"lsass.exe" Process on Windows 7

Q

What is the "lsass.exe" process on Windows 7? Is the "lsass.exe" process a virus? Can I terminate the "lsass.exe" process?

✍: FYIcenter.com

A

The "lsass.exe" process is the "Local Security Authority Process" program. On Windows 7, "lsass.exe" is a service hosting process that hosts multiple security-related services.

The "lsass.exe" process normally runs under the parent process "wininit", as shown in the process tree below:

Boot
   wininit
      lsass

On the Processes tab of "Task Manager", the "lsass.exe" process may be listed as:

Image Name                 Memory   Description
--------------------   ----------   -----------
lsass.exe                22,212 K   Local Security Authority Process

Additional information about the "lsass.exe" process:

Command line:
   C:\windows\system32\lsass.exe

Program file information:
   Name: lsass.exe
   Location: C:\windows\system32\lsass.exe
   Description: Local Security Authority Process
   Version: 6.1.7601.23571 (win7sp1_ldr.161010-0600)
   Size: 30720 bytes
   Last modified: 10/10/2016 10:55:00 AM
   Company Name: Microsoft Corporation

Some data files used:
C:\Windows\System32
C:\Windows\System32\en-US\lsasrv.dll.mui
C:\Windows\debug\PASSWD.LOG
C:\Windows\System32\en-US\vaultsvc.dll.mui
C:\Windows\debug\netlogon.log
C:\Windows\System32\en-US\netlogon.dll.mui
C:\Users\fyicenter\AppData\Roaming\Microsoft\Credentials
C:\Users\fyicenter\AppData\Local\Microsoft\Credentials
C:\Windows\System32\en-US\crypt32.dll.mui
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My

Some registry keys used:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
HKLM\SYSTEM\ControlSet001\Control\SESSION MANAGER
HKLM\SYSTEM\ControlSet001\Control\Lsa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Parameters
HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\HostToRealm
HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains

Some DLL libraries used:
C:\windows\SYSTEM32\ntdll.dll
C:\windows\system32\kernel32.dll
C:\windows\system32\KERNELBASE.dll
C:\windows\system32\msvcrt.dll
C:\windows\system32\RPCRT4.dll
C:\windows\system32\SspiSrv.dll
C:\windows\system32\lsasrv.dll
C:\windows\SYSTEM32\sechost.dll
C:\windows\system32\SspiCli.dll
C:\windows\system32\ADVAPI32.dll

The "lsass.exe" process is not a virus. You should not terminate the "lsass.exe" process.
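
The values listed above (image path, parent process, company name) can be checked against whatever is running under the name "lsass.exe". The PowerShell script below is an added example, not part of the original page; the function name Test-LsassInstance and the wording of its findings are assumptions made for illustration.

```powershell
# Added example, not from the original page. Uses Get-WmiObject so it also
# runs on PowerShell 2.0, the version that ships with Windows 7.
# Expected values are the ones listed on this page.
$expectedPath    = Join-Path $env:SystemRoot 'System32\lsass.exe'
$expectedParent  = 'wininit.exe'
$expectedCompany = 'Microsoft Corporation'

function Test-LsassInstance {          # hypothetical helper name
    param($Process)                    # one Win32_Process object
    $findings = @()

    if (-not $Process.ExecutablePath) {
        # WMI returns no path when the caller is not allowed to query the process.
        $findings += 'image path not readable (run from an elevated prompt)'
    } elseif ($Process.ExecutablePath -ne $expectedPath) {
        # -ne on strings is case-insensitive, so C:\windows and C:\Windows match.
        $findings += "unexpected image path: $($Process.ExecutablePath)"
    } else {
        try {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Process.ExecutablePath)
            if ($info.CompanyName -ne $expectedCompany) {
                $findings += "unexpected company name: '$($info.CompanyName)'"
            }
        } catch {
            # For example, 32-bit PowerShell on 64-bit Windows is redirected away from System32.
            $findings += "could not read version info: $($_.Exception.Message)"
        }
    }

    # Resolve the parent PID to a name and compare it with wininit.exe.
    $parentName = $null
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($Process.ParentProcessId)"
    if ($parent) { $parentName = $parent.Name }
    if (-not $parentName) {
        $findings += "parent PID $($Process.ParentProcessId) is not running"
    } elseif ($parentName -ne $expectedParent) {
        $findings += "unexpected parent: $parentName"
    }

    $summary = 'matches expected values'
    if ($findings) { $summary = $findings -join '; ' }
    New-Object PSObject -Property @{
        ProcessId = $Process.ProcessId; Path = $Process.ExecutablePath
        Parent    = $parentName;        Findings = $summary
    }
}

Get-WmiObject Win32_Process -Filter "Name = 'lsass.exe'" |
    ForEach-Object { Test-LsassInstance $_ } |
    Format-List ProcessId, Path, Parent, Findings
```

Any finding other than "matches expected values" is a reason to look closer at that instance, not proof of infection by itself.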


2016-07-28