
lsass.exe Process – What is lsass.exe?

Some of you have requested we post an article on the Lsass.exe process – hope this helps!

What is lsass.exe?

“lsass.exe” is the Local Security Authentication Server. It verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. This is performed by using authentication packages such as the default, Msgina.dll. If authentication is successful, Lsass generates the user’s access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token.

Lsass.exe has been infected in the past

The Sasser worm exploited a vulnerability in LSASS to spread via a remote buffer overflow in computers running Microsoft Windows XP and Windows 2000. The worm is particularly potent in that it can spread without any human interaction, and it does not ‘travel by email’ like many other worms.

Should the lsass.exe process end, for example as a result of the Sasser worm, a countdown timer will appear on the screen, advising the user to save his work and close all programs before Windows shuts down.

When is lsass.exe dangerous?

The legitimate lsass.exe file is located in the folder C:\Windows\System32. A file named lsass.exe in any other location is a virus, spyware, trojan or worm!

What can I do to check Lsass.exe and stop my computer automatically rebooting?

Forcible termination of lsass.exe will result in the Welcome screen losing its accounts and you will be prompted to restart your computer.

lsass.exe shutdown
In most cases, an lsass.exe system error or lsass.exe application error makes the computer unusable, because the user authentication token cannot be obtained from the server. In some cases, the error may be caused by a trojan that camouflages itself as the lsass process. If the system is not infected, the error is caused by missing or corrupt configuration files and Registry entries. You can fix the Registry using the free Auslogics Registry Cleaner.

Malware often pretends to be lsass.exe. For example, the Sasser worm found a vulnerability in LSASS and spread via a remote buffer overflow in Windows XP and Windows 2000 computers. This worm can spread without any human interaction, and it does not ‘travel by email’ like many other worms.

If your computer enters a reboot loop because of an lsass.exe error, you get an lsass.exe error when trying to change your password, or the errors are caused by an infection, do the following:

1. After booting into Windows, quickly click Start and then Run.
2. Type in shutdown -a and press Enter.

This will prevent your computer from restarting continuously.

Now try scanning your PC with an up-to-date anti-virus program in Safe Mode (tap F8 repeatedly during startup). Also make sure that you have all Windows updates installed. If this doesn’t help, you might need to do a Windows repair or a clean Windows install.

Note: The lsass.exe file should be in the C:\Windows\System32 folder. If you find it anywhere else, then lsass.exe is a virus, trojan, worm, or spyware!

Viruses with the same name:

W32.Nimos.Worm – Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) – McAfee
W32.HLLW.Lovgate.C@mm – Symantec Corporation
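The location rule in the note above, together with near-miss names such as the Lsasss.exe entry in this list, can be checked over a process listing. The following is an added example, not code from the original article; the sample inventory is constructed, the function names are hypothetical, and it assumes Windows is installed in C:\Windows as the article does.

```python
import ntpath

LEGIT_NAME = "lsass.exe"
# Assumption: Windows lives in C:\Windows, as the article states.
LEGIT_DIR = r"c:\windows\system32"

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return 'ok', 'wrong-location', 'lookalike-name', 'path-unknown' or 'unrelated'."""
    # Normalise quotes, case, slashes and ".." so equivalent paths compare equal.
    norm = ntpath.normpath(image_path.strip().strip('"')).lower()
    folder, name = ntpath.split(norm)
    if name == LEGIT_NAME:
        if not folder:
            return "path-unknown"  # the listing gave only the image name
        return "ok" if folder == LEGIT_DIR else "wrong-location"
    # One inserted, dropped or swapped character: lsasss.exe, Isass.exe, 1sass.exe ...
    if name.endswith(".exe") and edit_distance(name, LEGIT_NAME) <= 1:
        return "lookalike-name"
    return "unrelated"

# Constructed sample inventory of (pid, image path) pairs.
SAMPLE = [
    (512, r"C:\Windows\System32\lsass.exe"),
    (2044, r"C:\Windows\lsasss.exe"),
    (3120, r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe"),
    (3388, r"C:\WINDOWS\system32\Isass.exe"),
    (640, r"C:\Windows\System32\csrss.exe"),
]

def triage(processes):
    """Return (pid, verdict) for every entry that needs a closer look."""
    verdicts = ((pid, classify(path)) for pid, path in processes)
    return [(pid, v) for pid, v in verdicts if v not in ("ok", "unrelated")]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE):
        print(pid, verdict)
```

A verdict of "ok" only rules out the wrong-folder and misspelled-name cases the article describes; it does not show that the file on disk is the genuine one.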
