 | This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Local Security Authority Subsystem Service" – news ·newspapers ·books ·scholar ·JSTOR(July 2009) (Learn how and when to remove this message) |
Local Security Authority Subsystem Service (LSASS)[1] is aprocess inMicrosoft Windowsoperating systems that is responsible for enforcing thesecurity policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and createsaccess tokens.[2] It also writes to theWindows Security Log.
Forcible termination oflsass.exe will result in the system losing access to any account, including NT AUTHORITY, starting a one minute timer that after it runs out the system restarts. Under Windows XP the shutdown timer can be stopped with "shutdown -a" which will result in many features of the system that use the RPC server (user profile (management), sysdm.cpl, etc.) being unusable, often permission errors occur even when logged in with an account that has administrative permissions, when logging off, clicking switch user, or locking the machine, either a black screen appears or logging in is not possible again, or logging off is impossible at all, the machine often needs to be reset as a normal shutdown is not possible anymore after lsass.exe has been terminated. Becauselsass.exe is a crucial system file, its name is often faked by malware. Thelsass.exe file used by Windows is located in thedirectory%WINDIR%\System32, and the description of the file isLocal Security Authority Process. If it is running from any other location, thatlsass.exe is most likely avirus,spyware,trojan orworm. Due to the way some systems display fonts, malicious developers may name the file something likeIsass.exe (capital "i" instead of a lowercase "L") in efforts to trick users into installing or executing a malicious file instead of the trusted system file.[3] TheSasser worm spreads by exploiting abuffer overflow in the LSASS onWindows XP andWindows 2000 operating systems.
