LSASS.EXE is the Local Security Authority Subsystem Service. I know that sounds complicated, but it simply means it is the process in Microsoft Windows that is responsible for enforcing the security policy on the system.
It verifies whether users can log on to a Windows computer or server, handles password changes, and creates access tokens. An access token describes the logged-on user: their SID, the groups they belong to and the privileges they hold. Whenever a process opens a file or another securable object, Windows compares that token against the object's security descriptor to decide whether the access is allowed. LSASS also writes to the Security Log in Windows, which records logon/logoff activity and any other security-related events selected by the system's auditing policy.

Press Ctrl + Shift + Esc (or Ctrl + Alt + Del and choose Task Manager) to open the Windows Task Manager. It displays the processes running on your computer at that moment in time. Some of these processes are native to the operating system (meaning they are needed for Windows to run properly), others are third-party applications loaded at startup, and the rest are the programs you have opened yourself. Lsass.exe belongs to the first group: as described above, Windows needs it to keep operating. If the process is killed or crashes, Windows forces a restart.

There should only ever be one process named lsass.exe, and it runs from C:\Windows\System32\lsass.exe as SYSTEM. (Note that I'm writing the legitimate process as Lsass.exe with a capital L so you understand which process I'm referring to, because there is also isass.exe, spelled with an 'i', which looks the same as lsass.exe with a lowercase L when it is running on your computer. This is because the font Task Manager uses has no serifs, so a capital 'I' and a lowercase 'l' are drawn as the same vertical bar.) If you notice two such processes, or one that is not running from System32, there's a strong possibility that the extra one is a virus, unfortunately. On newer versions of Windows you can right-click the process in Task Manager and choose "Open file location" to see where it really runs from.
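To make that check reproducible rather than eyeballing letters in Task Manager, here is an added PowerShell audit script (my example, not code from the original post). It lists every running process whose name resembles lsass.exe, including the isass.exe look-alike, and compares each against what the genuine process looks like on a normal Windows install: exactly one instance, the exact case-sensitive name, the System32 path, the NT AUTHORITY\SYSTEM owner, wininit.exe as parent, and a valid Microsoft Authenticode signature. Those expected values are assumptions about a standard installation; run it from an elevated prompt, otherwise the path and owner of a SYSTEM process are not readable.

```powershell
# Added example (not from the original post): audit processes whose name
# looks like lsass.exe. The expected values below (assumed for a standard
# Windows install) describe the genuine process. Run elevated.

$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Match the real name and the look-alikes (capital I, lowercase i, digit 1).
# -match is case-insensitive, so 'Isass.exe' and 'LSASS.EXE' are both caught.
$candidates = @(Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^[li1]sass\.exe$' })

if ($candidates.Count -ne 1) {
    Write-Warning "Expected exactly one lsass.exe, found $($candidates.Count)"
}

foreach ($p in $candidates) {
    $findings = @()

    # 1. Exact, case-sensitive name (-cne): 'Isass.exe' renders like 'lsass.exe'.
    if ($p.Name -cne 'lsass.exe') {
        $findings += "name '$($p.Name)' is not exactly 'lsass.exe'"
    }

    # 2. Image path must be %SystemRoot%\System32\lsass.exe.
    if ($p.ExecutablePath -ne $expectedPath) {
        $findings += "path '$($p.ExecutablePath)' is not '$expectedPath'"
    }

    # 3. Owner must be NT AUTHORITY\SYSTEM.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $ownerName = "$($owner.Domain)\$($owner.User)"
    if ($ownerName -ne 'NT AUTHORITY\SYSTEM') {
        $findings += "owner is '$ownerName'"
    }

    # 4. Parent must be wininit.exe (the process that starts lsass at boot).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'wininit.exe') {
        $findings += "parent is '$($parent.Name)' (pid $($p.ParentProcessId))"
    }

    # 5. The binary on disk must carry a valid Microsoft signature.
    if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature status '$($sig.Status)'"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "PID $($p.ProcessId): genuine lsass.exe"
    } else {
        Write-Warning "PID $($p.ProcessId) ($($p.Name)): $($findings -join '; ')"
    }
}
```

Any warning is worth investigating: a second instance, a lowercase-L name that is really a capital I, a path outside System32, a non-SYSTEM owner or an unsigned binary each point to an impostor. To check several machines at once, wrap the script in Invoke-Command -ComputerName with the names of the computers you want audited.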
Why do I have 2 processes named lsass.exe running in my Windows Task Manager?
The Sasser worm was a network worm written specifically to exploit a buffer overrun in the version of LSASS that shipped with Windows 2000 and Windows XP (the flaw Microsoft fixed in security bulletin MS04-011; the patch is still available for download). It needed no user interaction: the worm scanned the network for machines listening on TCP port 445, sent an over-long request that overflowed a buffer inside lsass.exe, and used the resulting code execution to copy itself onto the victim and start scanning from there. Once a computer is infected (the isass.exe process I mentioned above), the worm can quickly propagate to every other unpatched computer on the same network. So if you find it on one machine, check all your computers, not just the one that showed the symptom, and make sure the patch is installed on each of them.
Tags: lsass, lsass.exe, sasser worm, virus
