Hello, in this video I want to show you how Mimikatz can manipulate protected processes. I'm going to run Process Explorer as an administrator, and if I look for the Local Security Authority process, this process here, and look at its properties, Security tab, you can see Protected here: it has the value PsProtectedSignerLsa-Light, and this means that the Local Security Authority is running as a protected process. Protected processes were introduced with Windows Vista for DRM reasons: to give the music industry and the movie industry the ability to create media players that were protected from all other processes, so that their memory could not be read and they could guarantee the copyright protections. So even accounts like SYSTEM were not able to read that memory. Now, protected processes were not popular at all; as far as I know, no media players were developed that used that protected process mechanism. But with Windows 8 Microsoft introduced a new flavor of protected processes, which they call Protected Processes Light, and these can be used for security reasons. Now if we go into Strings here for the LSA process and we go into Memory, you can see "Error opening process". So even though I'm running as administrator here, I cannot read the memory of the Local Security Authority, because it is running as a protected process light, and that is because of a setting in the registry that I made. Here on Windows 10, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, I created a DWORD entry RunAsPPL and set its value to 1. Then I restarted Windows 10, and because of this setting lsass.exe is running as a protected process. Now with Mimikatz you can change this, and I'm first going to demonstrate that with Notepad.

So I'm going to run Mimikatz as an administrator, like this, and let me start Notepad. If I go into Process Explorer I have Notepad running here; looking at its properties, it's not protected (Protected: No), and under Strings I can access the memory. Here are the strings found in memory. Now with Mimikatz I can change the status: I can turn this process into a protected process, and for that I need the driver. The driver is already installed on this machine, and now I use the kernel command process protect, and then I need to give it the process I want to protect. You can give a process ID or a process name; here I'm going to provide a process name, notepad.exe. And now this Notepad process is being protected; it is a protected process. This means that if I go into Process Explorer now and look at the properties here, Security, it still says No, but that's because Process Explorer has not updated this information: it doesn't expect this information to change, so it doesn't read that information again. But if we go into Strings, Memory, now we get "Error opening process". And if we start Process Explorer again, I will run it as administrator, it will read the information again for Notepad, and if I look into its properties now you can see here that it is a protected process. So that is how you can protect an unprotected process with Mimikatz. You can also remove that protection again, and that is the same command but with the argument remove. By doing this you turn the process again into a normal process, and now if I go into the properties, okay, so it still says that it's protected, but we know that's not true: if we go to Strings, Memory, now again we can read the memory, we get no error. Let me start Process Explorer again, and here in the properties, this time Security, you can see it's no longer a protected process. So that's how in Mimikatz you can change this. Now let's come back to our Local Security Authority here. We have not changed anything to that process; it's still a protected process.

Now the implication of that, if I want to dump the secrets, is that Mimikatz will not be able to access those secrets. So let me first enable my debug privilege, and if I now dump the LSA secrets with the inject method here, sorry, double quotes, I often forget the double quote, okay, so now I get an error. You get this error because it's a protected process, so we can remove that protection: the kernel command process protect, the process is the Local Security Authority, and I want to remove its protected process setting, like this. And now if I run the command again, here I can get the hashes.
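As an added example (not part of the video or of Mimikatz), here is a PowerShell audit a defender can run to compare the RunAsPPL registry setting shown in the video against the protection level LSASS actually has right now, which is the discrepancy the video produces when the protection is stripped at runtime. The P/Invoke wrapper and the Get-ProcessProtection function name are my own; it assumes Windows 8.1 or later and an elevated session.

```powershell
# Added audit script, not from the video. Queries the real protection level of a process
# through NtQueryInformationProcess(ProcessProtectionInformation) instead of trusting a
# cached view such as Process Explorer's Security tab.
$code = @"
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, out byte info, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@
Add-Type -TypeDefinition $code

function Get-ProcessProtection {
    param([int]$ProcessId)
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is granted even for protected processes.
    $h = [ProcProt]::OpenProcess(0x1000, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [byte]$prot = 0; [int]$len = 0
        # 61 = ProcessProtectionInformation; returns a PS_PROTECTION byte: Type (3 bits), Audit (1), Signer (4).
        $status = [ProcProt]::NtQueryInformationProcess($h, 61, [ref]$prot, 1, [ref]$len)
        if ($status -ne 0) { throw ("NtQueryInformationProcess failed: 0x{0:X8}" -f $status) }
        $types   = @('None', 'ProtectedLight', 'Protected')
        $signers = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem', 'App')
        [pscustomobject]@{ ProcessId = $ProcessId; Type = $types[$prot -band 7]; Signer = $signers[($prot -shr 4) -band 15] }
    } finally { [void][ProcProt]::CloseHandle($h) }
}

# The registry value the video creates; the persisted intent.
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
$runAsPpl = if ($null -ne $reg) { $reg.RunAsPPL } else { 'not set' }

# The live state of lsass.exe; a healthy RunAsPPL=1 system reports ProtectedLight / Lsa.
$lsass = Get-Process -Name lsass | Select-Object -First 1
$live  = Get-ProcessProtection -ProcessId $lsass.Id
"RunAsPPL registry value      : $runAsPpl"
"lsass.exe ($($lsass.Id)) protection: $($live.Type) / $($live.Signer)"
if ($runAsPpl -eq 1 -and $live.Type -eq 'None') {
    Write-Warning 'RunAsPPL is configured but LSASS is not protected: protection was removed at runtime (kernel driver activity) or the setting has not taken effect yet (reboot required).'
}
```

Because the protection flag lives in the kernel EPROCESS and can only be cleared from kernel mode, a mismatch between the registry and the live value is a strong signal that an unsigned or attacker-controlled driver was loaded, which is the event worth alerting on rather than the later credential dump.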