What is the Windows lsass.exe file and process?

What is lsass.exe?

lsass.exe is a Microsoft Windows file stored in the c:\windows\system32 or c:\winnt\system32 directory. The name is short for Local Security Authority Subsystem Service, and the file description is LSA shell. This file is responsible for how Microsoft Windows handles security and security-related policies, authority domain authentication, and Active Directory management on your computer.

Is this file a spyware, trojan, or virus?

The lsass.exe (l not an i) file included with Microsoft Windows is not spyware, a trojan, or a virus. However, like any file on your computer, it can become corrupted by a virus or trojan. Antivirus programs can detect and clean this file if it has become infected. Because this file is part of Microsoft Windows, users should never delete or remove it if they think it is infected; let the antivirus program handle it.

This file has had security vulnerabilities in the past, as mentioned at: Microsoft Security Bulletin (MS04-11). Make sure your computer is up-to-date with all the latest Microsoft Windows updates.

Finally, the files and processes isass.exe or Isassa.exe (that is a capital 'i' and not an 'l'), lsassa.exe and lsasss.exe are infected files. If you see any of these files on your computer or listed in the Task Manager processes, your computer is infected with the Sasser worm. See the steps below for additional information about cleaning the computer from this file.
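The name and location checks described above can be run over a process listing. The following Python code is an added example, not part of the original page: it classifies (name, path) pairs using the infected names and system32 directories given here. The sample rows, the one-edit rule for other near-miss names, and flagging an lsass.exe found outside those directories are assumptions of the example.

```python
# Added example: triage a process listing for lsass.exe look-alikes.
# The (name, path) rows in SAMPLE are constructed, not real telemetry.
import ntpath

LEGIT_NAME = "lsass.exe"
# Directories the page gives for the genuine file.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
# Names the page lists as infected (compared case-insensitively).
KNOWN_BAD = {"isass.exe", "isassa.exe", "lsassa.exe", "lsasss.exe"}


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, path):
    """Return 'ok', 'known-bad', 'wrong-path', 'look-alike' or 'unrelated'."""
    lowered = name.lower()
    if lowered in KNOWN_BAD:
        return "known-bad"
    if lowered == LEGIT_NAME:
        folder = ntpath.dirname(path).lower().rstrip("\\")
        return "ok" if folder in LEGIT_DIRS else "wrong-path"
    # Assumption beyond the page: any other name one edit away is suspect.
    if edit_distance(lowered, LEGIT_NAME) <= 1:
        return "look-alike"
    return "unrelated"


SAMPLE = [  # constructed rows
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("Isass.exe", r"C:\WINDOWS\Isass.exe"),
    ("lsasss.exe", r"C:\WINDOWS\system32\lsasss.exe"),
    ("lsass.exe", r"C:\Documents and Settings\user\lsass.exe"),
    ("1sass.exe", r"C:\WINDOWS\system32\1sass.exe"),
    ("csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
]


if __name__ == "__main__":
    for name, path in SAMPLE:
        print(f"{classify(name, path):<11} {path}")
```

The threshold is kept at one edit because other genuine Windows processes such as csrss.exe are two edits away from lsass.exe and would otherwise be flagged.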

Is it safe to remove lsass.exe from the Task Manager processes?

No. lsass.exe is a critical system process that cannot be removed from the Task Manager without causing issues with Windows. When attempting to End Process on lsass.exe, you will receive the Unable to Terminate Process window with the error "This is a critical system process. Task Manager cannot end this process." It is normal to receive this error.

Computer restarting because of lsass.exe error.

If your computer is continuously rebooting because of an error in the lsass.exe file, you encounter an lsass.exe error when attempting to change your password, or you have any of the infected files mentioned above, follow the steps below.

  1. After booting into Windows, click Start and then Run.
  2. In the Run line, type: shutdown -a and press Enter.

This aborts the pending restart. After completing the above steps, continue with the steps below.

  1. Open your web browser and visit the Microsoft Security Bulletin (MS04-11) for a list of updates to help correct this issue. If you're unable to open any of Microsoft's pages or Windows update pages skip to the next section.
  2. After the file has been downloaded, double-click the file to install it.
  3. Make sure your computer has a hardware firewall (such as a NAT router) or software firewall program installed and running. If you do not have a firewall, or are not sure, and have Windows XP, you can always enable the firewall installed with Windows XP.
  4. Make sure your computer has all the available Windows updates.
  5. Finally, make sure you have an antivirus program installed on the computer and that it is up-to-date.

Note: If at any time you need to reboot the computer because of updates that have been installed, it's OK to reboot, but you may need to run shutdown -a again to prevent the computer from automatically restarting again.

Hosts file modified

If you're unable to open any of Microsoft's pages, Windows update pages, or antivirus protection pages, it's possible that the Sasser worm has modified your lmhosts hosts file. Follow the steps below to edit the file and verify that it has not been modified.

  1. Locate and open the file. Because this file can be in different locations, it's usually easiest to open the Windows search and search for the "lmhosts.sam" file. Additional information about locating this file can also be found on our lmhosts definition page.
  2. Once found, edit the file by double-clicking it. If Windows prompts you for what program to use to open the file, select Notepad or WordPad.
  3. Once the file is open, make sure no lines are listed that do not begin with a pound (#) and contain microsoft.com, windowsupdate, or any antivirus protection sites such as Norton or McAfee.
  4. If the file does list one or more of the above sites it's likely corrupted. Close the lmhosts.sam file and get back to the Search results window. Once in the window right-click on the lmhosts.sam file and click rename and rename the file to lmhosts.ch
  5. After the file has been renamed, close the find window, click Start, Run, and type: nbtstat -R and press Enter. You should see a brief window appear and disappear. After this has been done, complete the above steps.

Additional information