lsass.exe

Local Security Authority Subsystem Service

System Critical Security
CPU Usage: 0-5%
Memory: 10-30 MB
Location: System32
Publisher: Microsoft

Quick Answer

lsass.exe is safe and critical. It's the Local Security Authority Subsystem Service, which handles user logins and password changes and enforces security policies. It is often targeted by malware.

Is it a Virus? ✔ SAFE (if legitimate). Frequently impersonated by malware.
Warning: Critical System Process. Terminating it causes immediate reboot.
Can I Disable? ✘ NEVER - System Critical. Required for Windows security.

What is lsass.exe?

lsass.exe (Local Security Authority Subsystem Service) is one of the most critical Windows processes. It handles authentication, password changes, access token creation, and enforces local security policy. Every time you log in, lsass.exe verifies your credentials.

LSASS is so critical that ending it forces Windows to reboot within 60 seconds. It runs with SYSTEM privileges and is deeply integrated with Windows security. Unfortunately, it's also one of the processes most commonly targeted by malware and credential-stealing attacks.

Main Functions

Is lsass.exe Safe?

Yes, the legitimate lsass.exe is completely safe when it's the authentic Microsoft process.

How to Verify Legitimacy

  1. File Location: MUST be C:\Windows\System32\lsass.exe (never a System32 folder that is not under C:\Windows)
  2. Digital Signature: Microsoft Windows Publisher
  3. User Account: SYSTEM only
  4. Single Instance: Only ONE lsass.exe should ever run
  5. Parent Process: wininit.exe

CRITICAL WARNING: lsass.exe in any location other than C:\Windows\System32 is MALWARE. Multiple lsass.exe processes = malware. A copy in a System32 folder that is not under the Windows folder is fake. Malware often uses similar names such as 'lssas.exe', 'lsaas.exe', or 'lsass32.exe'. Terminate and scan immediately.
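The five checks above can be run in one pass. The PowerShell below is an added example, not part of the original page. It uses the standard Get-CimInstance, Get-AuthenticodeSignature and Invoke-CimMethod cmdlets. The lookalike list is the names quoted in the warning, and matching the signer subject on 'Microsoft' is an assumption.

```powershell
# Added example: applies the five checks above to every running process whose
# name is lsass.exe or one of the lookalike names quoted on this page.
# Run from an elevated prompt; unelevated, path and owner may not be readable.
$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'
$names = 'lsass.exe', 'lssas.exe', 'lsaas.exe', 'lsass32.exe'

$all   = Get-CimInstance -ClassName Win32_Process
$procs = @($all | Where-Object { $names -contains $_.Name })
$real  = @($procs | Where-Object { $_.Name -eq 'lsass.exe' })

$report = foreach ($p in $procs) {
    $findings = @()
    if ($p.Name -ne 'lsass.exe') { $findings += 'lookalike name' }

    # 1. File location (-ne on strings is case-insensitive, like Windows paths)
    if (-not $p.ExecutablePath) {
        $findings += 'path unreadable'
    } elseif ($p.ExecutablePath -ne $expectedPath) {
        $findings += "unexpected path: $($p.ExecutablePath)"
    }

    # 2. Digital signature of the file on disk (loose signer match, assumption)
    if ($p.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature: $($sig.Status)"
        }
    }

    # 3. User account: S-1-5-18 is the well-known SID of SYSTEM (locale-independent)
    $sid = (Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid).Sid
    if ($sid -ne 'S-1-5-18') { $findings += "owner SID: $sid" }

    # 4. Single instance
    if ($real.Count -gt 1) { $findings += "$($real.Count) lsass.exe instances" }

    # 5. Parent process, resolved by PID from the same snapshot
    $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
    if ($parent.Name -ne 'wininit.exe') { $findings += "parent: $($parent.Name)" }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Name      = $p.Name
        Path      = $p.ExecutablePath
        Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}
$report | Format-List
```

A result of "path unreadable" or an empty owner SID means the check could not be completed, usually because the prompt is not elevated. It is not evidence of tampering.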

High CPU or Memory Usage

High resource usage by lsass.exe can occur under certain conditions.

Common Causes

Solutions

  1. Verify Location - Confirm file is in C:\Windows\System32\lsass.exe
  2. Check Digital Signature - Must be signed by Microsoft
  3. Scan for Malware - Use multiple antivirus tools if suspicious
  4. Monitor with Process Explorer - Check parent process is wininit.exe
  5. Enable Credential Guard - Windows 10 Enterprise: protects lsass memory
  6. Update Windows - Security patches protect against lsass exploits