What is lsass.exe and is it safe?

Imagine looking under the hood of a car and seeing thousands of moving parts whizzing and turning. It's hard to know what each part should be doing until one of them does something unexpected. Yet you know for sure when something is not right.

Some Windows processes are like this, and lsass.exe is one of them. When lsass.exe does its job, nobody cares. When lsass.exe has high CPU usage or crashes, we notice it and wonder why it is there.

What is lsass.exe and is it safe?

All tools, in the wrong hands, are weapons. The lsass in lsass.exe stands for Local Security Authority Subsystem Service. The Local Security Authority is the system that authenticates users and logs them in. It also keeps track of security policies and generates system log alerts for security-related events.

You can imagine that when lsass.exe does its job, it is a powerful tool and very safe. You can also imagine that if it doesn’t do its job, it goes bad.

How to remove lsass.exe from Windows 11/10

Do not remove lsass.exe from Windows unless you are sure it is a fake lsass.exe. The genuine process is crucial to Windows 11/10. If you try to end the lsass.exe process in Windows 11/10, you will get the message "Do you want to terminate the system process 'Local Security Authority Process'?"

If you choose to do this, Windows will shut down and any unsaved work will be lost. If lsass.exe fails for any reason, Windows will likely close immediately.

How to check if lsass.exe is genuine or not

If you suspect that lsass.exe is causing problems, first check if it is the genuine lsass.exe.

Carefully check the lsass.exe name

The lowercase L (l), the capital i (I) and the number 1 can be deceiving to the eye. Hackers will substitute one for another. What you think is the real lsass.exe could be Isass.exe or 1sass.exe.

The name of the fake process may also have a slight spelling variation. Maybe there’s an S too many, a space, or some other small, easily overlooked difference.
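The name check described above can be scripted. This is an added example, not part of the original article; the function name `Test-LsassLookalike` and the sample names are constructed for illustration. It folds the confusable characters, stray spaces and doubled letters back to a canonical form and flags any name that only matches lsass after folding.

```powershell
# Added example: flag process/file names that imitate "lsass".
function Test-LsassLookalike {
    param([Parameter(Mandatory)][string]$Name)

    $base = [IO.Path]::GetFileNameWithoutExtension($Name)

    # The genuine name (Windows file names are case-insensitive) is not a lookalike.
    if ($base -eq 'lsass') { return $false }

    # Fold the tricks the article lists:
    #   - remove spaces
    #   - capital I, digit 1 and | all read as a lowercase L
    #   - collapse repeated letters so an extra or missing "s" still matches
    $folded = $base.ToLowerInvariant() -replace '\s', '' `
                                       -replace '[i1|]', 'l' `
                                       -replace '(.)\1+', '$1'

    # "lsass" itself folds to "lsas".
    return ($folded -eq 'lsas')
}

# Constructed sample names, including the ones mentioned in the article.
$samples = 'lsass.exe', 'Isass.exe', '1sass.exe', 'lsasss.exe', 'lsass .exe', 'svchost.exe'
foreach ($s in $samples) {
    [pscustomobject]@{ Name = $s; Lookalike = Test-LsassLookalike $s }
}

# The same test against the processes running on this machine.
Get-Process |
    Where-Object { Test-LsassLookalike $_.ProcessName } |
    Select-Object Id, ProcessName, Path
```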

Check the digital signature and file location of Lsass.exe

  1. Press Ctrl + Shift + Esc to open Task Manager. Select More details.
  1. Scroll down and find Local Security Authority Process. Right-click it and select Properties.
  1. On the General tab, Location should read C:\Windows\System32 or the equivalent for your system. Size should be very close to 58 KB. If it's more than double, you probably have a problem.
  1. On the Digital Signatures tab, the Name of signer should be Microsoft Windows Publisher.
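The location, size and signature checks above can also be run from PowerShell. This is an added example, not part of the original article; `Test-LsassFile` is a hypothetical helper name, and the size limit and signer name are the values the article gives. Run it from an elevated session, because the executable path of lsass.exe may not be readable otherwise.

```powershell
# Added example: automates the manual checks above (location, size, signer).
$expectedPath   = Join-Path $env:SystemRoot 'System32\lsass.exe'
$expectedSigner = 'Microsoft Windows Publisher'  # signer name given in the article
$maxSize        = 2 * 58KB                       # article: about 58 KB, more than double is suspect

function Test-LsassFile {
    param([int]$ProcessId, [string]$Path)

    if (-not $Path) {
        # The path can be empty when the session lacks rights to query the process.
        return [pscustomobject]@{
            ProcessId = $ProcessId; Path = $null
            Verdict   = 'UNKNOWN: path not readable, rerun elevated'
        }
    }

    $problems = @()
    if ($Path -ne $expectedPath) { $problems += "unexpected location" }

    $file = Get-Item -LiteralPath $Path -Force
    if ($file.Length -gt $maxSize) { $problems += "size $($file.Length) bytes exceeds $maxSize" }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $problems += "signature status: $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notlike "*CN=$expectedSigner*") {
        $problems += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    $verdict = 'OK'
    if ($problems.Count -gt 0) { $verdict = 'SUSPECT: ' + ($problems -join '; ') }
    [pscustomobject]@{ ProcessId = $ProcessId; Path = $Path; Verdict = $verdict }
}

# Check every running process that uses the genuine name.
Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" |
    ForEach-Object { Test-LsassFile -ProcessId $_.ProcessId -Path $_.ExecutablePath } |
    Format-List
```

A healthy system normally shows a single lsass.exe entry with the verdict OK; more than one entry is itself worth investigating.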

Scan Lsass.exe with Microsoft Defender

  1. In Task Manager, find Local Security Authority Process again. Right-click it and select Open file location.
  1. File Explorer opens with lsass.exe selected. Right-click it and select Scan with Microsoft Defender.
  1. The result should be: No current threats

If there are still concerns, run the same scan with another trusted antivirus or antimalware application.

If any of the above checks fail, start by removing viruses or malware from your computer.

Can lsass.exe cause high CPU, RAM or other high usage of system resources?

Most critical Windows processes don't use a lot of resources. They have limited jobs and need little to perform them. However, lsass.exe may spike when handling something like a login, but it should drop back to almost nothing within a second or two.

If the CPU usage by lsass.exe on a domain controller (DC) server is quite high, it is probably because it handles the security of a large number of users. It controls the Active Directory database. If you’re familiar with Active Directory (AD), it’s not surprising that lsass.exe uses more resources on a DC than on an average computer.

On a DC, expect lsass.exe to stay well below 10% CPU, except during peak times of people logging in or out. On a PC, expect lsass.exe to stay below 1% most of the time.

If the RAM or network usage by lsass.exe seems high, there is a chance that it is not the real lsass.exe or that it is infected. Take the usual precautions, such as running an offline virus scan with Microsoft Defender.

Anything that affects security can affect how many resources lsass.exe uses. One example is a time difference between a DC and a system connected to it. Accurate time is crucial for things like security certificates. Check the DC and connected systems for time differences. You may want to use a Network Time Protocol (NTP) server to synchronize the time for all devices in the domain.

Corrupted system files can also be the cause of the high resource usage of a legitimate lsass.exe. Try using the SFC and DISM commands to clean and repair system files.

If an offline virus scan and using the SFC and DISM commands don’t fix the problem, the only option may be to wipe and reinstall Windows.

Where can I learn more about Windows processes?

Thank you for showing an interest in how your Windows device works! We have many articles about Windows processes, whether they can be deleted, and why a process may have CPU, memory, network or disk usage that is too high.

We also show how to use SysInternals Process Monitor and Process Explorer to troubleshoot issues. If you don’t see an article for the process you’re curious about, let us know. We are happy to write it for you.
