Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.
Change Auditor agent is installed on DCs. The agent process NPSrvHost.exe injects dlls into the LSASS process. We inject dlls to hook into different aspects of the system to be able to collect audit data. Once data is grabbed, agent will then forward the events to coordinator and then coordinator to SQL.
So, in conclusion, without injecting into Lsass, change auditor cannot collect audit data and product cannot work. So injecting into Lsass by NPSrvHost.exe is normal and expected.
