The security package manager (SPM) is an undocumented component of LSA. The SPM manages both the authentication package and security package DLLs that LSA loads. As far as I am aware, the SPM has not been previously written about.

As far back as NT 3.5, LSA has provided an API for interacting with authentication packages (e.g., the AU API) over LPC port \\LsaAuthenticationPort. Clients could interact with the API by either using an abstracted Win32 function (ex. LsaLookupAuthenticationPackage) or by submitting data to the port formatted as an LSAP_AU_API_MESSAGE structure. The ntoskrnl.exe has always provided Win32 function equivalents which are internally handled by the ksecdd.sys driver. The ksecdd.sys driver currently implements this functionality as an NTOS extension host (e.g., SepAuthExtensionHost).

Microsoft later added an SPM API which extends the AU API. The SPM API has been identified in NT 5.2 but may have existed as early as NT 5.0. Microsoft provides Win32 and ntoskrnl.exe exports for some SPM APIs but clients must submit data to the SPM directly to interact with all of the API’s functions.

Data for SPM API calls are formated as an SPM_LPC_MESSAGE structure. The first members of the LSAP_AU_API_MESSAGE and SPM_LPC_MESSAGE structures are binary compatible up until the structure member that identifies which API number is to be called. That allows the SPM to know which API is being requested and which structure definition should be used to interpret the remainder of the data.

Oddly, Microsoft continued to use the same LPC port for communication in NT 6.0 despite the introduction of ALPC. The APIs have only been updated in NT 6.1 when the SSPI RPC interface was added to LSA.

The LPC port was removed in NT 6.1 and clients must now use the SspirCallRpc operation of the SSPI RPC interface to send data directly to either API. Although the communication is now facilitated via RPC, the code for handling API requests has not been updated and still expects data to be formatted as an LSAP_AU_API_MESSAGE or SPM_LPC_MESSAGE structure. Additionally, some API functions were removed to become SSPI RPC operations while others were removed entirely. The only API function that was added was ChangeAccountPassword. Other than the API updates for NT 6.1 and slight name changes for functions over the years both APIs have remaned stable.

• SPM Security
• Authentication API (AU API)
  • CallPackage
  • DeregisterLogonProcess
  • LogonUser
  • LookupPackage
• SPM API
  • AcceptContext
  • AcquireCreds
  • AddCredentials
  • AddPackage
  • ApplyToken
  • Callback
  • DeleteContext
  • DeletePackage
  • EfsDecryptFek
  • EfsGenerateDirEfs
  • EfsGenerateKey
  • EfsGenerateSessionKey
  • EnumLogonSessions
  • EnumPackages
  • EstablishCreds
  • FindPackage
  • FreeCredHandle
  • GetBinding
  • GetCreds
  • GetLogonSessionData
  • GetUserInfo
  • GetUserNameX
  • InitContext
  • LookupAccountName
  • LookupAccountSidX
  • LookupWellKnownSid
  • LsaPolicyChangeNotify
  • QueryContextAttributes
  • QueryCredAttributes
  • QueryPackage
  • SaveCreds
  • SetContextAttributes
  • SetSession

LsapGetClientInfo checks for:

• userPrincipalName capability which is documented as required for GetUserNameEx.