What is lsass.exe?

The genuine lsass.exe file is a software component of Microsoft Windows by Microsoft Corporation.
If "lsass.exe" resides in "C:\Windows\System32", it is the Microsoft Windows Operating System's Local Security Authority Subsystem Service. Six critical Windows services involved in the computer's security management are dynamic link library (.dll) files which are called by "lsass.exe". These include "vaultsvc.dll", which controls access to credentials of users and applications; "efssvc.dll", central to storage of encrypted files on NTFS-type disk volumes; and "samsrv.dll", the Security Accounts Manager. If the real "lsass.exe" is forcibly stopped the machine is forced into a restart because the Welcome screen loses its account(s). It also cannot be uninstalled. In other locations, assume "lsass.exe" is disguised malware, which may include extremely dangerous Trojans or worms. A spyware or malware removal program may be needed to remove such files.

LSASS stands for Local Security Authority Subsystem Service

The .exe extension on a filename indicates an executable file. Executable files may, in some cases, harm your computer. Therefore, please read below to decide for yourself whether the lsass.exe on your computer is a Trojan that you should remove, or whether it is a file belonging to the Windows operating system or to a trusted application.

Click to Run a Free Scan for lsass.exe related errors

Lsass.exe file information

Windows Task Manager with lsass — Lsass.exe process in Windows Task Manager

The process known as Local Security Authority Process or LSA Shell (Export Version) or LSA Shell or pikachu or Windows host process (Rundll32) or Bonjour or CNG Key Isolation, Security Accounts Manager or igfxCUIService Module

belongs to software Microsoft Windows Operating System or IPSEC Services, Protected Storage, Security Accounts Manager or CNG Key Isolation, Security Accounts Manager or Encrypting File System (EFS), CNG Key Isolation, Security Accounts Manager or Project1 or CNG Key Isolation, Protected Storage, Security Accounts Manager or CNG Key Isolation, Security Accounts Manager, Credential Manager or NT LM Security Support Provider, IPSEC Services, Protected Storage, Security Accounts Manager

by Microsoft (www.microsoft.com) or www.microsoft.com or Nenad Hrg (SoftwareOK.com) or Blackburn Laocoon or NETGATE Technologies s.r.o (www.netgate.sk) or Ci78JjFt5o9WNk or qYpbf.

Description: The original lsass.exe from Microsoft is an important part of Windows, but often causes problems. The lsass.exe file is located in the C:\Windows\System32 folder. Known file sizes on Windows 10/11/7 are 13,312 bytes (68% of all occurrences), 22,528 bytes and 18 more variants.
The program is not visible. It is a Microsoft signed file. The process uses ports to connect to or from a LAN or the Internet. Therefore the technical security rating is 13% dangerous, however you should also read the user reviews.

Recommended: Identify lsass.exe related errors

Viruses with the same file name

Is lsass.exe a virus? No, it is not. The true lsass.exe file is a safe Microsoft Windows system process, called "Local Security Authority Process". However, writers of malware programs, such as viruses, worms, and Trojans deliberately give their processes the same file name to escape detection. Viruses with the same file name are for instance Trojan.Gen or W32.Imaut (detected by Symantec), and TROJ_GEN.R47C3LG or Mal_OtorunN (detected by TrendMicro).
To ensure that no rogue lsass.exe is running on your PC, click here to run a Free Virus Scan.

How to recognize suspicious variants?

If lsass.exe is located in a subfolder of C:\Windows, the security rating is 87% dangerous. The file size is 1,591,808 bytes (13% of all occurrences), 3,902,464 bytes and 25 more variants. The lsass.exe file is not a Windows core file. The program is not visible. The lsass.exe file is located in the Windows folder, but it is not a Windows core file. The program has no file description. Lsass.exe is able to monitor applications, manipulate other programs and record keyboard and mouse inputs.
If lsass.exe is located in a subfolder of C:\, the security rating is 62% dangerous. The file size is 551,669 bytes (15% of all occurrences), 552,448 bytes and 23 more variants. The lsass.exe file is not a Windows system file. There is no description of the program. The program has no visible window. The process starts when Windows starts (see Registry key: MACHINE\Run, Run, Userinit, User Shell Folders, Winlogon\Shell, TaskScheduler). Lsass.exe is able to monitor applications, record keyboard and mouse inputs and manipulate other programs.
If lsass.exe is located in a subfolder of the user's profile folder, the security rating is 63% dangerous. The file size is 42,687 bytes (15% of all occurrences), 42,713 bytes and 24 more variants.
If lsass.exe is located in a subfolder of "C:\Program Files", the security rating is 75% dangerous. The file size is 4,606,976 bytes (39% of all occurrences), 196,919 bytes and 11 more variants.
If lsass.exe is located in the C:\Windows folder, the security rating is 80% dangerous. The file size is 13,179,660 bytes (25% of all occurrences), 185,344 bytes, 983,552 bytes or 528,398 bytes.
If lsass.exe is located in the Windows folder for temporary files, the security rating is 90% dangerous. The file size is 1,591,808 bytes (33% of all occurrences), 24,064 bytes or 6,790,656 bytes.
If lsass.exe is located in a subfolder of C:\Windows\System32, the security rating is 96% dangerous. The file size is 460,288 bytes (50% of all occurrences) or 471,040 bytes.
If lsass.exe is located in the C:\Windows\System32\drivers folder, the security rating is 72% dangerous. The file size is 32,768 bytes.
If lsass.exe is located in the "C:\Program Files\Common Files" folder, the security rating is 40% dangerous. The file size is 32,256 bytes.
If lsass.exe is located in the user's profile folder, the security rating is 76% dangerous. The file size is 473,001 bytes.

External information from Paul Collins:
There are different files with the same name:

"MicrosoftSourceSafe" definitely not required. Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup!
"lsass" definitely not required. Added by the RATSOU.B TROJAN! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!
"Microsoft UPDATER32" definitely not required. Added by the RANDEX.AR WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!
"System Handler" definitely not required. Added by the NIMOS WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!
"Traybar" definitely not required. Added by the MYDOOM.L WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!

Important: Some malware disguises itself as lsass.exe, particularly when not located in the C:\Windows\System32 folder. Therefore, you should check the lsass.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.

Score

User Comments

This is a safe file if it on c:\windows\system32 folder, but some virus and malwares disguises. Sasser virus attack it!

It is very important as it controls user info and security, but if not in C:/Windows/system32 or C:/Windows/sysWOW64, it is disguised malware.

If its process crashes, then you are no longer able to reboot, you can only log off or switch users, unless you use the power button. See the attached video for more info. (Note: If you want to just go straight to why, skip to 3:46)
TheAwesomePurple111 (further information)

really important for windows but only if in c:\windows\system32 or syswow64

I think it is safe, see Virustotal report:
(further information)

Critical for Windows NT Operating systems.
ttaute

This process is critical. If you end it, You will not get a BSoD, only a restarting message.
iestinas (further information)

lsass.exe is a pretty critical windows process that will cause forced shutdown if ended with task manager i have no idea about what happens if its missing on the computer
lsass.exe

More comments can be found here:
(further information)

Summary: Average user rating of lsass.exe: based on 723 votes with 9 user comments. 273 users think lsass.exe is essential for Windows or an installed application. 32 users think it's probably harmless. 134 users think it's neither essential nor dangerous. 82 users suspect danger. 202 users think lsass.exe is dangerous and recommend removing it. 74 users don't grade lsass.exe ("not sure about it").

Best practices for resolving lsass issues

A clean and tidy computer is the key requirement for avoiding problems with lsass. This means running a scan for malware, cleaning your hard drive using 1cleanmgr and 2sfc /scannow, 3uninstalling programs that you no longer need, checking for Autostart programs (using 4msconfig) and enabling Windows' 5Automatic Update. Always remember to perform periodic backups, or at least to set restore points.

Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the 6resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing of your installation or executing the 7DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.

To get your computer running as fast as it did on day one, you can 8reset your PC. Your personal files will remain intact, but any programs you installed will need to be reinstalled.

To help you analyze the lsass.exe process on your computer, the following programs have proven to be helpful: ASecurity Task Manager displays all running Windows tasks, including embedded hidden processes, such as keyboard and browser monitoring or Autostart entries. A unique security risk rating indicates the likelihood of the process being potential spyware, malware or a Trojan. A good Bantivirus software detects and removes sleeping spyware, adware, Trojans, keyloggers, malware and trackers from your hard drive.

Other processes

hkcmd.exe ascplugin_protection.dll steam.exe lsass.exe csrss.exe skypehost.exe hostappserviceupdater.exe armsvc.exe googleupdate.exe igfxtray.exe rpbrowserrecordplugin.dll [all]

	Do you have additional information?
What do you know about lsass.exe:
How would you rate it:
Link for more info:
Your Name: