What is LSASS?
When I run Task Manager, I see a process named lsass.exe that is active. I'm worried that this might be a virus... should I get rid of it?
Is LSASS.EXE a Virus or Spyware?
I can give you an authoritative "Probably Not" answer to that question.
That's because lsass.exe is an essential part of the Windows operating system. LSASS, the Local Security Authority Subsystem Service, is responsible for helping Windows manage security and logins. You should be able to find the lsass.exe file in the C:\windows\system32 or C:\winnt\system32 folder, depending on your version of Windows. You should NOT delete this file, and in fact, Task Manager will not allow you to terminate the lsass task.
However, system crashes involving LSASS.EXE may indicate a virus or spyware infection. In April 2004, the Sasser worm exploited an LSASS vulnerability in Microsoft Windows XP and Windows 2000. Microsoft had already released a patch for this vulnerability, but many people failed to apply the Windows Updates patch in a timely manner and got hit with Sasser. Faulty code used in the Sasser worm caused seemingly random crashes of LSASS, but even on Sasser-affected systems, the LSASS.EXE file itself was not modified or infected. Word spread about Sasser and the LSASS vulnerability, and hysteria gripped many who were not affected, but noticed lsass.exe running on their system.
I have heard reports of a virus, trojan horse or spyware bearing the lsass.exe filename, so it IS possible to have a rogue LSASS on your system. The best way to be sure your system is clean is to run up-to-date anti-virus and anti-spyware software. If you don't have good anti-virus and anti-spyware software that does regular scans and auto-updates itself, you are vulnerable to much more than Sasser. See my article Should I Buy Anti-Spyware or Anti-Virus Software? for my recommendation on protecting yourself from these threats.
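The location check described above, as an added example (not code from the original article): it takes rows from a process listing and flags any lsass.exe whose image path is outside the two System32 folders the article names. The function names and the sample rows are constructed for illustration, and the check assumes Windows is installed on drive C:.

```python
import ntpath  # Windows path rules, usable on any OS

# Folders the article names as the legitimate home of lsass.exe.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
TARGET = "lsass.exe"

def classify(name, path, trusted=TRUSTED_DIRS):
    """Return a verdict for one listing row (image name, full image path)."""
    if name.lower() != TARGET:
        return "ignore"
    if not path:
        # A listing can lack the path, for example when it was taken
        # without administrator rights. That is not evidence either way.
        return "unknown-path"
    # normpath collapses "..", so a path that only looks like it is
    # under System32 is resolved before the folder comparison.
    norm = ntpath.normcase(ntpath.normpath(path))
    folder = ntpath.dirname(norm)
    return "expected" if folder in trusted else "suspicious-location"

def review(rows):
    """Classify all rows; also note when more than one lsass.exe is listed."""
    findings = []
    for name, pid, path in rows:
        verdict = classify(name, path)
        if verdict != "ignore":
            findings.append({"pid": pid, "path": path, "verdict": verdict})
    return {
        "findings": findings,
        # Windows normally runs a single lsass.exe instance.
        "multiple_instances": len(findings) > 1,
        "flagged_pids": [f["pid"] for f in findings
                         if f["verdict"] == "suspicious-location"],
    }

# Constructed sample rows: (image name, PID, image path).
SAMPLE_ROWS = [
    ("lsass.exe", 612, r"C:\WINDOWS\system32\lsass.exe"),
    ("LSASS.EXE", 3140, r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe"),
    ("lsass.exe", 2208, r"C:\WINDOWS\system32\..\Temp\lsass.exe"),
    ("lsass.exe", 1500, ""),
    ("explorer.exe", 1832, r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    report = review(SAMPLE_ROWS)
    for f in report["findings"]:
        print(f["pid"], f["verdict"], f["path"])
    print("multiple instances:", report["multiple_instances"])
```

A "suspicious-location" verdict is a reason to run the anti-virus and anti-spyware scan the article recommends, not proof of infection on its own.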
Got comments about LSASS.EXE or something in this article? Post them below.
This article was posted by Bob Rankin on 3 Mar 2006
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- What is LSASS? (Posted: 3 Mar 2006)
Most recent comments on "What is LSASS?"
08 Mar 2006
Would it be correct that if you did a search for all files and folders for lsass and found it anywhere except C:\windows\system32 or C:\winnt\system32 folders that would be a reason for concern?
EDITOR'S NOTE: I think it normally shows up in I386 (with .EX_ extension) and maybe the DLL cache folder, too. Where did you find it?
12 Oct 2006
Very Useful information.
Thanks, Durga Charan Ojha
12 Jul 2007
Recently, MSN messenger has been starting up automatically with my computer, tries to connect to the internet and won't close (claiming another program is using it, so I must close that program first) unless I go to the Close Program window and close "Lsass" (which has never in fact shown up in the close program window before). Is this supposed to happen?
EDITOR'S NOTE: I would run a good virus and spyware scan...
08 Sep 2007
I too had lsass.exe running on my system for several hours at bootup, taking over 30% of my cpu. It turned out that I somehow got over 1,200,000 files in
documents and settings\user name\application data\microsoft\protect
put there by a rogue program. These files were being inspected one by one by lsass.exe and the process was taking over my machine.
They all were created in January 2006 and didn't seem to be serving a useful purpose so I took a chance and deleted them. Once I cleaned them out using CCleaner (taking over 3 hours) everything went A LOT faster. Since then I have gone through my c: drive and deleted over 75,000 other useless files, mostly MSMessenger ignore lists. My virus scan went from 3 hours down to 20 minutes.
13 Sep 2007
I think I have the same problem.. While using messenger 7.5, lsass.exe is stable and working fine... when my messenger didn't allow me to be online before upgrading the messenger (this started happening today), I did upgrade it to microsoft live messenger.. After the install, when I tried to connect, it couldn't.. The pc was slower so I looked at the Task Manager and there was lsass.exe, using 67% of my CPU power..
Whenever I try to connect, the same thing happens.. How can I solve this problem? Thanks..
EDITOR'S NOTE: How about removing the Messenger software that seems to be causing the problem? Uninstall it or use System Restore.
23 Sep 2007
If I enable the Messenger option to store my address book on the local machine then lsass.exe takes 100% CPU for several minutes while Windows Live Messenger is connecting. Disabling this option cured the problem. I didn't notice it with any earlier Messenger.
15 Nov 2007
I am increasingly disgusted by Microsoft's refusal to make software that isn't prepackaged with security vulnerabilities. Why does Microsoft get away with selling defective products? It's as if they do this purposefully for malevolent hackers and 3rd party software vendors to make money. My question is this, why are logon credentials among other things intentionally accessible to anyone on the internet? After a fresh install and offline update lsass and msdtc port 135 light up my firewall egress filter and it's not doing so on 127.0.0.1. After detecting internet connectivity all this sensitive info is thrown out on the net without user consent.
EDITOR'S NOTE: It's quite a leap of logic to say that just because a DLL is connecting to the Internet that logon credentials and other sensitive info is being broadcast on the internet. What makes you believe that?
30 Jul 2009
if u have a rfi/emi problem, lsass goes to high cpu usages. wish i knew that info b4.