What Is lsass.exe in Windows and How To Tell If It Is Safe

If you have opened Task Manager and spotted lsass.exe running, you might wonder what it is and whether it is safe. The Local Security Authority Subsystem Service (lsass.exe) is a vital part of Windows that manages authentication and enforces security policies for your computer.

However, cybercriminals sometimes disguise malware using the same name, so it is important to know how to confirm that it is legitimate and how to spot a fake version.

What Is lsass.exe in Windows And Is it Safe?

What Is lsass.exe?

The lsass.exe process is a core Windows security service that starts automatically during system boot. It works closely with other Windows components to protect user credentials and control access to system resources.

Key responsibilities include:

• Authenticating user logins to Windows or a domain
• Managing password changes and logoff procedures
• Enforcing system wide security rules
• Creating security tokens for applications and users

For a deeper look at how the Local Security Authority interacts with network and internet permissions, read this guide: Local Security Authority process trying to access the Internet.

Where lsass.exe Is Located

The legitimate lsass.exe file is always located in:

C:\Windows\System32\lsass.exe

If you find a file named lsass.exe in any other location, for example C:\Users, C:\Temp, or C:\Windows\SysWOW64, it may be a malicious copy attempting to imitate the real process.

If you are exploring system level security configurations, you can learn how to open and use the Local Security Policy tool here: How to open Local Security Policy in Windows.

How to Check If lsass.exe Is Authentic

Follow these steps to verify that your lsass.exe file is the genuine Windows version.

1. Check the File Location

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Go to the Details tab.
   
3. Locate lsass.exe, right click it, and select Open file location.
   
4. Confirm that the path is C:\Windows\System32

2. Verify the Digital Signature

1. In File Explorer, right click the lsass.exe file and choose Properties.
   
2. Select the Digital Signatures tab.
   
3. Ensure the signer is Microsoft Windows or Microsoft Corporation.
4. If the signature is missing or unverified, treat the file as suspicious.

3. Review the Process Description

1. In Task Manager, right click lsass.exe and choose Properties.
2. Go to the Details tab.
3. Check the description field. It should read Local Security Authority Process.
4. Any unfamiliar or altered name may indicate malware.

When lsass.exe Might Be Dangerous

You should be cautious if you notice any of the following warning signs:

• lsass.exe is running from a folder other than C:\Windows\System32
• The process has no valid Microsoft digital signature
• The name or description looks unusual or slightly altered
• Your antivirus software flags lsass.exe as suspicious

If you want to understand how lsass.exe may impact system performance or CPU load, refer to: Local Security Authority Process high CPU usage in Windows 11.

FAQs

Conclusion

The lsass.exe process is a fundamental Windows component that handles user authentication and enforces security policies. As long as it resides in C:\Windows\System32 and is digitally signed by Microsoft, it is legitimate and safe.

Any version found in another folder, lacking a proper signature, or carrying an unusual description should be treated as a potential threat. By checking its location, verifying its digital signature, and watching for unusual behavior, you can quickly determine whether the lsass.exe running on your system is authentic and keep your PC secure.