• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2768
  • Last Modified:


I found this dll in the system32 folder: pwdmon.dll.  It also has an entry in the Notification Packages key of  HKLM\SYSTEM\CurrentControlSet\Control\Lsa .  I can't find any information on this dll.  Can anyone shed some light on its purpose and where it comes from?
1 Solution
That is a registry key for windows security.

I am not sure what the file does but if you right click on the file and look at the properties you should be able to find out the manufacturer if it is legit. Some information about it should be found in the properties.
dhenderson12Author Commented:
Thanks for the reply.  There are NO values listed in the properties of this file ... none.
Look at the creation date. Did you install anything on that date? I would be very suspicious of the file. Maybe save your registry and then remove the key and see what happens. What other processes are running? Or just try renaming the file and see if a program complains. Do you have anything like a finger print reader on your computer?

Search Google for Rootkit analyzer and see if that DLL is hooking your keyboard or something..
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

You could assume that it is spyware or adware, or possibly a component for some obscure program, because I have a virus-free laptop and the file does not exist on it. I am running xp(pro)sp2.
What I usually do with files like these is the following:
- Create a backupcopy of the file and place it somewhere easy to acces from the command line (eg the c:\ root)
- Then rename the file in the system32 dir. Will it allow it? If not it is in use.
- if you cannot rename the file.. boot into safemode and try then
- if you can rename it that's cool. Now delete it. Does windows put it back?
- if so it might be a system file.
- after you've renamed it test your system for a while. Does it give any errors anywhere?

hope that'll help somewhat.

I've found this: http://www.brightstrand.com/simple.html

It uses a pwdmon program.

PAQed with no points refunded (of 125)

EE Admin
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now