What is the Windows lsass.exe file and process?
What is lsass.exe?
In Microsoft Windows, the file lsass.exe in the directory c:\windows\system32 (c:\winnt\system32 on Windows NT and 2000) is the Local Security Authority Subsystem Service. Its file description is "LSA Shell", and it is a crucial component of Windows security: it enforces the local security policy, verifies user logons for both local and domain accounts, and on a domain controller it hosts the Active Directory directory service.
Is this file a spyware, trojan, or virus?
The lsass.exe (that is a lowercase L, not an i) file included with Microsoft Windows is not spyware, a trojan, or a virus. However, like any file on your computer, it can be corrupted or replaced by a virus or trojan. Antivirus programs can detect and clean the file if it has been infected. Because the file is part of Microsoft Windows, users should never delete or remove it themselves, even if they think it is infected; let the antivirus program handle it.
As described in Microsoft Security Bulletin MS04-011, this file has had security vulnerabilities; the Sasser worm spread by exploiting the LSASS hole that bulletin fixed. Make sure your computer is up-to-date with all the latest Microsoft Windows updates; the fix is included in Windows XP Service Pack 2 and every later service pack.
Finally, the files and processes isass.exe or Isassa.exe (an 'i' or a capital 'I' in place of the 'l'), lsassa.exe, and lsasss.exe are not Windows files. If you see any of them on your computer or in the Task Manager process list, your computer is infected, most likely with a variant of the Sasser worm, which uses such names to pass as the genuine process. Task Manager shows only the image name, not the folder it runs from, so also check the path of each process (for example with wmic process get name,executablepath): a file called lsass.exe running from anywhere other than the system32 folder is just as suspect as a misspelled name. See the steps below for additional information about cleaning the computer.
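The check described above, as an added example that is not part of the original page: a short Python script that takes a process listing in the shape of wmic process get name,executablepath output and flags look-alike names (including the capital-I and extra-letter tricks) as well as a correctly named lsass.exe running from the wrong folder. The process list is constructed for the example; on a real machine feed it the actual listing.

```python
import re
from pathlib import PureWindowsPath

# Folders the genuine lsass.exe runs from (\winnt on Windows NT/2000, \windows on XP and later).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# Characters attackers substitute to make a name look like "lsass": I/1/| for l, 0 for o, 5 for s.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})

# Constructed sample in the shape of "wmic process get name,executablepath" output; not real data.
SAMPLE_PROCESSES = [
    ("lsass.exe",   r"C:\WINDOWS\system32\lsass.exe"),
    ("Isass.exe",   r"C:\WINDOWS\Isass.exe"),                      # capital I, not l
    ("lsasss.exe",  r"C:\WINDOWS\system32\lsasss.exe"),            # extra s
    ("lsass.exe",   r"C:\Documents and Settings\User\lsass.exe"),  # right name, wrong folder
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
]


def fold(name):
    """Lower-case an image name and fold confusable characters, so that
    'Isass.exe', 'isass.exe' and '1sass.exe' all become 'lsass.exe'."""
    return name.lower().translate(CONFUSABLES)


def classify(name, path):
    """Classify one (image name, executable path) pair:
    'ok'             exactly lsass.exe, running from a genuine system folder
    'wrong_location' exactly lsass.exe, but running from somewhere else
    'lookalike'      a name built to resemble lsass.exe (isass.exe, lsasss.exe, ...)
    'unrelated'      anything else
    """
    folder = str(PureWindowsPath(path).parent).lower()
    if name.lower() == "lsass.exe":
        return "ok" if folder in LEGIT_DIRS else "wrong_location"
    if re.fullmatch(r"lsass\w*\.exe", fold(name)):
        return "lookalike"
    return "unrelated"


def audit(processes):
    """Return (findings, genuine_count): findings lists every process that is
    a lookalike or a misplaced lsass.exe; genuine_count should be exactly 1 on
    a healthy machine, since Windows runs a single LSASS instance."""
    findings = []
    genuine = 0
    for name, path in processes:
        verdict = classify(name, path)
        if verdict == "ok":
            genuine += 1
        elif verdict != "unrelated":
            findings.append((name, path, verdict))
    return findings, genuine


if __name__ == "__main__":
    findings, genuine = audit(SAMPLE_PROCESSES)
    print(f"genuine lsass.exe instances: {genuine}")
    for name, path, verdict in findings:
        print(f"{verdict:15} {name:12} {path}")
```

A name check alone is not proof either way: on a live machine, complement it by confirming that the file in system32 carries a valid Microsoft Authenticode signature (Get-AuthenticodeSignature in PowerShell) and that the parent of lsass.exe is winlogon.exe on Windows XP or wininit.exe on Windows Vista and later.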
Is it safe to remove lsass.exe from the Task Manager processes?
No. lsass.exe is a critical system process that cannot be ended from the Task Manager without breaking Windows; if it does terminate, Windows forces a restart. When you attempt to End Task on lsass.exe, you receive the "Unable to Terminate Process" window with the error "This is a critical system process. Task Manager cannot end this process." It is normal to receive this error.
Computer restarting because of an lsass.exe error
If your computer continuously reboots because of the lsass.exe file (typically a "System Shutdown" countdown window reporting that the process terminated unexpectedly), you get an lsass.exe error when changing your password, or you have any of the files mentioned above, follow the steps below. The countdown appears because Windows forces a restart whenever lsass.exe crashes; the shutdown -a command aborts that pending restart and buys the time needed to install the fix.
- After booting into Windows click Start and then Run
- In the Run line type: shutdown -a and press Enter. This aborts the pending shutdown; it must be typed before the countdown expires.
After completing the above steps continue with the steps below.
- Open your web browser and visit Microsoft Security Bulletin MS04-011 for the update that corrects this issue, and download the version for your Windows release. If you're unable to open any of Microsoft's pages or Windows Update pages, skip to the next section.
- After the file has downloaded, double-click it to install.
- Make sure your computer has a hardware firewall (such as a NAT router) or a software firewall program installed and running. Sasser spreads over TCP port 445, so a firewall that blocks unsolicited inbound connections keeps the worm from re-infecting the computer while you patch. If you do not have a firewall, or are not sure, and have Windows XP, enable the firewall built into Windows XP.
- Make sure your computer has all the available Windows updates.
- Finally, make sure you have an antivirus program installed on the computer and that it is up-to-date.
Note: If you need to reboot the computer because of updates that have been installed, it's OK to do so. However, until the worm has been removed you may need to run shutdown -a again after each boot to stop the computer from automatically restarting.
Hosts file modified
If you're unable to open any of Microsoft's pages, Windows Update pages, or antivirus vendor pages, it is possible that malware has modified the Windows hosts file, which maps host names to IP addresses and is consulted before DNS. Sasser itself does not do this, but other malware of the same era did, and the two are often found on the same unpatched machine. The related lmhosts file does the same for NetBIOS names; lmhosts.sam in the same folder is only a sample and is never consulted. Follow the steps below to verify that neither file has been modified.
- Locate the file. It is %SystemRoot%\System32\drivers\etc\hosts (usually C:\Windows\System32\drivers\etc\hosts, or C:\WINNT\System32\drivers\etc\hosts on Windows NT and 2000) and has no file extension. If you cannot find it, open the Windows search and search for "hosts" in that folder. lmhosts, if present, sits in the same folder; additional information about it can be found on our lmhosts definition.
- Open the file with Notepad or WordPad (on Windows Vista and later, start Notepad as an administrator first, or you will not be able to save your changes). If Windows prompts you for what program to use to open the file, select Notepad or WordPad.
- Once the file is open, make sure that no line that does not begin with a pound (#) contains microsoft.com, windowsupdate, or any antivirus vendor site such as Norton (Symantec) or McAfee. A clean hosts file normally has only the line 127.0.0.1 localhost active; any other active line that points one of those names at 127.0.0.1, 0.0.0.0, or an address you do not recognize is the malware's doing.
- If the file does list one or more of the above sites, delete those lines (or put a # in front of each) and save the file. If lmhosts contains similar lines, rename it to lmhosts.ch so Windows no longer reads it.
- After saving, click Start, Run, and type: ipconfig /flushdns and press Enter to clear the cached DNS answers. If you changed or renamed lmhosts, also run nbtstat -R to purge and reload the NetBIOS name cache. You should see a brief window appear and disappear. After this has been done, go back and complete the steps in the section above.
- See the nbtstat command page for further information on this command.
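The check described in the steps above, as an added example that is not part of the original page: a small Python script that parses a hosts file, reports every active (non-comment) line naming one of the watched sites, and produces a copy with those lines commented out. The sample file and the list of watched names are constructed for the example; on a real machine read %SystemRoot%\System32\drivers\etc\hosts. The same parser handles lmhosts, whose lines have the same IP-then-name layout.

```python
import ipaddress

# Constructed sample hosts file for the example; not a capture from a real machine.
# Windows ships a hosts file whose only active line is "127.0.0.1 localhost".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
0.0.0.0         windowsupdate.microsoft.com   # redirected to nowhere
10.0.0.5        liveupdate.symantecliveupdate.com
192.168.1.20    intranet.example.local
"""

# Substrings of host names that malware blocks. Assumption: this list is
# illustrative; add your own antivirus vendor's domains.
WATCHED = ("microsoft.com", "windowsupdate", "norton", "symantec", "mcafee")


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for each active line.

    Blank lines and comments are skipped; a trailing "# ..." comment is stripped.
    Lines whose first field is not an IP address are malformed and are yielded
    with ip=None and all fields as names, so the caller can still inspect them.
    """
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            ip = None
        yield number, ip, fields[1:] if ip else fields


def suspicious_entries(text, watched=WATCHED):
    """Return [(line_number, ip, [matching hostnames])] for active lines that
    name a watched site. Any such line is suspect: Windows does not ship them,
    and the only legitimate reason for one is a proxy the administrator set up
    deliberately."""
    findings = []
    for number, ip, names in parse_hosts(text):
        hits = [n for n in names if any(w in n.lower() for w in watched)]
        if hits:
            findings.append((number, ip, hits))
    return findings


def neutralize(text, watched=WATCHED):
    """Return a copy of the file with every suspicious line commented out,
    keeping line numbers intact so the original can still be reviewed."""
    bad = {number for number, _, _ in suspicious_entries(text, watched)}
    lines = text.splitlines()
    for number in bad:
        lines[number - 1] = "# disabled by hosts check: " + lines[number - 1]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for number, ip, hits in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {ip} -> {', '.join(hits)}")
    print(neutralize(SAMPLE_HOSTS))
```

Commenting the lines out rather than deleting them preserves the evidence of what the malware pointed where, which is worth keeping until the machine has been fully cleaned; remember to run ipconfig /flushdns afterwards, because the resolver cache may still hold the bad answers.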