LSASS AND THE WINDOWS OPERATING SYSTEM

The Windows Local Security Authority Subsystem (LSASS) uses a type of virtual machine similar to the InPrivate Desktop sandbox. LSASS handles many of the security features of Windows. The reason it’s kept in a virtual environment is to protect it from malware. The “lsass.exe” process can be seen from the Windows Task Manager and must run to keep Windows from shutting down to the login screen. 

Passwords, password changes, hashes, and access tokens are all kept in Windows virtual machine to protect it from malware. Should a computer be compromised by malware, it’s unable to access critical data running on the operating system. Some attackers attempt to trick users into running a fraudulent executable that looks like the official exe. For example, “Lsass.exe” (capital “L” instead of lowercase “l”) is often distributed tricking users into running it as an official Windows application.

VIRTUAL MACHINES AND SANDBOX ENVIRONMENTS

Virtual machines (VMs) have long been a way for developers to host content that might be buggy or crash an operating system. Sandboxed environments cut off the rest of a network from the environment running the untrusted application. For instance, companies that analyze and develop applications to defend against malware or remove it from a system will use a sandbox environment for testing. You wouldn’t install malware on a machine that has access to the network, because the malware can spread across the network. Instead, these developers place malware and antivirus applications that remove it on a computer that has no access to the main network.

When an administrator sets up a virtual machine, it virtualizes the operating system, memory and computer resources. The underlying operating system is not affected, and administrators can be assured that anything running in the VM won’t be able to gain access to the underlying file system. The administrator can create and destroy the virtual machine as-needed, but destroying the VM also destroys any files stored within the sandbox. This is a benefit for some activities, such as testing and viewing results from running untrusted applications.

WHAT THE WINDOWS 10 SANDBOX VIRTUAL MACHINE OFFERS

The new Windows 10 VM sandbox will run similarly to a traditional VM environment with one exception: the new sandbox will have threads assigned a priority similar to the way a Windows application is given a priority. This priority system makes a Windows 10 machine more responsive should a higher priority application need resources currently in use by a low priority thread.

When a VM is running, it is assigned a priority that can be changed by the administrator. If the VM is given low priority, then an application with higher priority can “steal” the resources giving the high priority application better ability to stay functional even with a VM that uses too many resources.

InPrivate Desktop has some elements of a true virtual machine, but it also has features similar to Windows Containers. It still has a hardware boundary that separates VM resources from the host computer and virtualizes resources from the underlying machine. However, applications running on the same operating system as the local machine will share memory and disk resources, which is similar to Windows Containers.

Windows 10 Home users won’t see this new feature; it’s only available to Pro and Enterprise Windows 10 editions. 

WHAT THIS MEANS FOR DEVELOPERS

Developers work with testing environments usually in a VM or possibly in the newer container architecture. With the new Windows 10 feature, developers can more easily test applications directly on their desktop instead of moving files to a server to test. They can still run applications in debug mode to view any errors, but compiled versions of software can be run in the VM. This saves time for developers that make several version changes and upgrades to corporate software.

This new feature also gives end users a better way to install untrusted applications. Should the user prefer to install an application but is unsure of its validity, the user can run it in the VM to identify how it interacts with a computer. Should the application be identified as malware, the VM can be destroyed and the application sandboxed from the main operating system. Microsoft’s feature gives Windows 10 much better safety from malware should this get released to all editions of the operating system.