lsass.exe

Local Security Authority Subsystem Service

System ProcessEssentialSecurity & Logon

CPU Usage

0-20%

Memory

100-600 MB

Location

System32

Publisher

Microsoft Windows

Quick Answer

lsass.exe is essential. It’s the Local Security Authority Subsystem Service that enforces security policies, authenticates users, and creates tokens for logon sessions. It is a core Windows component and should not be terminated.

Is it a Virus?

✔ NO - Safe

Must be located at C:\Windows\System32\lsass.exe

Warning

Core system process

During login and authentication, LSASS handles token creation for user sessions. Abnormal behavior can indicate corruption or malware masquerading as lsass.exe.

Can I Disable?

✔ NO

Disabling or terminating lsass.exe will crash Windows and compromise security. Do not attempt.

What is lsass.exe?

lsass.exe is the Local Security Authority Subsystem Service in Windows. It authenticates users, enforces security policy, issues access tokens, and validates credentials during logon and domain interactions. It runs as a protected system process in System32.

It operates in its own process to validate credentials (Kerberos/NTLM), enforce policy, and generate user tokens during logon. This isolation enhances security and stability by preventing credential exposure to user-mode applications.

Quick Fact: LSASS is foundational for Windows authentication and can be a target for attacks; tampering typically triggers security alerts and system integrity checks.

Types of LSASS Roles

Authentication: Validates credentials during logon and token creation
Policy Enforcement: Applies security policies and domain rules
Credential Handling: Interacts with credential providers and SAM database
Security Token Service: Issues Kerberos/NTLM tokens for processes
Audit and Verification: Supports security auditing and policy verification

Is lsass.exe Safe?

Yes, lsass.exe is safe when it is the legitimate Microsoft Windows system file located in C:\Windows\System32 with a valid digital signature from Microsoft. Do not terminate unless diagnosing with professional guidance.

Is lsass.exe a Virus or Malware?

The real lsass.exe is NOT a virus. However, malware may masquerade under similar names. Always verify location and signature.

How to Tell if lsass.exe is Legitimate or Malware

File Location:: Must be in C:\Windows\System32\lsass.exe. Any lsass.exe elsewhere is suspicious.
Digital Signature:: Right-click the file in File Explorer → Properties → Digital Signatures. Should show signer "Microsoft Windows".
Executable Path:: Open Task Manager → Details → lsass.exe and verify the path is C:\Windows\System32\lsass.exe.
Resource Usage:: Normal usage is modest; sudden, sustained high CPU or memory without user activity may indicate malware.

Red Flags: If lsass.exe is not in C:\Windows\System32, lacks a valid signature, or triggers security alerts, run a full system malware scan and verify system integrity.

Why Is lsass.exe Running on My PC?

lsass.exe runs as part of Windows authentication and security policy enforcement. It may be active during logon, domain authentication, or when security policies and credentials are validated.

Reasons it's running:

Active Logon Sessions: Windows uses LSASS to authenticate and create access tokens as users log in.
Policy Enforcement: Local and group policy evaluation occurs through LSASS to ensure policy compliance.
Credential Management: Interacts with credential providers and stores/validates credentials for sessions.
Ticket and Token Generation: Generates Kerberos/NTLM tickets required for network authentication.
Domain and DC Communication: On domain-joined machines, LSASS communicates with domain controllers for authentication and policy updates.

Can I Disable or Remove lsass.exe?

No, you should not disable lsass.exe. It is a core Windows component essential for authentication and security. Attempting to disable it will destabilize or crash Windows.

How to Stop lsass.exe

Do Not End the Process: LSASS is a protected system process; attempting to end it can crash Windows.
If Suspected Malware: Run a full system antivirus/malware scan from a trusted security product.
Update Windows: Ensure Windows is fully updated to fix known LSASS-related vulnerabilities.
Repair System Files: Run sfc /scannow and DISM to repair corrupted Windows files.
Consult Support: If authentication issues persist, seek professional assistance from Microsoft Support.

Common Problems: LSASS High CPU/Memory, Crashes, and Security Alerts

LSASS issues can manifest as high resource usage, logon failures, or system instability. The following common problems and solutions help diagnose and mitigate risks.

Common Causes & Solutions

Malware masquerading as LSASS: Run a comprehensive malware scan, verify file location, and check digital signatures.
Excessive logon attempts or domain authentication: Check domain controllers, review authentication policies, and ensure proper network connectivity.
Corrupted system files: Run sfc /scannow and DISM to repair Windows images.
Credential Guard or security feature conflicts: Review security features and temporarily adjust settings if necessary, then re-enable after troubleshooting.
Outdated Windows build: Install pending Windows updates to patch LSASS-related issues.
Unauthorized modifications to LSASS: Restore from known-good backup or perform an in-place upgrade to revert changes.

Quick Fixes:
1. Quick Fixes:
2. 1. Open Task Manager (Ctrl+Shift+Esc) and identify suspect LSASS-related activity
3. Run Windows Defender or your antivirus to perform a full system scan
4. Update Windows and drivers to the latest build
5. Run: sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth
6. If issues persist, perform a repair install (in-place upgrade) of Windows

Frequently Asked Questions

Is lsass.exe a virus?

No, the legitimate lsass.exe from Microsoft is a core Windows component. Verify its location at C:\Windows\System32 and ensure a valid digital signature from Microsoft.

Why is lsass.exe using so much CPU?

High CPU usage can occur during authentication bursts or when domain policies are updated. If usage remains high, check for malware, corrupted files, or misconfigured security settings.

Can I delete lsass.exe?

No. Deleting or renaming LSASS will crash Windows and compromise security. It is a protected system process required for logon and security.

Can I disable lsass.exe?

Disabling LSASS is not supported and will render Windows unusable. If there are issues, troubleshoot with updates and system repairs rather than disabling the process.

What happens if LSASS crashes?

If LSASS crashes, Windows may log you off or lock you out. Run system integrity checks (sfc/dism), review event logs, and ensure system reliability before rebooting.

How can I protect LSASS from malware?

Keep Windows updated, run reputable security software, perform regular scans, and avoid tampering with core system processes. Verify file integrity and digital signatures if anomalies appear.