English | Deutsch


Is lsass.exe safe?

Lsass.exe is a executable file (a program) within Windows. The filename extension .exe denotes an executable file. You should only run executable files from publishers you trust, because executable files can potentially change your computer settings or harm your computer. The free file information forum can help you determine if lsass.exe is a virus, trojan, spyware, or adware that you can remove, or a file belonging to a Windows system or to an application you can trust.


Lsass.exe file information

The process known as LSA Shell (Export Version) or Local Security Authority Process or LSA Shell or Generic Hosts for WinService or Userinit Logon Application or Stub Application or AVP - spyware removal module or (xpclient.010817-11489)

belongs to software Microsoft Windows Operating System or IPSEC Services, Protected Storage, Security Accounts Manager or symantex or CNG Key Isolation, Security Accounts Manager or symdfsdf or update or worm2007 or NT LM Security Support Provider, IPSEC Services, Protected Storage, Security Accounts Manager

by Microsoft (www.microsoft.com) or MskSoftStudy or Microsoft Windows Operation System or noOrg (www.noorg.org) or AceSoft Corp all rights reserved or IT University or s708051Jm103533QSt619382493o or Jznof.

Description: The original lsass.exe from Microsoft is an important part of Windows, but often causes problems. lsass.exe is located in the folder C:\Windows\System32. Known file sizes on Windows 7/XP are 13,312 bytes (88% of all occurrences), 11,776 bytes and 13 more variants. http://www.file.net/process/lsass.exe.html 
The program is not visible. Lsass.exe is a trustworthy file from Microsoft. The application uses ports to connect to a LAN or the Internet. Therefore the technical security rating is 10% dangerous, however also read the users reviews.

Recommended: Identify lsass.exe related errors

Viruses with the same file name

Is lsass.exe a virus? No, it is not. The true lsass.exe file is a safe Microsoft Windows system process, called "LSA Shell". However, writers of malware programs, such as viruses, worms, and trojans deliberately give their processes the same file name to escape detection. Viruses with the same file name are e.g. Trojan.Win32.VB.bdo or Trojan.Win32.Refroso.cez (detected by Kaspersky), and Backdoor:Win32/VB.AT or VirTool:Win32/Injector.gen!AD (detected by Microsoft).
To ensure that no rogue lsass.exe is running on your PC, click here to run a Free Malware Scan.

How to recognize suspicious variants? If lsass.exe is located in a subfolder of C:\Windows, the security rating is 80% dangerous. The file size is 253,952 bytes (11% of all occurrences), 225,280 bytes and 135 more variants. The file is not a Windows core file. The program is not visible. Lsass.exe is an unknown file in the Windows folder. The program starts upon Windows startup (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command, C:\Windows\win.ini, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices). The software has no file description. The program listens for or sends data on open ports to a LAN or the Internet. Lsass.exe is able to monitor applications, record inputs, hide itself and manipulate other programs.

If lsass.exe is located in a subfolder of "C:\Documents and Settings", the security rating is 62% dangerous. The file size is 229,621 bytes (4% of all occurrences), 29,696 bytes and 124 more variants. The file is not a Windows system file. The program has no visible window. The file is a file without information about the developer of this file. The process starts when Windows starts (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command, C:\Windows\win.ini, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices). Lsass.exe is able to monitor applications and manipulate other programs.

If lsass.exe is located in the folder C:\Windows, the security rating is 79% dangerous. The file size is 107,520 bytes (6% of all occurrences), 34,992 bytes and 94 more variants.

If lsass.exe is located in a subfolder of "C:\Program Files", the security rating is 57% dangerous. The file size is 94,208 bytes (6% of all occurrences), 110,592 bytes and 42 more variants.

If lsass.exe is located in a subfolder of C:\Windows\System32\drivers, the security rating is 44% dangerous. The file size is 29,696 bytes (59% of all occurrences), 24,724 bytes, 17,408 bytes or 138,752 bytes.

If lsass.exe is located in a subfolder of C:\Windows\System32, the security rating is 83% dangerous. The file size is 939,520 bytes (12% of all occurrences), 102,400 bytes and 32 more variants.

If lsass.exe is located in a subfolder of C:\, the security rating is 60% dangerous. The file size is 551,669 bytes (22% of all occurrences), 44,544 bytes and 19 more variants.

If lsass.exe is located in C:\, the security rating is 62% dangerous. The file size is 20,480 bytes (16% of all occurrences), 23,040 bytes and 20 more variants.

If lsass.exe is located in a subfolder of "C:\Program Files\Common Files", the security rating is 36% dangerous. The file size is 34,304 bytes (22% of all occurrences), 39,109 bytes and 6 more variants.

If lsass.exe is located in the folder C:\Windows\System32\drivers, the security rating is 76% dangerous. The file size is 32,768 bytes (40% of all occurrences), 238,173 bytes, 731,136 bytes or 15,360 bytes.

If lsass.exe is located in the Windows Temp folder, the security rating is 65% dangerous. The file size is 13,312 bytes (33% of all occurrences), 13,362 bytes or 217,088 bytes.

If lsass.exe is located in the folder "C:\Program Files\Common Files", the security rating is 40% dangerous. The file size is 32,256 bytes.

If lsass.exe is located in the "My Files" folder, the security rating is 64% dangerous. The file size is 187,392 bytes.

External information from Paul Collins:
There are different files with the same name:

  • "MicrosoftSourceSafe" definitely not required. Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup!
  • "lsass" definitely not required. Added by the RATSOU.B TROJAN! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!
  • "Microsoft UPDATER32" definitely not required. Added by the RANDEX.AR WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!
  • "System Handler" definitely not required. Added by the NIMOS WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!
  • "Traybar" definitely not required. Added by the MYDOOM.L WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!

Important: Some malware disguises itself as lsass.exe, particularly when not located in the C:\Windows\System32 folder. Therefore, you should check the lsass.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.



Score

User Comments

Safe, but...uses more resources than my anti virus while scanning. Thats real High, for a process that controls user log ons.Why is this so high especially if I'm logged on
  Tony  
This file is vital to the Windows operating system. To what I know, it operates within Windows 7 and is a module to assist in the Winlogon process. It's safe as long as it's from the "(drive letter):\(your windows directory)\System32" directory.
  Lildirt  
I am doing a defrag of C: using the windows disk defragmenter. When I look at Task Manager, lsass.exe is churning out I/O byte writes like crazy, so this lsass must have something to do with file system management also.
  Bobbyrae  
It is not a virus
  Hendrik  
lsass is a part of Microsoft Security is called by two services. These services are default configured to: adjust action recovery not allowed (via management mmc), service failure: restart pc. Service Name: SamSs (Security Accounts Manager) user data Service Name: Protected Storage (Protected Storage). private data ... whatever. Microsoft definition gives false impression, he is a smartass if security is not available, find another solution than this shit!
  Axel  
It is used for NT authentication
   
It is only a virus IF something infects you're computer. So, if you have never received a shutdown message you're safe, if you have, you're computer has a 75% chance of it being a virus.
  Chris  
lsass by SYSTEM is not a virus
  George  
More comments can be found here:
    (further information)

Rating chart

Summary: Average user rating of lsass.exe: based on 698 votes with 9 reviews.
258 users think lsass.exe is essential for Windows or an installed application. 29 users think it's probably harmless. 130 users think it's neither essential nor dangerous. 82 users suspect danger. 199 users think lsass.exe is dangerous and recommend removing it. 71 users don't grade lsass.exe ("not sure about it").


Do you have additional information?
What do you know about lsass.exe: 
How do you rate it: 
Link for more info's: 
Your Name: 


Lsass scanner


Security Task Manager shows all running Windows tasks including embedded hidden functions (e.g. keyboard or browser monitoring, autostart entry). A unique security risk rating indicates the likelihood of the process being potential spyware, malware, keylogger or a Trojan.

Malwarebytes Anti-Malware detects and removes sleeping spyware, adware, trojans, keyloggers, malware and tracking threats from your hard disk. Ideal supplement to Security Task Manager.

SpeedUpMyPC scans, cleans, repairs and optimizes your computer.


Other processes


lsass.exe [all]