Should I block it?

No, this file is 100% safe to run.

VersionsAdditional versions

6.3.9600.16384 (winblue_rtm.130821-1623) 4.72%
6.3.9600.16384 (winblue_rtm.130821-1623) 0.06%
6.3.9431.0 (winmain_bluemp.130615-1214) 0.22%
6.3.9431.0 (winmain_bluemp.130615-1214) 0.01%
6.2.9200.16384 (win8_rtm.120725-1247) 0.86%
6.1.7601.17725 (win7sp1_gdr.111116-1503) 40.58%
6.1.7601.17725 (win7sp1_gdr.111116-1503) 18.70%
6.1.7600.16915 (win7_gdr.111116-1506) 3.54%
6.1.7600.16385 (win7_rtm.090713-1255) 8.16%
6.1.7600.16385 (win7_rtm.090713-1255) 3.92%
5.1.2600.5512 (xpsp.080413-2113) 12.71%
5.1.2600.5512 (xpsp.080413-2113) 0.91%
5.1.2600.5512 (xpsp.080413-2113) 0.65%
5.1.2600.5512 (xpsp.080413-2113) 0.06%
5.1.2600.5512 (xpsp.080413-2113) 0.59%
5.1.2600.5512 (xpsp.080413-2113) 0.01%
5.1.2600.5512 (xpsp.080413-2113) 0.01%
5.1.2600.5512 (xpsp.080413-2113) 0.38%
5.1.2600.5512 (xpsp.080413-2113) 0.06%
5.1.2600.5512 (xpsp.080413-2113) 0.01%
5.1.2600.5512 (xpsp.080413-2113) 0.17%
5.1.2600.5512 (xpsp.080413-2113) 0.27%
5.1.2600.5512 (xpsp.080413-2113) 0.06%
5.1.2600.5512 (xpsp.080413-2113) 0.27%
5.1.2600.5512 (xpsp.080413-2113) 0.06%
View more

PE structurePE file structure

Show functions
Import table
api-ms-win-core-crt-l1-1-0.dll
memcpy, wcstol, _wcsicmp, wcschr, strcpy_s, _vsnprintf_s, memset, _except_handler4_common
api-ms-win-core-crt-l2-1-0.dll
_initterm, _initterm_e, exit
api-ms-win-core-errorhandling-l1-1-0.dll
SetUnhandledExceptionFilter, SetErrorMode, SetLastError, UnhandledExceptionFilter, GetLastError
api-ms-win-core-errorhandling-l1-1-1.dll
GetLastError, SetUnhandledExceptionFilter, SetErrorMode, SetLastError, UnhandledExceptionFilter
api-ms-win-core-handle-l1-1-0.dll
CloseHandle
api-ms-win-core-heap-obsolete-l1-1-0.dll
LocalFree, LocalAlloc
api-ms-win-core-interlocked-l1-1-0.dll
InterlockedCompareExchange, InterlockedExchange
api-ms-win-core-libraryloader-l1-1-0.dll
GetProcAddress, LoadLibraryExW, GetModuleHandleA
api-ms-win-core-libraryloader-l1-1-1.dll
GetProcAddress, LoadLibraryExW
api-ms-win-core-libraryloader-l1-2-0.dll
GetProcAddress, LoadLibraryExW
api-ms-win-core-localregistry-l1-1-0.dll
RegQueryValueExW, RegOpenKeyExW, RegCloseKey
api-ms-win-core-misc-l1-1-0.dll
LocalAlloc, LocalFree, Sleep
api-ms-win-core-processenvironment-l1-1-0.dll
GetEnvironmentVariableW, SetEnvironmentVariableW
api-ms-win-core-processenvironment-l1-2-0.dll
SetEnvironmentVariableW, GetEnvironmentVariableW
api-ms-win-core-processthreads-l1-1-0.dll
OpenProcessToken, GetCurrentProcess, ExitThread, CreateThread, GetCurrentThreadId, GetCurrentProcessId, TerminateProcess
api-ms-win-core-processthreads-l1-1-1.dll
TerminateProcess, GetCurrentThreadId, GetCurrentProcessId, CreateThread, ExitThread, OpenProcessToken, GetCurrentProcess
api-ms-win-core-processthreads-l1-1-2.dll
TerminateProcess, GetCurrentThreadId, GetCurrentProcessId, CreateThread, ExitThread, GetCurrentProcess, OpenProcessToken
api-ms-win-core-profile-l1-1-0.dll
QueryPerformanceCounter
api-ms-win-core-registry-l1-1-0.dll
RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW
api-ms-win-core-synch-l1-1-0.dll
SetEvent, OpenEventW, CreateEventW
api-ms-win-core-synch-l1-2-0.dll
OpenEventW, CreateEventW, SetEvent
api-ms-win-core-sysinfo-l1-1-0.dll
GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-sysinfo-l1-2-0.dll
GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-sysinfo-l1-2-1.dll
GetTickCount, GetSystemTimeAsFileTime
api-ms-win-security-base-l1-1-0.dll
GetTokenInformation
api-ms-win-security-base-l1-2-0.dll
GetTokenInformation
msvcrt.dll
DllMain
ntdll.dll
NtCreatePort, NtConnectPort, NtListenPort, NtAcceptConnectPort, NtCompleteConnectPort, NtReplyWaitReceivePort, RtlLengthRequiredSid, RtlInitializeSid, RtlSubAuthoritySid, NtSetSecurityObject, NtOpenEvent, RtlFreeHeap, RtlAllocateHeap, RtlNtStatusToDosError, RtlSetProcessIsCritical, NtSetInformationProcess, RtlInitUnicodeString, NtOpenFile, NtDeviceIoControlFile, NtSetInformationFile, RtlCreateSecurityDescriptor, RtlLengthSid, RtlSetOwnerSecurityDescriptor, RtlCreateAcl, RtlAddAccessAllowedAce, RtlSetDaclSecurityDescriptor, RtlAllocateAndInitializeSid, RtlAddMandatoryAce, RtlSetSaclSecurityDescriptor, RtlMakeSelfRelativeSD, RtlUnhandledExceptionFilter, DbgPrintEx, NtRequestWaitReplyPort, RtlCreateAndSetSD, RtlFreeSid, RtlAcquireResourceShared, RtlReleaseResource, RtlAcquireResourceExclusive, RtlInitializeResource, NtClose
rpcrt4.dll
I_RpcMapWin32Status, RpcServerRegisterIf2, RpcServerListen, RpcServerUseProtseqEpW, NdrServerCall2, RpcServerRegisterIf3
sspisrv.dll
SspiSrvInitialize, SspiSrvClientCallback
Export table
LsaGetInterface
LsaRegisterExtension
LsaRegisterInterface

lsass.exe

Local Security Authority Process by Microsoft Corporation (Signed)

Remove lsass.exe
Version:   5.1.2600.5512 (xpsp.080413-2113)
MD5:   1e5f363f023bc4861f44bfcabf4cbea1
SHA1:   acf325ba4c9d5644659f979e52133cf071e3240d
SHA256:   28719c0eeeccf7c8f0d5ffb8ccd0d7161a3ced9bac0a941870215fd9f6328d77
This is a Windows system installed file with Windows File Protection (WFP) enabled.

What is lsass.exe?

Local Security Authority Subsystem Service (LSASS), is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

Overview

lsass.exe runs as a service under the name Titkosított fájlrendszer (EFS) (KeyIso) with extensive SYSTEM privileges (full administrator access) as a shared service. The file is digitally signed by Microsoft Corporation. This version is installed on Windows XP and is compiled as a 32 bit program.

DetailsDetails

File name:lsass.exe
Publisher:Microsoft Corporation
Product name:Local Security Authority Process
Description:Microsoft® Windows® Operating System
Typical file path:C:\Windows\System32\lsass.exe
File version:5.1.2600.5512 (xpsp.080413-2113)
Product version:5.1.2600.5512
Size:13 KB (13,312 bytes)
Certificate
Issued to:Microsoft Corporation
Authority (CA):Microsoft Corporation
Expiration date:Friday, June 13, 2014
Digital DNA
Entropy:5.983062
File packed:No
Code language:Microsoft Visual C++
.NET CLR:No
More details

BehaviorsBehaviors

Services
Runs under 'SYSTEM\CurrentControlSet\Services' as a shared service by the Service Host (svchost.exe)
Network connections
  • [UDP] listens on port 500
  • [UDP] listens on port 4500

  • ResourcesResource utilization

    (Note: statistics below are averages based on a minimum sample size of 200 unique participants)
    Averages
     
    CPU
    Total CPU:0.00099776%
    0.028634%
    Kernel CPU:0.00045265%
    0.013761%
    User CPU:0.00054511%
    0.014873%
    Kernel CPU time:201,990 ms/min
    100,923,805ms/min
    Context switches:9/sec
    284/sec
    Memory
    Private memory:5.01 MB
    21.59 MB
    Private (maximum):5.73 MB
    Private (minimum):616 KB
    Non-paged memory:5.01 MB
    21.59 MB
    Virtual memory:43.63 MB
    140.96 MB
    Virtual memory (peak):45.13 MB
    169.69 MB
    Working set:2.13 MB
    18.61 MB
    Working set (peak):7.09 MB
    37.95 MB
    Page faults:442,261/min
    2,039/min
    I/O
    I/O read transfer:2.07 KB/sec
    1.02 MB/min
    I/O read operations:23/sec
    343/min
    I/O write transfer:1.42 KB/sec
    274.99 KB/min
    I/O write operations:20/sec
    227/min
    I/O other transfer:336 Bytes/sec
    448.09 KB/min
    I/O other operations:45/sec
    1,671/min
    Resource allocations
    Threads:22
    12
    Handles:401
    600
    GUI GDI count:5
    103
    GUI USER count:2
    49

    BehaviorsProcess properties

    Integrety level:Undefined
    Platform:32-bit
    Command line:C:\Windows\System32\lsass.exe
    Owner:SYSTEM
    Windows Service
    Service name:KeyIso
    Display name:Titkosított fájlrendszer (EFS)
    Description:“Durch den Start dieses Diensts wird anderen Diensten signalisiert, dass die Sicherheitskontenverwaltung (SAM) bereit ist, Anforderungen anzunehmen. Wenn Sie diesen Dienst deaktivieren, wird verhindert, dass andere Dienste im System benachrichtigt werden, wenn die Sicherheitskontenverwaltung bereit ist. Dies kann wiederum dazu führen, dass diese Dienste nicht korrekt gestartet werden. Dieser Dienst”
    Type:Win32ShareProcess
    Parent process:winlogon.exe (Microsoft Windows Operating System by Microsoft)

    ResourcesThreads

    Averages
     
    LSASRV.dll
    Total CPU:0.07722008%
    0.272967%
    Kernel CPU:0.03861004%
    0.107585%
    User CPU:0.03861004%
    0.165382%
    Context switches:11/sec
    79/sec
    Memory:700 KB
    1.16 MB
    RPCRT4.dll
    Total CPU:0.02156755%
    Kernel CPU:0.01531609%
    User CPU:0.00625147%
    Context switches:5/sec
    Memory:588 KB
    ntdll.dll
    Total CPU:0.00025564%
    Kernel CPU:0.00001826%
    User CPU:0.00023738%
    Memory:604 KB
    msvcrt.dll
    Total CPU:0.00007156%
    Kernel CPU:0.00003611%
    User CPU:0.00003545%
    Context switches:1/sec
    Memory:352 KB
    ADVAPI32.dll
    Total CPU:0.00006032%
    Kernel CPU:0.00000058%
    User CPU:0.00005974%
    Memory:668 KB

    Common loaded modules

    These are modules that are typiclaly loaded within the context of this process.

    Windows OS versionsDistribution by Windows OS

    OS versiondistribution
    Windows 8.1 34.50%
    Windows 8.1 Pro 27.00%
    Windows 8.1 Single Language 12.00%
    Windows 7 Ultimate 10.50%
    Windows 7 Home Premium 7.00%
    Windows 8.1 Pro with Media Center 3.00%
    Windows 8.1 N 3.00%
    Windows 8.1 Enterprise Evaluation 3.00%

    Distribution by countryDistribution by country

    United States installs about 39.50% of Local Security Authority Process.

    OEM distributionDistribution by PC manufacturer

    PC Manufacturerdistribution
    ASUS 30.23%
    Dell 24.03%
    Acer 17.83%
    Lenovo 13.95%
    Hewlett-Packard 6.98%
    Toshiba 4.65%
    Alienware 2.33%
    Should I remove It? Clean your PC of unwanted adware, toolbars and bloatware.

    Download it for FREE