The genuine lsass.exe file is a software component of Microsoft Windows by Microsoft Corporation. If "lsass.exe" resides in "C:\Windows\System32", it is the Microsoft Windows Operating System's Local Security Authority Subsystem Service. Six critical Windows services involved in the computer's security management are dynamic link library (.dll) files which are called by "lsass.exe". These include "vaultsvc.dll", which controls access to credentials of users and applications; "efssvc.dll", central to storage of encrypted files on NTFS-type disk volumes; and "samsrv.dll", the Security Accounts Manager. If the real "lsass.exe" is forcibly stopped the machine is forced into a restart because the Welcome screen loses its account(s). It also cannot be uninstalled. In other locations, assume "lsass.exe" is disguised malware, which may include extremely dangerous Trojans or worms. A spyware or malware removal program may be needed to remove such files.
LSASS stands for Local Security Authority Subsystem Service.
The .exe extension on a filename indicates an executable file. Executable files may in some cases harm your computer. Therefore, please read below to decide for yourself whether the lsass.exe on your computer is a Trojan that you should remove, or whether it is a file belonging to the Windows operating system or to a trusted application.
Since 2005, file.net has helped users better understand and correctly identify Windows processes. Our own analysis, research, and the collective experience of our community provide reliable, easy-to-understand information. Around 10,000 users trust us every day.
Description: The original lsass.exe from Microsoft is an important part of Windows, but often causes problems. The lsass.exe file is located in the C:\Windows\System32 folder.
Known file sizes on Windows 10/11/7 are 13,312 bytes (68% of all occurrences), 22,528 bytes and 18 more variants.
The program is not visible. It is a Microsoft signed file. The process uses ports to connect to or from a LAN or the Internet.
Therefore the technical security rating is 13% dangerous; however, you should also read the user reviews.
Is lsass.exe a virus? No, it is not. The true lsass.exe file is a safe Microsoft Windows system process, called "Local Security Authority Process".
However, writers of malware programs, such as viruses, worms, and Trojans, deliberately give their processes the same file name to escape detection. Viruses with the same file name are for instance Trojan.Gen or W32.Imaut (detected by Symantec), and TROJ_GEN.R47C3LG or Mal_OtorunN (detected by TrendMicro).
How to recognize suspicious variants?
If lsass.exe is located in a subfolder of C:\Windows, the security rating is 87% dangerous. The file size is 1,591,808 bytes (13% of all occurrences), 3,902,464 bytes and 25 more variants.
The program is not visible. The lsass.exe file is located in the Windows folder, but it is not a Windows core file. The program has no file description.
Lsass.exe is able to monitor applications, record keyboard and mouse inputs and manipulate other programs.
If lsass.exe is located in a subfolder of C:\, the security rating is 62% dangerous. The file size is 551,669 bytes (15% of all occurrences), 552,448 bytes and 23 more variants.
The lsass.exe file is not a Windows system file. There is no description of the program. The program has no visible window. The process starts when Windows starts (see Registry key: MACHINE\Run, Run, Userinit, User Shell Folders, Winlogon\Shell, TaskScheduler).
Lsass.exe is able to monitor applications, record keyboard and mouse inputs and manipulate other programs.
If lsass.exe is located in a subfolder of the user's profile folder, the security rating is 63% dangerous. The file size is 42,687 bytes (15% of all occurrences), 42,713 bytes and 24 more variants.
If lsass.exe is located in a subfolder of "C:\Program Files", the security rating is 75% dangerous. The file size is 4,606,976 bytes (39% of all occurrences), 196,919 bytes and 11 more variants.
If lsass.exe is located in the C:\Windows folder, the security rating is 80% dangerous. The file size is 528,398 bytes (25% of all occurrences), 983,552 bytes, 13,179,660 bytes or 185,344 bytes.
If lsass.exe is located in the Windows folder for temporary files, the security rating is 90% dangerous. The file size is 24,064 bytes (33% of all occurrences), 6,790,656 bytes or 1,591,808 bytes.
If lsass.exe is located in a subfolder of C:\Windows\System32, the security rating is 96% dangerous. The file size is 460,288 bytes (50% of all occurrences) or 471,040 bytes.
If lsass.exe is located in the user's profile folder, the security rating is 70% dangerous. The file size is 473,001 bytes (50% of all occurrences) or 101,888 bytes.
If lsass.exe is located in the "C:\Program Files\Common Files" folder, the security rating is 40% dangerous. The file size is 32,256 bytes.
If lsass.exe is located in the C:\Windows\System32\drivers folder, the security rating is 72% dangerous. The file size is 32,768 bytes.
External information from Paul Collins: There are different files with the same name:
"MicrosoftSourceSafe" definitely not required. Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup!
"lsass" definitely not required. Added by the RATSOU.B TROJAN! Note - this is not the legitimate Lsass.exe system file, which should normally NOT figure in Msconfig/Startup!
"Microsoft UPDATER32" definitely not required. Added by the RANDEX.AR WORM! Note - this is not the legitimate Lsass.exe system file, which should normally NOT figure in Msconfig/Startup!
"System Handler" definitely not required. Added by the NIMOS WORM! Note - this is not the legitimate Lsass.exe system file, which should normally NOT figure in Msconfig/Startup!
"Traybar" definitely not required. Added by the MYDOOM.L WORM! Note - this is not the legitimate Lsass.exe system file, which should normally NOT figure in Msconfig/Startup!
Important: Some malware disguises itself as lsass.exe, particularly when not located in the C:\Windows\System32 folder. Therefore, you should check the lsass.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.
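The location and signature check described above, as an added PowerShell example (not code from file.net or Microsoft). It assumes Windows 10/11 with PowerShell 5.1 or later; the variable names and verdict strings are illustrative, and the autostart part covers only the two Run keys.

```powershell
# Added example: assumes Windows 10/11 and PowerShell 5.1+ (needed to validate
# catalog-signed system files). Run elevated so the image path is readable.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# 1. Every running process named lsass.exe: check image path and signature.
$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'") {
    $path = $p.ExecutablePath   # empty when the caller lacks rights to query it
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $verdict = if (-not $path) {
        'UNKNOWN: path not readable, re-run elevated'
    } elseif ($path -ine $expected) {
        'SUSPICIOUS: not in System32'
    } elseif ($sig.Status -ne 'Valid') {
        'SUSPICIOUS: signature not valid'
    } elseif ($signer -notmatch 'O=Microsoft Corporation') {
        'SUSPICIOUS: signer is not Microsoft'
    } else {
        'OK'
    }
    [pscustomobject]@{ ProcessId = $p.ProcessId; Path = $path; Signer = $signer; Verdict = $verdict }
}

# 2. Run-key values that reference lsass.exe. The genuine file is started by
#    Windows itself and should not appear among startup entries.
$builtin = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autostart = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $props.PSObject.Properties) {
        if ($v.Name -notin $builtin -and "$($v.Value)" -match 'lsass\.exe') {
            [pscustomobject]@{ Key = $key; Name = $v.Name; Command = $v.Value }
        }
    }
}

$report    | Format-Table -AutoSize -Wrap
$autostart | Format-Table -AutoSize -Wrap
```

A healthy system shows one row with verdict OK and an empty autostart table.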
User Comments
This is a safe file if it is in the c:\windows\system32 folder, but some viruses and malware disguise themselves as it. The Sasser virus attacks it!
It is very important as it controls user info and security, but if not in C:/Windows/system32 or C:/Windows/sysWOW64, it is disguised malware.
If its process crashes, then you are no longer able to reboot, you can only log off or switch users, unless you use the power button. See the attached video for more info. (Note: If you want to just go straight to why, skip to 3:46) TheAwesomePurple111
really important for windows but only if in c:\windows\system32 or syswow64
This process is critical. If you end it, you will not get a BSoD, only a restarting message. iestinas
lsass.exe is a pretty critical Windows process that will cause a forced shutdown if ended with Task Manager. I have no idea what happens if it's missing on the computer. lsass.exe
Summary: Average user rating of lsass.exe:
based on 723 votes with 9 user comments.
273 users think lsass.exe is essential for Windows or an installed application.
32 users think it's probably harmless.
134 users think it's neither essential nor dangerous.
82 users suspect danger.
202 users think lsass.exe is dangerous and recommend removing it.
74 users don't grade lsass.exe ("not sure about it").
Best practices for resolving lsass issues
A clean and tidy computer is the key requirement for avoiding problems with lsass. This means running a scan for malware, cleaning your hard drive using cleanmgr and sfc /scannow, uninstalling programs that you no longer need, checking for Autostart programs (using msconfig) and enabling Windows' Automatic Update. Always remember to perform periodic backups, or at least to set restore points.
Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing your installation or executing the DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.
To get your computer running as fast as it did on day one, you can reset your PC. Your personal files will remain intact, but any programs you installed will need to be reinstalled.
To help you analyze the lsass.exe process on your computer, the following programs have proven to be helpful: Security Task Manager displays all running Windows tasks, including embedded hidden processes, such as keyboard and browser monitoring or Autostart entries. A unique security risk rating indicates the likelihood of the process being potential spyware, malware or a Trojan. A good antivirus software detects and removes sleeping spyware, adware, Trojans, keyloggers, malware and trackers from your hard drive.