What is lsass.exe?
In Microsoft Windows, the file lsass.exe in the directory c:\windows\system32 or c:\winnt\system32 is the Local Security Authority Subsystem Service. It has the file description LSA shell. It is a crucial component of Microsoft Windows security policies, authority domain authentication, and Active Directory management on your computer.
Is this file a spyware, trojan, or virus?
The lsass.exe (L not an i) file included with Microsoft Windows is not spyware, a trojan, or a virus. However, like any file on your computer it can become corrupted by a virus or trojan. Antivirus programs can detect and clean this file if it has become infected. Because this file is part of Microsoft Windows users should never delete or remove this file if they think it is infected, let the antivirus program handle it.
As mentioned in Microsoft Security Bulletin (MS04-11), this file contains known security vulnerabilities. Make sure your computer is up-to-date with all the latest Microsoft Windows updates.
Finally, the files and processes: isass.exe or Isassa.exe (that is a capital ‘i’ and not an ’l’), lsassa.exe and lsasss.exe are infected files. If you see these files on your computer or listed in the Task Manager processes your computer is infected with the Sasser worm. See steps below for additional information about cleaning the computer from this file.
Is it safe to remove lsass.exe from the Task Manager processes?
No. The lsass.exe is a critical system process that cannot be removed from the Task Manager without causing issues with Windows. When attempting to End Task lsass.exe, you will receive the Unable to Terminate Process window with the following error.
This is a critical system process. Task Manager cannot end this process.
It is normal to receive this error.
Computer restarting because of lsass.exe error
If your computer continuously reboots because of the lsass.exe file or you get an lsass.exe error when changing your password, follow the steps below.
- After booting into Windows, click Start and select Run.
- In the run line, type: shutdown -a and press Enter.
After completing the steps above, continue with the steps below.
Open your web browser and visit the Microsoft Security Bulletin (MS04-11) for a list of updates to help correct this issue. If you’re unable to open any of Microsoft’s pages or Windows update pages, skip to the next section.
After the file is downloaded, double-click the file to install it.
Make sure your computer has a hardware firewall, such as a NAT router, or software firewall program installed and running. If you do not have a firewall or are unsure and have Windows XP or later, you can enable the Windows firewall.
How to enable or disable the Microsoft Windows Firewall.
Make sure your computer has all the available Windows updates.
How to update a Microsoft Windows computer.
Finally, make sure you have an antivirus program installed on the computer and that it is up-to-date.
How to update an antivirus program.
Hosts file modified
If you’re unable to open any of Microsoft’s pages, Windows update pages, or antivirus protection pages, likely the Sasser worm has modified your lmhosts hosts file. Follow the steps below to edit and verify this file has not been modified.
If you need to reboot the computer because of updates that were installed on your computer, it’s ok to reboot the computer. However, you may need to run shutdown -a again to prevent the computer from automatically restarting again.
- Locate and open the file. Because this file can be in different locations, it’s usually easiest to open the Windows search tool and search for lmhosts.sam. Additional information about locating this file is available on our lmhosts definition.
- Once found, edit the file by double-clicking it. If Windows prompts you for which program you’d like to use to open the file, select Notepad or WordPad.
- In the file, make sure no lines are listed that don’t begin with a pound (#) and contain microsoft.com, windowsupdate, or any antivirus protection sites, such as Norton or McAfee.
- If the file does list one or more of the sites above, it’s likely corrupted. Close the lmhosts.sam file and get back to the Search results window. Once in the window, right-click the lmhosts.sam file, select Rename, and rename the file to lmhosts.ch.
- After the file is renamed, close the find window, click Start, Run, and type: nbtstat -R and press Enter. You should see a brief window appear and disappear. After this is done, complete the above steps.
Related information
- See the nbtstat command page for further information on this command.
- Microsoft Windows help and support.