
What is lsass.exe and why is it eating up my RAM?

The "lsass.exe" process is critical to the proper functioning of Windows and should not be modified in any way. However, malware has been known to infect legitimate files, even nest in them, or disguise itself as genuine in an attempt to trick users into allowing it to execute. This article discusses the function of the "lsass.exe" process and shows you how to check whether it has been infected by a virus.



What is lsass.exe and what does it do?

"lsass.exe" is a secure Windows file that plays a vital role in your computer's daily operations. It is used to enforce security policies and is associated with password changes and login verification processes. "lsass.exe" stores credentials in memory to enable a single logon, where the user does not have to re-enter credentials for services within the domain.

This service is also active on domain controllers (servers responsible for managing networks). On server computers, lsass.exe is responsible for storing thousands of passwords and IDs and monitoring access to resources. As a result, you'll notice that the process uses more CPU, RAM and I/O resources on a domain controller.


However, you shouldn't notice such a significant impact on a computer that isn't a domain controller. Therefore, if the process is still using a lot of RAM on your computer, something is wrong. The most common scenario is that the supposed lsass.exe process isn't what it first appears to be, in which case the likelihood of you having a virus is relatively high.


Malware often renames the file to something similar to "lsass.exe" to trick you into believing it isn't a virus. Fortunately, there are ways to distinguish a genuine Windows process from a duplicate.

1. Spelling check

The malicious “lsass.exe” process may use a capital “i” (I), while the original process uses a lowercase “l.” The names may appear similar, depending on how they are displayed on your computer, making it easy to confuse one with the other.

You can check if the file name is incorrect by using a case converter tool, such as the one provided by Microsoft Word.

  1. Copy the file name, then paste it into a word processor.
  2. Click the Change Case button in the menu at the top and select UPPERCASE.


There are other imitations of the original “lsass.exe” process name that you should also watch for:

  • lsass.exe
  • lsassa.exe
  • lsasss.exe
  • isassa.exe

2. Show its location

The real “lsass.exe” file is located in only one location: “C:\Windows\System32\”. If you find it somewhere else, it is definitely malicious and should be deleted immediately.


You can find out where a process is running if you find it in Task Manager:

  1. Open Task Manager by pressing Ctrl + Alt + Del and clicking the appropriate button.
  2. Under Processes, scroll down until you find the lsass process (Local Security Authority Process), right-click it and select Open file location. The folder “C:\Windows\System32\” should open.
  3. If you can't see it, go to the "Details" tab and search for “lsass.exe” there. Click "Open file location".
  4. Repeat the instructions for each "lsass.exe" file in Task Manager. There should only be one process listed, but if you see more, all but one are fake.

3. Check the file size.

Because viruses and other malware are frequently distributed in program-sized files, you can determine whether “lsass.exe” is the real service by looking at how much space the file takes up.

  1. From Task Manager, open the location of the “lsass.exe” file as shown in the previous section.
  2. To check the file size, right-click the file and select "Properties".
  3. The Windows 11 version of the file is 82 KB, while the Windows 10 version should be 57 KB. For those still using Windows 8, the file size is only 46 KB. If the file you're seeing is much larger, like a few gigabytes or more, it's definitely not a genuine Microsoft file.
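
The three checks above (spelling, location, size) and the one-process rule can be run together from PowerShell (Admin). This is an added example, not part of the original article; the look-alike pattern covers only the name variants listed above, and the report column names (NameOK, PathOK, SizeKB) are chosen here for illustration.

```powershell
# Added example. Run from PowerShell (Admin): without elevation,
# ExecutablePath is usually empty for system processes such as lsass.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Assumed pattern: the real name plus the look-alikes listed in the article
# (capital I or digit 1 for the leading l, extra s, trailing a).
# -match is case-insensitive, so "Isass.exe" and "isassa.exe" both hit.
$lookalike = '^[li1]sas+a?\.exe$'

$report = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    if ($p.Name -notmatch $lookalike) { continue }

    $path = $p.ExecutablePath

    # Check 2: only the System32 copy is legitimate. An empty path means
    # the query lacked rights, not that the process is malicious.
    $pathOK = if ($path) { $path -eq $expected } else { 'unknown' }

    # Check 3: size on disk, to compare with the figures in step 3 above.
    $sizeKB = if ($path -and (Test-Path -LiteralPath $path)) {
        [math]::Round((Get-Item -LiteralPath $path).Length / 1KB)
    }

    [pscustomobject]@{
        Name      = $p.Name
        ProcessId = $p.ProcessId
        Path      = $path
        SizeKB    = $sizeKB
        # Check 1: exact spelling. "Isass.exe" fails because I is not l.
        NameOK    = $p.Name -eq 'lsass.exe'
        PathOK    = $pathOK
    }
}

$report | Format-Table -AutoSize

# The article's rule: exactly one genuine lsass.exe should be running.
$genuine = @($report | Where-Object { $_.NameOK -and $_.PathOK -eq $true })
if ($genuine.Count -ne 1 -or @($report).Count -gt 1) {
    Write-Warning 'Unexpected lsass-like processes; review the rows above (PathOK "unknown" means re-run elevated).'
}
```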

Frequently Asked Questions

Q1: How can I fix lsass.exe high RAM usage issues?

The answer: If the original file “lsass.exe” seems to be consuming a lot of RAM resources, you should try the following:

  • Run an antivirus scan
  • Use the DISM and SFC commands in PowerShell (Admin)
  • Windows Update
  • Perform a system restore
  • Delete the virus file “Isass.exe”

Don't like the idea of installing third-party antivirus software on your computer? With Defender built into Windows, you don't have to.

Q2: How do I remove lsass.exe virus?

The answer: First, go to Task Manager. In the Processes tab, select the potentially malicious lsass.exe file and click Open file location. If the process isn't visible, go to the Details tab.

Next, go back to Task Manager, right-click on the “lsass.exe” process, select “End Task”, then go back to the location of the “lsass.exe” file and delete it.

Q3: Why is disabling the real lsass.exe process not a good idea?

The answer: Starting lsass.exe notifies other services that the Security Accounts Manager (SAM) is ready to receive requests. Disabling this process means that system services will not receive notifications when SAM is ready, which may prevent them from starting correctly.

 
