The lsass.exe, also called the Local Security Authority Process, is a legitimate file created by Microsoft for the Windows operating system. Because it is an essential Windows process, it must not be deleted, moved from its folder, or altered in any way.
A safe and legit lsass.exe file is located in the Windows System32 folder. Its primary purpose is to enforce security policies, particularly for tasks like changing passwords and verifying login information.
Although it is a legit and essential file for the Windows platform, cybercriminals have found a way to exploit it. They use its name to disguise malware and retrieve personal information from unsuspecting users.
Lsass.exe: How to Find Out If It’s Legit or Malware
Is lsass.exe a virus? Is lsass.exe a legitimate file? To answer these questions, read on.
It is easy to identify a legit lsass.exe file. However, to do so, you have to be familiar with a couple of things. Once you are, you should be able to tell a fake lsass.exe process from the real one that is essential for the Windows platform.
To help you spot a malicious lsass.exe file, here are some things you should do:
Check the spelling
One of the methods cybercriminals use to make users think a malicious file is the real lsass.exe is to give it a name that looks similar. Because two files in the same folder can’t have the same name, criminals change the name slightly, for example to Isass.exe (with an uppercase I in place of the lowercase l) or lssass.exe.
As you can see, both names look similar to the real one. Depending on how fonts are displayed on your computer, this can easily confuse you.
Verify its location
A legit lsass.exe file is located in one folder only. If you happen to find it elsewhere, it’s highly likely to be dangerous and must be deleted as soon as possible.
As mentioned above, the real lsass.exe file is stored in the System32 folder. If it is on your desktop or in the downloads folder, then consider it a threat. Take action and remove it right away.
Now, if lsass.exe is running in Task Manager, do the following:
- Launch the Task Manager.
- Navigate to the Details tab.
- Right-click on the lsass.exe process.
- Choose the Open File Location option. If it takes you to the C:\Windows\System32 folder, then it should be a legit file. Otherwise, it’s a fake.
Check the File Size
Many malicious entities like viruses can be identified by their file size. So, check how much space the lsass.exe file is consuming on your hard drive.
A real lsass.exe file on a Windows 10 device takes up about 57 KB only. On a Windows 8 environment, it should be around 46 KB. If you notice that the file size is a bit bigger, then it is possible that you are dealing with a malware entity.
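The three checks above (spelling, location, file size) can be applied to every running process at once. The following PowerShell script is an added example, not part of the original article; the helper name Get-LsassVerdict and the verdict labels are hypothetical, and any row whose verdict is not OK deserves a closer look.

```powershell
# Added example, not from the original article. Run from an elevated prompt:
# without elevation Windows may not reveal the path of protected processes.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Get-LsassVerdict {
    # Hypothetical helper: returns $null for unrelated processes, else a verdict.
    param(
        [string]$Name,   # image name, e.g. lsass.exe
        [string]$Path    # full executable path; empty when Windows hides it
    )
    # Spelling check: fold the look-alike characters I and 1 to "l" and collapse
    # repeated letters, so Isass.exe and lssass.exe reduce to the same skeleton
    # as lsass.exe.
    $skeleton = $Name.ToLowerInvariant() -replace '[i1]', 'l' -replace '(.)\1+', '$1'
    if ($skeleton -ne 'lsas.exe') { return $null }
    if ($Name -ne 'lsass.exe')    { return 'LOOK-ALIKE NAME' }
    # Location check: the only legitimate copy lives in System32.
    if (-not $Path)               { return 'PATH UNKNOWN (re-run elevated)' }
    if ($Path -ne $expected)      { return 'WRONG LOCATION' }
    return 'OK'
}

Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $verdict = Get-LsassVerdict -Name $_.Name -Path $_.ExecutablePath
    if ($verdict) {
        # Size check: report the on-disk size so it can be compared by eye.
        $sizeKB = $null
        if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
            $sizeKB = [math]::Round((Get-Item -LiteralPath $_.ExecutablePath).Length / 1KB)
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            SizeKB    = $sizeKB
            Verdict   = $verdict
        }
    }
} | Format-Table -AutoSize
```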
Is Lsass.exe Using So Many Computer Resources?
Is the Task Manager telling you that the lsass.exe file is consuming a lot of memory space or CPU resources?
In an ideal scenario, Windows processes don’t use much processing power. When they do, it means either that something is wrong and should be fixed right away, or that a malware entity has infiltrated your system.
What makes things complicated is that abnormal CPU usage can occur whether the lsass.exe process is legit or fake. Sometimes, the process uses more CPU power. Other times, it doesn’t.
Normally, the memory usage of the lsass.exe process should not exceed 10 MB. But there are times when it spikes, especially when more than one user is logged in. Other times, a high CPU usage is noticed when a user is trying to change password credentials or running a program that requires administrator access.
So, how can you tell if the lsass.exe is a fake based on CPU usage? This can be answered by doing the three steps mentioned above. If its file name is different or if it is not located in the System32 folder, then get rid of it.
How to Remove a Fake Lsass.exe File
Before we teach you how to delete a fake lsass.exe file, it is worth noting that you should not delete the legit version. You cannot disable it either, because many processes depend on it.
Without further ado, here are the steps you should take to get rid of a malicious or fake lsass.exe file:
- End the fake lsass.exe process and delete the file. There are a few ways to do this. However, the easiest is to right-click on the process in Task Manager and choose End Task. If the process is not there, navigate to the Details tab, right-click on it, and select the End process tree option.
- After ending the process, go to the folder location and delete the file.
- At this point, scan your PC for any traces of the lsass.exe malware. For this, you can use a reliable anti-malware program or other third-party virus scanner applications.
- Next, keep your antivirus program of choice enabled at all times. This will protect your computer from any future threats.
Another Lsass.exe File Removal Option
If your computer is constantly rebooting because an lsass.exe-related error is being displayed on your screen, then do the following:
- Restart your computer.
- Once Windows has successfully booted, click Start and choose Run.
- Into the text field, input shutdown -a and hit Enter.
- Now, open your preferred web browser and check the Microsoft Security Bulletin for a complete list of updates and patches that are intended to resolve the problem. Download the update that answers your problem.
- After downloading the update, double-click on it to start the installation process.
- Reboot your PC and check if the problem persists.
The lsass.exe file is a legitimate Windows system file. This means it should not be removed, relocated, or altered. However, if it is giving you problems, do not hesitate to do a quick check to find out whether or not it’s malware. If you realize that you are dealing with a malicious entity, take action and remove it right away.