
The “Local Security Authority Subsystem Service” file, abbreviated as “lsass.exe”, is an important part of Microsoft Windows’ security policies, such as Authority Domain Authentication (for example, authentication of password changes and login verification) and Active Directory Management on your PC. It is located in the folder C:\Windows\System32. This file must never be tampered with in any way (edited, removed or deleted), and it exists only at the location stated here. In this blog we discuss various aspects and scenarios of the lsass.exe file.

Basic Functions of lsass.exe File:

As stated above, the lsass.exe file is responsible for verifying the validity of user logins to your PC or server and for generating the process that authenticates users for the Winlogon service.

Location of lsass.exe File:

It is located solely in the C:\Windows\System32 folder and nowhere else.

Is lsass.exe File a Spyware/Trojan/Virus?

No, lsass.exe is not spyware. But if a file with this name is present at any location other than C:\Windows\System32, then it is certainly a virus, spyware, Trojan or worm.
Further, the lsass.exe file can be corrupted by a virus or Trojan. Since this file is part of MS Windows, never delete or remove it; instead, run an antivirus program to remove the virus.

Signs Of Presence Of Fake lsass.exe Files?

From the following signs you can infer the presence of fake files:

  • The computer is running unusually slowly.
  • The computer crashes randomly.
  • Strange errors are displayed.
  • Browser add-ons or other programs are installed without your knowledge or consent.

How To Identify a Fake lsass.exe File?

You can use three factors to identify a fake lsass.exe file:

  1. Location of file.

    The one and only location where the real lsass.exe file exists is C:\Windows\System32. If you find such a file anywhere else, such as on the desktop, in download folders or on a flash drive, then the file is fake and can be dangerous, and you should delete it immediately.

  2. Spelling of file.

    The real file name consists of the letters “LSASS.EXE”, all in lowercase: lsass.exe.
    Files and processes with names similar to lsass.exe are fake. Variants of such similarly named files include:

    • isass.exe
    • Isass.exe (here ‘I’ is ‘i’ in uppercase)
    • lsassa.exe (here ‘l’ is ‘L’ in lowercase)
    • Isassa.exe (here ‘I’ is ‘i’ in uppercase)
    • lsasss.exe (here ‘l’ is ‘L’ in lowercase)
    • Isasss.exe (here ‘I’ is ‘i’ in uppercase)
    • 1sass.exe
    • 1sassa.exe
    • 1sasss.exe

    You can check whether the file is real by copying the file name, pasting it somewhere such as Notepad, and converting the whole name to lowercase to reveal the real name.

  3. Size of file.

    Malicious software usually has a much larger size. The ‘lsass.exe’ file is 57KB in Windows 10 and 47KB in Windows 8. If you find a much bigger file, it is most probably a fake file. The lsass.exe process usually uses less than 10MB of memory at any time, but this may increase in situations such as:

    • When more than one user is logged in.
    • When encrypted files are written to NTFS volumes.
    • When a user changes a password.
    • When you open a program that runs with administrator credentials.
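
The three checks above (location, spelling, size) can be run together over a file inventory. The following is an added example, not code from the original article; the `check_lsass` and `scan` names, the 256 KiB size ceiling, the sample records, and the assumption that Windows is installed on drive C: are all illustrative.

```python
import ntpath

REAL_NAME = "lsass.exe"
REAL_DIR = r"c:\windows\system32"   # the only valid location per the article
MAX_SIZE = 256 * 1024               # assumed ceiling; article cites 57KB / 47KB
# Lookalike characters from the article's list: 'i'/'I' and '1' standing in for 'l'
LOOKALIKES = str.maketrans({"i": "l", "1": "l"})


def check_lsass(path, size_bytes):
    """Return None for unrelated files, else a list of failed checks
    ('spelling', 'location', 'size'); an empty list means all three pass."""
    directory, name = ntpath.split(path)
    lowered = name.lower()               # Windows file names are case-insensitive
    normalized = lowered.translate(LOOKALIKES)
    if not normalized.endswith(".exe"):
        return None
    stem = normalized[:-4]
    # Accept "lsass" plus at most one trailing letter (lsassa, lsasss, ...)
    if not (stem.startswith("lsass") and len(stem) <= len("lsass") + 1):
        return None
    findings = []
    if lowered != REAL_NAME:
        findings.append("spelling")
    if ntpath.normpath(directory).lower() != REAL_DIR:
        findings.append("location")
    if size_bytes > MAX_SIZE:
        findings.append("size")
    return findings


def scan(records):
    """Map each suspicious path to the checks it failed."""
    report = {}
    for path, size in records:
        findings = check_lsass(path, size)
        if findings:
            report[path] = findings
    return report


# Constructed sample inventory: (image path, file size in bytes)
SAMPLE = [
    (r"C:\Windows\System32\lsass.exe", 57 * 1024),
    (r"C:\Windows\System32\svchost.exe", 50 * 1024),
    (r"C:\Users\Public\Downloads\lsass.exe", 57 * 1024),
    (r"C:\Windows\System32\Isass.exe", 60 * 1024),
    (r"C:\Windows\Temp\1sasss.exe", 3 * 1024 * 1024),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(f"{path}: failed {', '.join(findings)}")
```
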

How To Remove Fake lsass.exe Files?

To remove fake lsass.exe files from your computer, follow the steps given below:

  1. Go to ‘Task Manager’.
  2. Open the ‘Processes’ tab.
  3. Find ‘Task’ and right-click it.
  4. Select ‘End Task’.
  5. If you do not find ‘Task’ in the Processes tab, open the ‘Details’ tab and find ‘Task’ there.
  6. Right-click ‘Task’.
  7. Select ‘End process tree’.
  8. When you have closed the process, go to the folder where the fake lsass.exe file is located and delete it.

You are also recommended to scan your PC with efficient antivirus software and clean your system.


Conclusion

In this blog we discussed what the lsass.exe file is, along with its importance, functions and location. We also discussed how imitations of this file can be a potent security threat to your PC. We have tried to guide our readers on how to identify and get rid of such fake files and close this security vulnerability on their PCs. Additionally, if you face any challenges with your Windows system and some files become corrupt, you should use Kernel Windows Data Recovery software to recover complete files. It will recover all the data present in various drives excluding C drive where the software is installed.
