.

Navigate to the following location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Make sure you have RunAsPPL and RunAsPPLBoot. If you don’t have RunAsPPLBoot listed, create DWORD entries for RunAsPPL and RunAsPPLBoot.

Value for both entries should be 2.

Reboot and warnings should stop.

.

Hania Lian 20,436 • Microsoft Vendor May 15, 2023

Hi @FrankTurner-3752.

PLEASE NOTE: Backup the registry or create a system restore point before making any changes to the system through the registry editor.

In addition to enabling LSA in the registry, you can also try to enable it locally. The steps are as follows:

1) Go to Windows Settings and click Privacy & Security.

2) Click the Windows Security option at the top of the screen.

3) Click Device Security.

4) Click the Core isolation details link under the Core isolation section.

5) Turn the toggle button On for the Local Security Authority protection option.

6) Click Yes in the User Account Control prompt.

7) Reboot your PC to apply the changes.

.

My NOTES:

To test it, I went to toggle core integrity off and on but it would not toggle back on.

This driver caused it to NOT enable:

  • ftdibus.sys
  • ftdi
  • oem176.inf

So as admin, I uninstalled it using the following in POWERSHELL:

pnputil /delete-driver oem176.inf /uninstall /force

Did another SCAN in the core isolation and the MEMORY INTEGRITY is back on.

Had to do a restart (not shut down) of the PC (hp zbook 17 g6)
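
The published name oem176.inf above is specific to that one PC; the oemNN.inf number is assigned per machine. As an added example (not part of the original notes), this PowerShell looks up the package by the driver name from the notes, prints the removal command for review instead of running it, and reports whether memory integrity is running. It assumes an elevated session.

```powershell
# Added example: find the driver-store package behind a blocking driver.
# Run in an elevated PowerShell. 'ftdibus' is the driver name from the notes above.
$pattern = 'ftdibus'

# Third-party packages in the driver store; Driver holds the oemNN.inf published name.
$packages = Get-WindowsDriver -Online |
    Where-Object { $_.OriginalFileName -match $pattern }

if (-not $packages) {
    "No third-party driver package matching '$pattern' was found."
}

$packages |
    Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date |
    Format-List

# Print (do not run) the removal command for each match so it can be checked first.
foreach ($p in $packages) {
    "pnputil /delete-driver $($p.Driver) /uninstall /force"
}

# Memory integrity (HVCI) state: the value 2 in SecurityServicesRunning means it is running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) { 'Memory integrity: running' }
else                                         { 'Memory integrity: not running' }
```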

.

AND OF COURSE, LAST but not least, one MORE LSA module error popped up:

  • A driver cannot load on this device
  • Driver: cpuz146_x64.sys
  • A security setting is detecting this as a vulnerable driver and blocking it from loading. You’ll need to adjust your settings to load this driver.

So, I went to the CPUID maker site, a Canadian / French company and downloaded the latest win11 x64 driver of cpuz146_x64.sys.

And now, it is too soon to tell how successful this all was, but so far, a day later — no LSA security error pop-up…..

To be safe, do TWO restarts, checking the core integrity each time, as well as the registry settings. Only check the registry after the first restart; it will be fine after the 2nd restart.
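
The post-restart check described above can be scripted. This is an added example, not from the original post or the pages it quotes; it assumes an elevated PowerShell session and reads the two registry values, the Wininit event that records LSASS starting as a protected process, and the Code Integrity events that record blocked module loads.

```powershell
# Added example: verify LSA protection after a restart (run elevated).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. The two registry values this article sets (the article uses 2 for both).
$lsa = Get-ItemProperty -Path $lsaKey
foreach ($name in 'RunAsPPL', 'RunAsPPLBoot') {
    $value = $lsa.$name
    if ($null -eq $value) { "{0,-13} not present" -f $name }
    else                  { "{0,-13} = {1}" -f $name, $value }
}

# 2. Did LSASS actually start as a protected process?
#    Wininit writes event ID 12 to the System log when it did.
$ppl = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ppl) {
    "Latest protected start: {0}  {1}" -f $ppl.TimeCreated, $ppl.Message
} else {
    'No Wininit event 12 in the System log (LSASS was not started protected, or the event has aged out).'
}

# 3. Modules that code integrity refused to load into a protected process.
#    3033 = did not meet the signing level, 3063 = did not meet shared-section requirements.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033, 3063
} -MaxEvents 20 -ErrorAction SilentlyContinue

if ($blocked) { $blocked | Select-Object TimeCreated, Id, Message | Format-List }
else          { 'No blocked-load events (3033/3063) found.' }
```

The message text of each 3033/3063 event names the file that was blocked, which identifies the module or driver to update or remove.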

.

And my apologies, I had to revise most of this paper because I was livid, very livid when I wrote up the initial content.

.

.

Tags: CPUID, cpuz146_x64.sys, lsa, local security authority, LSA, windows 11, win 11, hp, bios, ftdibus.sys, ftdi, oem176.inf, core integrity, bitlocker, comodo.com, RunAsPPL, RunAsPPLBoot, Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, regedit,

Written by PATRICK

Data Engineer, Cloud Architect, Intelligence & Cyber guy: -- Innovation, Change, Improvement & Equality - 4 ALL! See my ABOUT https://patrick642.wordpress.com/
