How to configure and troubleshoot external password filters in Windows 8 and in Windows Server 2012

In Windows 8 and in Windows Server 2012, processes can opt into Safe DLL Search mode. By default, processes that are running in this mode only try to load binaries in the following folder:The Local Security Authority Subsystem Service (LSASS) process hosts the password filter notification logic. By default, Safe DLL Search mode is enabled for the LSASS process in Windows 8 and in Windows Server 2012. This is for improved security. Therefore, the registration instructions for external password filters that apply to earlier versions of Windows are insufficient if you want to enable notifications in Windows 8 or in Windows 2012.

This article describes how to configure external password filters in Windows 8 and in Windows Server 2012. This article also contains information about how to troubleshoot external password filter issues.

To use password notification DLLs that are not in the %windir%\system32 folder, follow these steps:

1. Make sure that you are running one of the following operating systems:
   • Windows 8
   • Windows Server 2012
   • Windows 8 Release Preview
   • Windows Server 2012 Release Candidate
2. Verify that the Notification Packages registry entry contains the full or absolute path of each external password notification package. The registry entry should be configured as follows:
   Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
   Registry entry: Notification Packages
   Registry type: Multi_SZ
   Registry value:

   <Drive>:\<Path>\<File1 name>.dll
   <Drive>:\<Path>\<File2 name>.dll
   <Drive>:\<Path>\<File3 name>.dll
3. Verify that all related or supporting files for each password notification DLL are located in the same folder as the password notification DLL or in the %windir%\system32 folder.
4. Verify that the System security context has Read access to the following folders and files:
   • The parent folders that contain the external password notification DLLs
   • The external password notification DLLs
   • All related files in each external password notification directory

If an external password notification DLL cannot be loaded in Windows 8 or in Windows Server 2012, an event that resembles the following is logged in the System�log:

Event Source: System
Event ID: 16953
Event Message Text:

The password notification DLL File name failed to load with error Error code. Please verify that the notification DLL path defined in the registry, %2%3, refers to a correct and absolute path (<drive>:\<path>\<filename>.<ext>) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files. Contact the provider of the notification DLL for additional support. Further details can be found on the web at http://go.microsoft.com/fwlink/?LinkId=245898.

The following table lists the possible error codes that may appear in the 16953 event, the causes of each error code, and how to resolve each error code: