What Is lsass.exe and What Does It Do?
“lsass.exe” is a safe file in Windows that plays a vital part in your PC’s day-to-day operations. It’s used to enforce security policies and has to do with password changes and login verifications. “lsass.exe” stores credentials in memory to enable a single sign-in, where the user does not have to reenter credentials for services inside the domain. This service is also active on domain controller computers (servers responsible for managing networks). On server computers, lsass.exe is responsible for storing thousand of passwords and IDs and monitoring resource access. As a result, you will notice that the process uses more CPU, RAM, and IO resources on a domain controller computer. Even so, you shouldn’t observe quite as significant an impact on a computer that isn’t a domain controller. Therefore, something is wrong if the process still uses too much RAM on your computer. The most frequent scenario would be that the supposedly lsass.exe process is not what it first seems to be, in which case the likelihood that you have gotten a virus is relatively high. Malware frequently renames the file to something similar to trick you into believing “lsass.exe” is not a virus. Fortunately, there are ways to tell a genuine Windows process from a duplicate. If you’re worried about viruses taking over your PC, check out this list of more genuine Windows processes that can look like malware.
1. Check the Spelling
A malicious “lsass.exe” process might use an uppercase “i” (I), whereas the genuine process uses a lowercase “L” (l). Names may appear similar, depending on how your computer displays them, making it easy to confuse one for the other. You can check whether the filename is incorrect by using a case converter tool, such as the one offered by Microsoft Word. There are other variations of the genuine “lsass.exe” process, and you should keep an eye out for them as well:
lsass .exe lsassa.exe lsasss.exe Isassa.exe
2. View Its Location
The true “lsass.exe” file is only found in one place: “C:\Windows\System32\”. If you locate it elsewhere, it is most certainly malicious and should be deleted immediately. You can find out where the process is running if you spot it in the Task Manager:
3. Check the File Size
As viruses and other malicious software frequently use program-sized files to distribute malware, you can determine whether “lsass.exe” is the real service by looking at how much space the file takes up. Image credit: Unsplash. All screenshots by Farhad Pashaei.
Perform an antivirus scan Use DISM and SFC commands in PowerShell (Admin) Update Windows Perform a System Restore Delete the “Isass.exe” virus file
Don’t like the idea of installing a third-party antivirus program on your PC? With Windows’s built-in Defender, you don’t have to. Next, go back to the “Task Manager,” right-click on the “lsass.exe” process, and select “End Task,” then go back to the “lsass.exe” file location and delete it.