So you’ve found lsass.exe running on your Windows system. You’d probably like to know if it’s a virus, or if it’s something that is supposed to be there. Well, we’ve got good news. This process is not a virus, lsass.exe was created by Microsoft and is a core system “Local Security Authority Process” built into Windows. However, there are some risks of a copy-cat file. For more details read on.
Known as the local security authentication server, this file generates the process responsible for authenticating users in the WinLogon service. The process is performed by using authentication packages such as the default msgina.dll. When authentication is successful, lsass.exe generates a user access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.
A look at lsass.exe in process explorer reveals it handles 3 primary authentication services in Windows:
- EFS (Encrypting File System)
- Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, application will be unable to access encrypted files.
- KeyIso (CNG Key Isolation)
- The CNG key isolation is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long lived keys in a secure process complying with Common Criteria requirements.
- SamSs (Security Accounts Manager)
- The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
Also handled by lsass.exe is the local IPSEC Policy. This manages and starts the ISAKMP/Oakley (IKE) and the IP security driver in Windows Server.
On a security note, this process is safe. However a copy-cat virus has been known to infect systems. Predominantly, the malicious process is named isass.exe (Isass.exe = bad) which looks similar to Lsass.exe (lsass.exe = good). If you find the process starts with a capital “i” instead of a lower case “L” then your system is likely infected.
This “isass.exe” is a trojan virus known as the Sasser worm. The purpose of the worm is to covertly infect your system and begin harvesting data. This virus will log every keystroke typed, and particular go after account usernames, passwords, credit card numbers, and other sensitive data that can be used for fraudulent financial gain. If you find your computer is infected this virus is removable using the Microsoft Malware Removal tool.
Fortunately, the copycat “isass.exe” virus hasn’t been seen in a few years. Microsoft has long since patched the vulnerability that allowed the virus to infect Windows. This is why it is important to always keep your system updated.
Overall lsass.xe is a default startup process which controls log on security. This process is safe and essential to the function of Windows. It has a light system footprint however its memory usage is irrelevant because Windows cannot run properly without it. If your computer is behind on updates there is a chance you could get infected with a copy-cat virus, but even then it is unlikely unless you are still running Windows XP or earlier.