What lsass.exe Is & How It Affects Your Computer

Lsass.exe (Local Security Authority Process) is a safe file from Microsoft used in Windows operating systems. It’s vital to the normal operations of a Windows computer and should therefore not be deleted, moved, or edited in any way.

The file is permanently located in the \Windows\System32\ folder and is used to enforce security policies, meaning that it’s involved with things like password changes and login verifications.

While the file is extremely important for normal Windows operations and should not be tampered with, malware has been known to either hijack the real lsass.exe file or pretend to be authentic to fool you into letting it run.

How to Spot a Fake lsass.exe File

It's not difficult to spot a fake lsass.exe file, but you have to look very carefully at a few things to ensure that you’re dealing with a fake process and not the real one that Windows needs.

Check the Spelling

The most common method used by malware to trick you into thinking lsass.exe is not a virus is by renaming the file to something very similar. Since a folder can't have two files with the same name, it will be changed ever so slightly.

Here’s an example:

Isass.exe

If that looks just like lsass.exe, you’re right...it does. However, the real file uses a lowercase L (l) while the malicious one uses an uppercase i (I). Depending on how fonts are displayed on your computer, they could look identical, making it easy to confuse them for each other.

One way to verify whether the filename is incorrect is to use a case converter. Copy the filename and paste it into the text box at Convert Case, and then select lower case to convert it all into lower case. If the result is not genuine, it'll be spelled like this: isass.exe.

These are some other purposeful misspellings intended to trick you into letting the file stay on your computer or allowing it to run when asked (look closely at that first one; it has an unneeded space):

lsass .exe
lsassa.exe
lsasss.exe
Isassa.exe

Where Is It Located?

The real lsass.exe file is in one folder only, so if you find it anywhere else, it’s most likely dangerous and should be deleted immediately.

The real file is supposed to be stored in the System32 folder:

C:\Windows\System32\

If it’s anywhere else on your computer, like on the desktop, in your downloads folder, on a flash drive, etc., treat it as a threat and promptly remove it (there's more on how to do that below).

If you see lsass.exe in Task Manager, here’s how to know where it’s actually running from:

1. Open Task Manager.

   There are several ways to do this, but the easiest is with the Ctrl+Shift+Esc keyboard shortcut. You could also access it from the Power User Menu in Windows 11/10/8, by right-clicking the Start button.

2. Open the Details tab.

   If you don’t see this tab, select More details from the bottom of Task Manager.

3. Right-click lsass.exe from the list. Choose the first one you see.

4. Select Open file location, which should open the C:\Windows\System32 folder and pre-select the lsass.exe file, as you can see below.

5. Repeat the above steps for each lsass.exe file you see in Task Manager. There should only be one listed, so if you see additional instances, all but one are fake.

6. Did you find a fake lsass.exe file? See the directions at the button of this page for how to delete it and ensure that your computer is clean from any lsass.exe related worms, spyware, viruses, etc.

What’s Its File Size?

It’s common for viruses and other malicious software to use a program-sized file to deliver whatever it is the malware is carrying, so another way to check whether lsass.exe is real or fake is to see how much space the file is taking up on the hard drive.

Right-click it and open Properties to check its size.

For example, the Windows 11 version of the file is 82 KB on our test machine, the Windows 10 lsass.exe file is 57 KB, and the Windows 8 one is 46 KB. If the file you’re seeing is a lot bigger, like a few megabytes or more, then it’s most likely not the real file provided by Microsoft.

Why Is lsass.exe Using so Much Memory?

Is Task Manager reporting lsass.exe high CPU or memory usage?

Some Windows processes should never use much memory or processor power, and when they do, it’s usually a sign that something isn't quite right and that something could be malware.

Lsass.exe is one exception where under certain normal circumstances, it will use more RAM and CPU than at other times, making it difficult to know whether lsass.exe is real or fake.

Memory usage for lsass.exe should remain below 10 MB at any given time, but it’s normal for it to spike when more than one user is logged in, during encrypted file writes on NTFS volumes, and possibly other times like while a user is changing their password or during the opening of a program when it's being run with an administrator's credentials.

When to Remove lsass.exe

If lsass.exe is using an obviously excessive amount of the memory or processor, and especially if the EXE file is not located in the Windows\System32\ folder, you need to get rid of it. Only an infected lsass.exe file or a lookalike will hog all the system resources.

One example of this is if the lsass.exe file is pretending to be real so that it can mine cryptocurrencies. Software that performs crypto mining requires massive amounts of system resources, so if your computer is unusually slow, crashes randomly, displays strange errors, or has inexplicably installed browser add-ons or other programs you never agreed to, then you can safely assume that you need a good malware cleaning.

How to Remove a lsass.exe Virus

Before learning how to delete a lsass.exe infection, remember that you cannot delete the real lsass.exe file, nor can you disable it or shut it down for any reason. The steps below are for removing a fake lsass.exe file; one that Windows isn't really using.

1. Shut down the fake lsass.exe process and then delete the file.

   You can do this a number of ways, but the easiest is to right-click the task in the Processes tab of Task Manager and select End task. If you don't see the task there, look for it under the Details tab, right-click it, and choose End process tree.

   If you try to end the genuine process, you'll either be given an error that you can't or, if the process does shut down, you'll see a message that Windows will automatically restart soon.

2. Once you've shut down the process, open the folder where the file is located (see the "Where Is It Located?" steps above if you're not sure how) and delete it.

   If you suspect that a certain program is responsible for installing the lsass EXE virus, feel free to remove the program to see if that clears away the process, too. IObit Uninstaller is one example of a powerful program uninstaller that can do this.

3. Scan your computer for lsass.exe malware using a program like Malwarebytes or some other on-demand virus scanner.

4. Install an always-on antivirus program. This will help provide not only a second look in addition to Malwarebytes but also a permanent method to ensure that your computer is protected from future threats like this one.

   See our list of the best Windows antivirus software if you're not sure where to look.

5. Use a bootable antivirus tool to delete the lsass.exe virus. This is a perfect method if the other programs above didn't work because when you run an antivirus program before Windows starts, you're able to ensure a thorough removal process without running into permission or locked file issues.