Reference number: CH000913
What is the Windows lsass.exe file / process?
Question:
What is the Windows lsass.exe file / process?
Answer:
What is lsass.exe?
A Microsoft Windows file stored in the c:\windows\system32
directory (c:\winnt\system32 on Windows NT and 2000). The name is
short for Local Security Authority Subsystem Service; the file
description is "LSA Shell" on Windows 2000 and XP and "Local
Security Authority Process" on later versions. The process
enforces the local security policy, authenticates users who log
on (local accounts, and domain accounts through NTLM or Kerberos),
issues the access tokens that every logon session runs under, and
on a domain controller hosts the Active Directory database
service. Because it keeps logon credentials in memory it is a
prime target for credential-theft tools, which is why malware
imitates its name and why current Windows versions can run it as
a protected process (RunAsPPL) or isolate its secrets with
Credential Guard.
Is this file a spyware, trojan,
or virus?
The lsass.exe file included with Microsoft Windows is not
spyware, a trojan, or a virus. However, like any file on your
computer it can become corrupted by a virus or trojan.
Antivirus programs can detect and clean this file if it has
become infected. Because this file is part of Microsoft Windows,
users should never delete or remove it themselves if they think
it is infected; let the antivirus program handle it.
This file has had security vulnerabilities in the past, as
described in Microsoft Security Bulletin MS04-011 (the LSASS
buffer overrun that the Sasser worm exploits). Make sure your
computer is up-to-date with all the latest Microsoft Windows
updates.
Finally, the files and processes Isassa.exe (that is a capital
'i', not a lower-case 'l'), lsassa.exe and lsasss.exe are not
Windows files; they are names chosen to pass as lsass.exe. If you
see any of these files on your computer or listed in the Task
Manager processes, your computer is infected with the Sasser
worm. The genuine lsass.exe runs from %SystemRoot%\System32, is
signed by Microsoft, and on a workstation runs exactly once; any
copy with a different spelling, extra letters, or another
location is suspect. See the steps below for additional
information about cleaning the computer.
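The check described above in practice, as an added example that is not part of the original page: a PowerShell script (assumes Windows PowerShell 3.0 or later, run from an elevated prompt so the image paths of SYSTEM processes are visible) that lists every running process whose name resembles lsass.exe and reports whether it is the genuine one: exact name, image in %SystemRoot%\System32, a valid Microsoft Authenticode signature (on Windows 8 and later, where catalog signatures are checked), and a parent of wininit.exe (Windows Vista and later). The look-alike regular expression is this example's own assumption.

```powershell
# Added example, not part of the original page. Audits processes that look like
# lsass.exe. Assumes Windows PowerShell 3.0+ and an elevated prompt.

$ExpectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Assumed pattern: matches lsass.exe itself plus look-alikes such as Isassa.exe
# (capital I), lsassa.exe, lsasss.exe, 1sass.exe and lsass32.exe.
$LookAlike = '^[lI1]s[a4]ss[a-z0-9]*\.exe$'

function Get-LsassAudit {
    $procs = Get-CimInstance -ClassName Win32_Process |
             Where-Object { $_.Name -match $LookAlike }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
        }
        $sigStatus = 'n/a'
        if ($sig) { $sigStatus = $sig.Status }

        # The real lsass.exe is started by wininit.exe on Vista and later.
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = '<none>'
        if ($parent) { $parentName = $parent.Name }

        $signedByMicrosoft = [bool]($sig -and $sig.Status -eq 'Valid' -and
                                    $sig.SignerCertificate.Subject -like '*Microsoft*')

        [pscustomobject]@{
            PID       = $p.ProcessId
            Name      = $p.Name
            Path      = $path
            Parent    = $parentName
            Signature = $sigStatus
            # Genuine only if every property matches the real lsass.exe:
            # exact lower-case name, expected path, Microsoft signature, wininit parent.
            Genuine   = [bool](($p.Name -ceq 'lsass.exe') -and
                               ($path -ieq $ExpectedPath) -and
                               $signedByMicrosoft -and
                               ($parentName -ieq 'wininit.exe'))
        }
    }
}

$audit = Get-LsassAudit
$audit | Format-Table -AutoSize

# A healthy workstation shows exactly one row, and it is Genuine.
$genuine = @($audit | Where-Object { $_.Genuine }).Count
$suspect = @($audit | Where-Object { -not $_.Genuine }).Count
"Genuine lsass.exe instances: $genuine   suspect look-alikes: $suspect"
if ($suspect -gt 0 -or $genuine -ne 1) {
    Write-Warning 'lsass.exe audit failed: investigate the rows marked Genuine=False.'
}
```

On Windows 7 and earlier, lsass.exe is catalog-signed and Get-AuthenticodeSignature may report NotSigned even for the real file; there, rely on the name, path and parent checks and verify the hash against a known-good copy instead.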
Is it safe to remove lsass.exe
from the Task Manager processes?
No. lsass.exe is a critical system process that cannot be ended
from the Task Manager without breaking Windows. When you attempt
to End Process on lsass.exe you will receive the Unable to
Terminate Process window with the error "This is a critical
system process. Task Manager cannot end this process." It is
normal to receive this error.
Computer restarting because of
lsass.exe error.
If your computer is continuously rebooting because of an
error in the lsass.exe file, you encounter an lsass.exe error
when attempting to change your password, or you have any of the
files mentioned above that are infected files follow the below
steps.
- After booting into Windows quickly click Start
and then Run
- In the run line type: shutdown -a and press
enter.
This will abort the restart from
occurring. After completing the above steps continue with the
below steps.
- Open your web browser and visit the
Microsoft Security Bulletin MS04-011 page for the update that
corrects this issue. If you're unable to open any of Microsoft's
pages or Windows Update pages, skip to the next section.
- After the file has been downloaded double-click the file
to install it.
- Make sure your computer has a hardware
firewall (such as a
NAT router) or software
firewall program installed and running. If you do not have a
firewall or are not sure and have Windows XP you can always
enable the firewall installed with Windows XP. Additional
information about enabling the Windows XP firewall can be
found on document CH000551.
- Make sure your computer has all the available Windows
updates by visiting
http://windowsupdate.microsoft.com/ and checking for any
security updates. Additional information and tips on making
sure your Windows computer is up-to-date can be found on
document CH000545.
- Finally, make sure you have an antivirus program
installed on the computer and that it is up-to-date.
Additional information about this can be found on
document CH000533.
Note: If at any time you need to reboot the computer because of
updates that have been installed, it is fine to reboot, but you
may need to run shutdown -a again to stop the computer from
automatically restarting.
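The abort-and-verify steps above, scripted as an added example that is not part of the original page. It assumes Windows PowerShell 2.0 or later at an elevated prompt. It relies on the fact that the MS04-011 update package is KB835732 (only Windows 2000, XP and Server 2003 will ever list it; later versions include the fix and never show it) and uses the Windows Update Agent COM interface to list updates that are not yet installed.

```powershell
# Added example, not part of the original page. Assumes Windows PowerShell 2.0+
# and an elevated prompt.

# Step 1: abort the restart that the crashed lsass.exe scheduled. If no shutdown
# is pending, shutdown.exe prints a harmless error and nothing else happens.
shutdown.exe /a

# Step 2: is the MS04-011 fix (KB835732) installed? Only meaningful on
# Windows 2000/XP/Server 2003; later Windows versions never list it.
function Test-Ms04011 {
    $hf = Get-HotFix -ErrorAction SilentlyContinue |
          Where-Object { $_.HotFixID -eq 'KB835732' }
    if ($hf) { "KB835732 (MS04-011) is installed" }
    else     { "KB835732 (MS04-011) is NOT listed - install it if this is Windows 2000/XP/2003" }
}

# Step 3: is a host firewall enabled on every network profile?
function Test-Firewall {
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | Select-Object Name, Enabled   # Windows 8 / Server 2012 and later
    } else {
        netsh advfirewall show allprofiles state              # Windows Vista / 7 / Server 2008
    }
}

# Step 4: which updates are still missing? Uses the Windows Update Agent COM
# API, so no extra modules are needed.
function Get-PendingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    $result.Updates | Select-Object Title, MsrcSeverity
}

Test-Ms04011
Test-Firewall
Get-PendingUpdates | Format-Table -AutoSize
```

Run it once after aborting the restart and again after installing the update and rebooting; the second run should report the KB present (on the affected versions), every firewall profile Enabled, and an empty pending-updates list.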
Hosts file modified
If you're unable to open any of Microsoft's pages, Windows Update
pages, or antivirus vendor pages, it's possible that the worm has
modified your hosts or lmhosts file. Windows consults the hosts
file before DNS and the lmhosts file before WINS when resolving a
name, so an entry in either can silently point microsoft.com at
the wrong address. Both files live in
%SystemRoot%\System32\drivers\etc; the lmhosts.sam file in that
directory is only a sample and is never consulted. Follow the
below steps to verify that the files have not been modified.
- Locate the files. On Windows NT, 2000, XP and later they are
in C:\Windows\System32\drivers\etc (C:\WinNT\System32\drivers\etc
on NT and 2000). If you cannot find them there, open the Windows
search and search for "hosts" and "lmhosts". Additional
information about finding files in Microsoft Windows can be found
on document CHFIND. Additional information about locating this
file can also be found on our lmhosts definition page.
- Once found, open each file in Notepad. The files have no
extension, so double-clicking prompts you for a program to use;
select Notepad or WordPad.
- Once the file is open, every line that does not begin with a
pound sign (#) is an active entry. A clean file contains nothing
but comments, or only the localhost entries (127.0.0.1 localhost
and, on newer versions, ::1 localhost). Make sure no active line
contains microsoft.com, windowsupdate, or an antivirus vendor
such as Norton or McAfee; such a line redirects that site and was
added by the malware.
- If the file does list one or more of the above sites it has
been tampered with. Close the file and go back to the Search
results window. Once in the window, right-click the file, click
Rename, and rename it (for example lmhosts to lmhosts.ch, hosts
to hosts.ch). Windows stops using the renamed copy and keeps it
as evidence; neither file is required for normal name resolution.
- After the file has been renamed, close the find window, click
Start, Run, and type: ipconfig /flushdns and press enter to clear
the DNS resolver cache (which caches hosts entries), then run:
nbtstat -R to purge and reload the NetBIOS name cache from
lmhosts. You should see a brief window appear and disappear each
time. After this has been done, complete the above steps.
Additional information about the nbtstat command can be found
here.
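The audit and cleanup above, scripted as an added example that is not part of the original page. It assumes Windows PowerShell 2.0 or later at an elevated prompt, and that the hosts and lmhosts files are in their standard location under %SystemRoot%\System32\drivers\etc; the list of vendor names it looks for is this example's own assumption and can be extended.

```powershell
# Added example, not part of the original page. Assumes Windows PowerShell 2.0+
# and an elevated prompt (needed to rename files under System32).

$Etc   = Join-Path $env:SystemRoot 'System32\drivers\etc'
$Files = @('hosts', 'lmhosts') |
         ForEach-Object { Join-Path $Etc $_ } |
         Where-Object  { Test-Path -LiteralPath $_ }

# Assumed list of names a worm redirects so the victim cannot fetch patches
# or antivirus signatures.
$BlockedNames = 'microsoft\.com|windowsupdate|symantec|norton|mcafee|trendmicro|kaspersky|sophos'

function Get-HostsHijacks {
    param([string[]]$Paths = $Files)
    foreach ($f in $Paths) {
        $lines = @(Get-Content -LiteralPath $f)
        for ($i = 0; $i -lt $lines.Count; $i++) {
            $line = $lines[$i].Trim()
            # Only active entries matter: blank lines and '#' comments are
            # ignored by the resolver, so they are ignored here too.
            if ($line -and -not $line.StartsWith('#') -and $line -match $BlockedNames) {
                New-Object PSObject -Property @{ File = $f; Line = ($i + 1); Entry = $line }
            }
        }
    }
}

function Repair-HostsFiles {
    param([string[]]$Paths = $Files)
    foreach ($f in $Paths) {
        # Same rename the page uses: keep the tampered file as evidence, but
        # with a name Windows will not read.
        Rename-Item -LiteralPath $f -NewName ((Split-Path $f -Leaf) + '.ch')
    }
    ipconfig.exe /flushdns   # hosts entries live in the DNS resolver cache
    nbtstat.exe -R           # lmhosts entries live in the NetBIOS name cache
}

$hits = @(Get-HostsHijacks)
if ($hits.Count -eq 0) {
    'No suspicious active entries in hosts or lmhosts.'
} else {
    $hits | Format-Table File, Line, Entry -AutoSize
    Write-Warning "$($hits.Count) hijacking entries found; run Repair-HostsFiles to rename the files and flush the caches."
}
```

Review the reported lines before calling Repair-HostsFiles: an administrator-added entry for an internal update server can match the pattern and should be kept, in which case edit the offending lines out by hand instead of renaming the whole file.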