Some of you have requested we post an article on the Lsass.exe process – hope this helps!
What is lsass.exe?
“lsass.exe” is the Local Security Authentication Server. It verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. This is performed by using authentication packages such as the default, Msgina.dll. If authentication is successful, Lsass generates the user’s access token, which is used to launch the initial shell. Other processes that the user initiates then inherit this token.
Lsass.exe has been infected in the past
The Sasser worm exploited a vulnerability in LSASS to spread via a remote buffer overflow in computers running Microsoft Windows XP and Windows 2000. The worm is particularly potent in that it can spread without any interaction with humans, nor does it ‘travel by email’ like many other worms.
Should the lsass.exe program end, for example, by the Sasser worm’s effects, then a countdown timer will appear on the screen, advising the user to save his work and close all programs before Windows shuts down. Read more…