What is lsass.exe and Why is it Running?

So you’ve found lsass.exe running on your Windows system. You’d probably like to know if it’s a virus or if it’s something that is supposed to be there. Well, we’ve got good news. This process is not a virus. lsass.exe was created by Microsoft and is a core system called “Local Security Authority Process” built into Windows. However, there are some risks of a copycat file; for more details, read on.

lsass.exe in the task manager windows 7

Known as the local security authentication server, this file generates the process responsible for authenticating users in the WinLogon service. The process is performed by using authentication packages such as the default msgina.dll. When authentication is successful, lsass.exe generates a user access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

A look at lsass.exe in Process Explorer reveals it handles three primary authentication services in Windows:

  • EFS (Encrypting File System)
    • Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, the application will be unable to access encrypted files.
  • KeyIso (CNG Key Isolation)
    • The CNG key isolation is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
  • SamSs (Security Accounts Manager)
    • The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when SAM is ready, which may, in turn, cause those services to fail to start correctly. This service should not be disabled.

Also handled by lsass.exe is the local IPSEC Policy. This manages and starts the ISAKMP/Oakley (IKE) and the IP security driver in Windows Server.


On a security note, this process is safe. However, a copycat virus has been known to infect systems. Predominantly, the malicious process is named isass.exe (Isass.exe = bad), which looks similar to Lsass.exe (lsass.exe = good). If you find the process starts with a capital “i” instead of a lowercase “L” then your system is likely infected.

This “isass.exe” is a trojan virus known as the Sasser worm. The purpose of the worm is to covertly infect your system and begin harvesting data. This virus will log every keystroke typed and, in particular, go after account usernames, passwords, credit card numbers, and other sensitive data that can be used for fraudulent financial gain. If you find your computer is infected, this virus is removable using the Microsoft Malware Removal tool.

Fortunately, the copycat “isass.exe” virus hasn’t been seen in a few years. Microsoft has long since patched the vulnerability that allowed the virus to infect Windows. This is why it is important to always keep your system updated.


Overall, lsass.exe is a default startup process that controls log-on security. This process is safe and essential to the function of Windows. It has a light system footprint; however, its memory usage is irrelevant because Windows cannot run properly without it. If your computer is behind on updates, there is a chance you could get infected with a copycat virus, but even then, it is unlikely unless you are still running Windows XP or earlier.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *


To Top