lsass.exe
Local Security Authority Process by Microsoft Corporation (Signed)
This is a Windows system installed file with Windows File Protection (WFP) enabled.
Overview
There are 12 versions of lsass.exe in the wild, the latest version being 6.3.9600.16384 (winblue_rtm.130821-1623). It is started as a Windows Service called 'IPSEC Services' with the name 'PolicyAgent' and described as “Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.”. . In addition, it is run under the context of the SYSTEM account with extensive privileges (the administrator accounts have the same privileges). This is executed as a shared service (which simply means that this service can share a process with other Win32 services). The average file size is about 27.62 KB. The file is a digitally signed and issued to Microsoft Corporation by Microsoft Corporation. During the process's lifecycle, the typical CPU resource utilization is about 0.0047% including both foreground and background operations, the average private memory consumption is about 5.87 MB with the maximum memory reaching around 12.45 MB. Addionally, typically read and write I/O disk operations is about 1.29 KB per minute for reads and 3.3 KB per minute for writes.
What is lsass.exe?
Local Security Authority Subsystem Service (LSASS), is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
 Details
|
| File name: | lsass.exe |
| Publisher: | Microsoft Corporation |
| Product name: | Local Security Authority Process |
| Description: | Microsoft® Windows® Operating System |
| Typical file path: | C:\Windows\System32\lsass.exe |
| Certificate |
| Issued to: | Microsoft Corporation |
| Authority (CA): | Microsoft Corporation |
| Expiration date: | Friday, June 13, 2014 |
| Windows Service |
| Service name: | PolicyAgent |
| Display name: | IPSEC Services |
| Description: | “Provides end-to-end security between clients and servers on TCP/IP networks. If this service is stopped, TCP/IP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to start.” |
| Type: | Win32ShareProcess |
Behaviors
(Note, the behaviors below are for all versions of lsass.exe, select a unique version for details.)
Services
Runs under 'SYSTEM\CurrentControlSet\Services' as a shared service by the Service Host (svchost.exe)
- 'PolicyAgent' (IPSEC Services)
- 'HTTPFilter' (HTTP SSL)
All file variations of lsass.exe
Distribution by Windows OS
| OS version | distribution |
| Windows 8.1 |
46.50% |
|
| Windows 8.1 Pro |
19.50% |
|
| Windows 8.1 Single Language |
11.00% |
|
| Windows 7 Ultimate |
7.00% |
|
| Windows 8.1 Pro with Media Center |
6.00% |
|
| Windows 7 Home Premium |
5.25% |
|
| Windows 7 Home Basic |
1.75% |
|
| Windows 8.1 N |
1.50% |
|
| Windows 8.1 Enterprise Evaluation |
1.50% |
|
Distribution by country
United States installs about 40.75% of Local Security Authority Process.
Distribution by PC manufacturer
| PC Manufacturer | distribution |
| ASUS |
23.87% |
|
| Acer |
17.81% |
|
| Dell |
16.83% |
|
| Lenovo |
14.09% |
|
| Hewlett-Packard |
12.92% |
|
| Toshiba |
9.39% |
|
| Sony |
2.74% |
|
| Alienware |
1.17% |
|
| Samsung |
1.17% |
|
