# GetLsaPidFromRegistry

```c
/*
 * Function-pointer types for the native registry routines that the function
 * below resolves from ntdll.dll at run time with GetProcAddress.
 */
/* NtOpenKey: receives a key handle, the desired access mask and object attributes. */
typedef NTSTATUS(NTAPI* NTOPENKEY)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
/* NtQueryValueKey: key handle, value name, information class, output buffer, buffer size, result length. */
typedef NTSTATUS(NTAPI* NTQUERYVALUEKEY)(HANDLE, PUNICODE_STRING, KEY_VALUE_INFORMATION_CLASS, PVOID, ULONG, PULONG);
/* NtClose: releases a handle. */
typedef NTSTATUS(NTAPI* NTCLOSE)(HANDLE);

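/*
 * Reads the "LsaPid" value under
 * \Registry\Machine\SYSTEM\CurrentControlSet\Control\Lsa through the native
 * NtOpenKey / NtQueryValueKey / NtClose exports of ntdll.dll.
 *
 * Returns the DWORD stored in that value, or 0 when ntdll or one of its
 * exports cannot be resolved, the key cannot be opened, the query fails, or
 * the value is not a 4-byte REG_DWORD.
 *
 * Note for defenders: this lookup goes through the registry rather than the
 * process list, so it is not visible to monitoring that only watches process
 * enumeration. Telemetry for it has to come from auditing read access to the
 * Lsa key.
 */
DWORD MpfGetLsaPidFromRegistry(VOID)
{
	NTOPENKEY NtOpenKey = NULL;
	NTQUERYVALUEKEY NtQueryValueKey = NULL;
	NTCLOSE NtClose = NULL;
	UNICODE_STRING LsaRegistryPath = { 0 };
	UNICODE_STRING LsaValue = { 0 };
	OBJECT_ATTRIBUTES Attributes = { 0 };
	HANDLE hKey = NULL;
	NTSTATUS Status = STATUS_SUCCESS;
	HMODULE hModule = NULL;
	DWORD LsassPid = 0;
	ULONG BufferLength = 0;

	/*
	 * The original sized this buffer as
	 * sizeof(KEY_VALUE_INFORMATION_CLASS) * sizeof(DWORD), which only happened
	 * to be large enough. Size it from the structure actually returned: the
	 * fixed header up to Data, plus one DWORD of payload. The union also gives
	 * the bytes the alignment of KEY_VALUE_PARTIAL_INFORMATION.
	 */
	union {
		KEY_VALUE_PARTIAL_INFORMATION Info;
		UCHAR Raw[FIELD_OFFSET(KEY_VALUE_PARTIAL_INFORMATION, Data) + sizeof(DWORD)];
	} Buffer = { 0 };

	hModule = GetModuleHandleW(L"ntdll.dll");
	if (hModule == NULL)
		goto EXIT_ROUTINE;

	NtOpenKey = (NTOPENKEY)GetProcAddress(hModule, "NtOpenKey");
	NtQueryValueKey = (NTQUERYVALUEKEY)GetProcAddress(hModule, "NtQueryValueKey");
	NtClose = (NTCLOSE)GetProcAddress(hModule, "NtClose");

	if (!NtOpenKey || !NtQueryValueKey || !NtClose)
		goto EXIT_ROUTINE;

	RtlInitUnicodeString(&LsaRegistryPath, L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Lsa");
	RtlInitUnicodeString(&LsaValue, L"LsaPid");
	InitializeObjectAttributes(&Attributes, &LsaRegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

	Status = NtOpenKey(&hKey, KEY_QUERY_VALUE, &Attributes);
	if (!NT_SUCCESS(Status))
		goto EXIT_ROUTINE;

	/* A value larger than the buffer yields a non-success status and is rejected here. */
	Status = NtQueryValueKey(hKey, &LsaValue, KeyValuePartialInformation, &Buffer, sizeof(Buffer), &BufferLength);
	if (!NT_SUCCESS(Status))
		goto EXIT_ROUTINE;

	/* Do not reinterpret the payload unless it really is a 4-byte DWORD. */
	if (Buffer.Info.Type != REG_DWORD || Buffer.Info.DataLength != sizeof(DWORD))
		goto EXIT_ROUTINE;

	LsassPid = *(PDWORD)&Buffer.Info.Data[0];

EXIT_ROUTINE:

	/* hKey is only non-NULL after NtOpenKey succeeded, so NtClose is resolved here. */
	if (hKey)
		NtClose(hKey);

	return LsassPid;
}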
```


