lsass.exe
Local Security Authority Process by Microsoft Corporation (Signed)
This is a Windows system installed file with Windows File Protection (WFP) enabled.
Overview
There are 11 versions of lsass.exe in the wild, the latest version being 6.3.9600.16384 (winblue_rtm.130821-1623). It is started as a Windows Service called 'Protected Storage' with the name 'ProtectedStorage' and described as “Provides protected storage for sensitive data, such as passwords, to prevent access by unauthorized services, processes, or users.” In addition, it runs under the context of the SYSTEM account with extensive privileges (the administrator accounts have the same privileges). It is executed as a shared service (which simply means that this service can share a process with other Win32 services). The average file size is about 28.68 KB. The file is digitally signed and issued to Microsoft Corporation by Microsoft Corporation. During the process's lifecycle, the typical CPU resource utilization is about 0.0047% including both foreground and background operations; the average private memory consumption is about 5.83 MB, with the maximum memory reaching around 12.4 MB. Additionally, typical disk I/O is about 1.96 KB per minute for reads and 4.17 KB per minute for writes.
What is lsass.exe?
Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
Details |
File name: | lsass.exe |
Publisher: | Microsoft Corporation |
Product name: | Local Security Authority Process |
Description: | Microsoft® Windows® Operating System |
Typical file path: | C:\Windows\System32\lsass.exe |
Certificate |
Issued to: | Microsoft Corporation |
Authority (CA): | Microsoft Corporation |
Expiration date: | Friday, June 13, 2014 |
Windows Service |
Service name: | ProtectedStorage |
Display name: | Protected Storage |
Description: | “Provides protected storage for sensitive data, such as passwords, to prevent access by unauthorized services, processes, or users.” |
Type: | Win32ShareProcess |
Behaviors
(Note: the behaviors below are for all versions of lsass.exe.)
Services
Runs under 'SYSTEM\CurrentControlSet\Services' as a shared service by the Service Host (svchost.exe)
- 'ProtectedStorage' (Protected Storage)
- 'KeyIso' (CNG Key Isolation)
- 'SamSs' (Security Accounts Manager)
Distribution by Windows OS
OS version | distribution |
Windows 8.1 | 46.50% |
Windows 8.1 Pro | 19.50% |
Windows 8.1 Single Language | 11.00% |
Windows 7 Ultimate | 7.00% |
Windows 8.1 Pro with Media Center | 6.00% |
Windows 7 Home Premium | 5.25% |
Windows 7 Home Basic | 1.75% |
Windows 8.1 N | 1.50% |
Windows 8.1 Enterprise Evaluation | 1.50% |
Distribution by country
United States installs about 40.75% of Local Security Authority Process.
Distribution by PC manufacturer
PC Manufacturer | distribution |
ASUS | 23.87% |
Acer | 17.81% |
Dell | 16.83% |
Lenovo | 14.09% |
Hewlett-Packard | 12.92% |
Toshiba | 9.39% |
Sony | 2.74% |
Alienware | 1.17% |
Samsung | 1.17% |