What is LSASS?

Category: Security

When I run Task Manager, I see a process named lsass.exe that is active. I'm worried that this might be a virus... should I get rid of it?


Is LSASS.EXE a Virus or Spyware?


I can give you an authoritative "Probably Not" answer to that question.

That's because lsass.exe is an essential part of the Windows operating system. LSASS, the Local Security Authority Subsystem Service, is responsible for helping Windows manage security and logins. You should be able to find the lsass.exe file in the C:\windows\system32 or C:\winnt\system32 folder, depending on your version of Windows. You should NOT delete this file, and in fact, Task Manager will not allow you to terminate the lsass task.

However, system crashes involving LSASS.EXE may indicate a virus or spyware infection. In April 2004, the Sasser worm exploited an LSASS vulnerability in Microsoft Windows XP and Windows 2000. Microsoft had already released a patch for this vulnerability, but many people failed to apply the Windows Updates patch in a timely manner and got hit with Sasser. Faulty code used in the Sasser worm caused seemingly random crashes of LSASS, but even on Sasser-affected systems, the LSASS.EXE file itself was not modified or infected. Word spread about Sasser and the LSASS vulnerability, and hysteria gripped many who were not affected, but noticed lsass.exe running on their system.


I have heard reports of a virus, trojan horse or spyware bearing the lsass.exe filename, so it IS possible to have a rogue LSASS on your system. The best way to be sure your system is clean is to run up-to-date anti-virus and anti-spyware software. If you don't have good anti-virus and anti-spyware software that does regular scans and auto-updates itself, you are vulnerable to much more than Sasser. See my article Should I Buy Anti-Spyware or Anti-Virus Software? for my recommendation on protecting yourself from these threats.
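One way to check whether a process using the lsass.exe name is running from somewhere other than the Windows system folder, written in PowerShell as an added example (not part of the original article). The variable names and verdict strings are illustrative.

```powershell
# Added example: flag any running process named lsass.exe whose image is not
# the copy in the Windows system folder, or whose signature does not verify.
# Run from an elevated prompt; without elevation the image path of a
# protected process may come back empty.

$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

$results = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'lsass.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        # Location is checked first: the genuine file only runs from System32.
        $verdict = if (-not $path) {
            'UNKNOWN (path not readable, rerun elevated)'
        } elseif ($path -ine $expected) {
            'SUSPICIOUS (unexpected location)'
        } elseif ($sig.Status -ne 'Valid') {
            # Older Windows/PowerShell versions may not resolve catalog
            # signatures and can report system files as NotSigned.
            'REVIEW (signature not reported as valid)'
        } else {
            'OK'
        }

        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $path
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            Verdict   = $verdict
        }
    }

$results | Format-List

# A normal system runs exactly one lsass.exe process.
if (@($results).Count -ne 1) {
    Write-Warning "Expected one lsass.exe process, found $(@($results).Count)."
}
```

A result other than OK is a reason to follow up with a full anti-virus scan, not proof of infection on its own.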

Got comments about LSASS.EXE or something in this article? Post them below.

 

This article was posted by on 3 Mar 2006



Most recent comments on "What is LSASS?"

Posted by:

Terry Noble
08 Mar 2006

Would it be correct that if you did a search for all files and folders for lsass and found it anywhere except C:\windows\system32 or C:\winnt\system32 folders that would be a reason for concern?

EDITOR'S NOTE: I think it normally shows up in I386 (with .EX_ extension) and maybe the DLL cache folder, too. Where did you find it?


Posted by:

Durga
12 Oct 2006

Very Useful information.

Thanks, Durga Charan Ojha


Posted by:

Kat
12 Jul 2007

Recently, MSN messenger has been starting up automatically with my computer, tries to connect to the internet and won't close (claiming another program is using it, so I must close that program first) unless I go to the Close Program window and close "Lsass" (which has never in fact shown up in the close program window before). Is this supposed to happen?

EDITOR'S NOTE: I would run a good virus and spyware scan...


Posted by:

Jan
08 Sep 2007

I too had lsass.exe running on my system for several hours at bootup, taking over 30% of my cpu. It turned out that I somehow got over 1,200,000 files in

documents and settings\user name\application data\microsoft\protect

put there by a rogue program. These files were being inspected one by one by lsass.exe and the process was taking over my machine.

They all were created in January 2006 and didn't seem to be serving a useful purpose so I took a chance and deleted them. Once I cleaned them out using CCleaner (taking over 3 hours) everything went A LOT faster. Since then I have gone through my c: drive and deleted over 75,000 other useless files, mostly MSMessenger ignore lists. My virus scan went from 3 hours down to 20 minutes.


Posted by:

scarf
13 Sep 2007

I think I have the same problem.. While using messenger 7.5, lsass.exe is stable and working fine... when my messenger didn't allow me to be online before upgrading the messenger (this started happening today), I did upgrade it to microsoft live messenger.. After the install, when I tried to connect, it couldn't.. The pc was slower so I looked to the task manager and there was lsass.exe, using my %67 CPU power..

Whenever I try to connect, the same thing happens.. How can I solve this problem? Thanks..

EDITOR'S NOTE: How about removing the Messenger software that seems to be causing the problem? Uninstall it or use System Restore.


Posted by:

Denis Howe
23 Sep 2007

If I enable the Messenger option to store my address book on the local machine then lsass.exe takes 100% CPU for several minutes while Windows Live Messenger is connecting. Disabling this option cured the problem. I didn't notice it with any earlier Messenger.


Posted by:

M$HATRED
15 Nov 2007

I am increasingly disgusted by Microsoft's refusal to make software that isn't prepackaged with security vulnerabilities. Why does Microsoft get away with selling defective products? It's as if they do this purposefully for malevolent hackers and 3rd party software vendors to make money. My question is this, why are logon credentials among other things intentionally accessible to anyone on the internet? After a fresh install and offline update lsass and msdtc port 135 light up my firewall egress filter and it's not doing so on 127.0.0.1. After detecting internet connectivity all this sensitive info is thrown out on the net without user consent.

EDITOR'S NOTE: It's quite a leap of logic to say that just because a DLL is connecting to the Internet that logon credentials and other sensitive info are being broadcast on the internet. What makes you believe that?


Posted by:

jack
30 Jul 2009

if u have a rfi/emi problem, lsass goes to high cpu usages. wish i knew that info b4.



Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- What is LSASS? (Posted: 3 Mar 2006)
Source: https://askbobrankin.com/what_is_lsass.html