In this article we explore the most common lsass.exe issues and find solutions to resolve it. We also offer some tips on how to determine if the file is infected, how to fix lsass.exe and how to prevent potential troubles.
What is lsass.exe? This is an executable file and part of the Windows OS security service which it implements. According to the technical description, this service implies user access, e.g. when software requires user rights confirmation. Modifying or deleting the file, in most cases, will make Windows boot unstable or crash it. All Windows builds (since Windows XP) contain it, and attackers often target it to gain unauthorized access to data or certain parts of the system.
|Description||Part of Windows security system|
|Size (Win 10)||59.680 bytes|
|Target systems||Windows XP, Windows 8, Windows 8.1, Windows 10|
LSASS characteristics. These parameters will help you quickly determine whether the file is genuine or not, in case you suspect it has been corrupted by malware. In other words, here are 5 simple verification methods.
1. Location. This is a system file, so it is located in the System32 directory:
2. Name. The name is an abbreviation of service which it initializes. In addition, this file exists only in the .exe extension:
lsass.exe – Local Security Authority Subsystem Service
3. Size. 58.2 Kb on Windows 10, 32 Kb on Windows 7.
4. Checksum. A sequence of characters that represent a unique identifier for files based on exact size. Even a tiny resizing will change this value, therefore it is widely used to determine file authenticity.
Windows 10: d70219dbe8cda2f93972ea4574aa47e57b61480ef31c69510a8faf681b0bff46
Windows 7: 5c3a20f242492b9782047fe5f53eb3c6400cf5f0c89e45b22453724714d838be
5. Digital signature. Microsoft, like other reputable software vendors, has its own digital signature for files. It is a unique sequence of characters identifying the author.
If parameters of your file copy mismatch with any of these characteristics, it is either damaged or infected. If a file meets all the parameters and still there’s an error, we have the “prevent” section at the end.
Common LSASS issues and solutions
Our analysis has shown that most LSAA issues are caused by malicious files and attempts to get unauthorized access to the system. Here you will find practical recommendations for determining the cause of it.
|1||LSASS launched not from the default folder||+||–|
|2||File size is suspicious||+||–|
|3||2 instances of the file running||+||–|
|4||A similarly named file is already running||+||–|
|5||No digital signature or file damage||+||–|
|6||File uses too much memory||+||+|
|7||BSOD after restart||–||+|
|8||System restart, file not found||–||+|
|9||Error when Windows starts||–||+|
|10||Error when launching applications||–||+|
How to use Task Manager (quick tutorial).
This is a system utility that provides information about all running applications and resources they consume. One can initialize it by pressing Ctrl+Shift+Esc. In Windows 10, a list of running processes is displayed by default when opened. To see running processes in Windows 7, one has to switch to the Processes tab. Task Manager also comprises resources, services, autostartup list.
- Issue 1. How to check a directory hosting lsass.exe.
To see whether the file is working from the default folder or not, press Ctrl + Shift + Esc to launch Task Manager. Go to the Services tab and make sure that among the running processes there is only one called lsass.exe. If you can’t find it, enable the “Show processes from all users” feature and try again.
- Issue 2. How to determine lsass.exe size.
Method 1: using system resources. Open file location in Task Manager and compare your file size with standard size (we’ve mentioned it earlier in the article). Method 2: using hash sum. Open file location too and check its hash sum with this SHA256 Online tool. Compare the received string with the one we’ve mentioned earlier, it should be the same. Note: don’t trust file Preferences in it’s location, as it could be amended by malware.
- Issue 3. How to detect two running LSASS files.
It is also possible via Task Manager. Launch it and open the Services tab. Check the entire list of running applications and make sure that there is only one named lsass.exe.
- Issue 4. How to detect a malicious lsass.
The most common attempt to pass off malicious lsass as a genuine copy is to replace the first letter “L” in the lower case with the letter “I” in the upper case. As in words “lamp” and “India”. To detect a malicious file, check running applications in the Task Manager. It should contain only one LSASS file that meets all 5 criteria of genuine check.
- Issue 5. How to check LSASS digital signature.
To verify a file’s digital signature, open its properties with a right click. Select the Digital Signatures tab. File must have a Microsoft Windows Publisher signature exclusively.
- Issue 6. How to fix high lsass.exe memory consumption.
We can check RAM usage in the same Task Manager place where the list of applications is. In normal condition, lsass consumes about 4 Mb. Though other running programs can increase this value due to frequent requests, so before a check it’s better to close third-party programs.
- Issue 7. How to fix BSOD after restart.
When Windows boot has just been initialized, press F8 to go to the Windows boot menu. Try “Download the last successful configuration” option to restore the system to a previous state. If this doesn’t help, use Windows installation disk for system recovery. Note: system recovery doesn’t delete user files, it only checks if Windows files are in a proper location, and whether to restore it or not.
- Issue 8. How to fix missing lsass.exe and system reboot (in 30 seconds).
Often we get the alert about the missing lsass and system reboot to attempt to restore it. See if it works first. If not, use Windows recovery or installation disk to start recovery.
- Issue 9. How to fix LSASS error at Windows startup.
Reboot system to check if it was a single error. Next step depends on the error message content. If it refers to 3rd-party software, try reinstalling that software. If there is no specific error information, or it refers to system files, then activate Windows system recovery using the installation disk. After that, run a full system scan for malicious files.
- Issue 10. How to fix LSASS while launching another application.
Remove an application with an uninstaller program and reinstall it. It is also recommended to get the latest updates for it, if possible. If this doesn’t help, contact the software vendor.
Most attacks (70-80% of incidents) on lsass.exe are aimed at obtaining unauthorized access to information or the system as a whole. Some malware also tries damaging user data or system files. In 2020, according to VirusTotal, attacks using lsass are still happening.
5 methods to fix LSASS.exe
Option 1: Scan PC for malware. Download and install Malware Fighter by IObit or any other anti-malware app of choice, run a full scan. Delete any malware detected, reboot.
Option 2: Install Windows 10 updates. Open Settings menu, go to Update & Security. Press Check for Updates and wait for scan results. Install all recommended updates and reboot.
Option 3. Change Windows Boot mode. Launch a PC and before Windows screen saver appears press F8 to enable Windows boot menu. Select “Safe Mode with Networking” and wait for it to load. If the system loads correctly, try options 1 and 2 to fix lsass.exe. Or continue working in this mode.
Option 4. Use system restore utility. As in the previous scenario, press F8 before Windows starts loading. Select “Repair your computer”. Follow the tips to restore the system.
Option 5. System restore point. Press Win+R, type in rstrui.exe and press Enter. Press Next and in the following window select a restore point to the date when your PC (as you remember) worked correctly. Reboot at the end.
How to prevent lsass errors?
Preventive measures are easier and safer than fixes, so a basic rule of thumb is the following.
- Сlean and optimize a PC with special apps. Often computers collect junk and temporary files that are no longer in use. This is a favourite place for hackers to disguise malware. There are plenty of PC optimization software, we recommend Advanced SystemCare for several reasons: it has a free version, scheduler for regular PC maintenance, automatic updates.
- Install and use anti-malware. Let’s not make hackers’ life easier by leaving a computer vulnerable. Special security software, known as antimalware, monitors all traffic in real-time and will be able to detect and block such threats. In this regard, we welcome you to learn more about Best anti-malware programs.
Stay safe, everyone, physically and digitally.