lsaiso.exe

lsaiso.exe is the LSA Isolated process, the protected vault that appears when Windows Credential Guard is enabled. It holds the credential secrets that would otherwise live inside lsass.exe, keeping them in a virtualization-protected area of memory that the rest of the operating system can't read.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

lsaiso.exe only exists on systems running Credential Guard, a feature that uses virtualization-based security (VBS) to wall off credential secrets from the rest of the operating system. When it's enabled, Windows splits the Local Security Authority in two: lsass.exe keeps handling authentication requests from the rest of the system as usual, while lsaiso.exe holds the actual secrets, like NTLM hashes and Kerberos tickets, inside an isolated environment protected by the hypervisor.

That isolation is the whole point. lsaiso.exe runs in what Microsoft calls Isolated User Mode, where even the kernel, drivers, and administrators of the normal operating system can't read its memory. lsass.exe communicates with it over an RPC channel and only ever gets back the results of credential operations, never the secrets themselves, so even malware running with administrative privileges on the main OS cannot read them. That is how Credential Guard defends against credential-theft attacks such as pass-the-hash and pass-the-ticket. Debuggers and memory tools show almost nothing about it, which is expected for an isolated process, and it generally sits quietly with minimal resource use.

It's started by wininit.exe during boot, alongside lsass.exe, and runs as NT AUTHORITY\SYSTEM in session 0 from C:\Windows\System32\lsaiso.exe. A single instance runs, starts no children, and stays up for the life of the machine. The genuine lsaiso.exe is a trusted, signed Microsoft system file, and on a machine with Credential Guard enabled it should never be missing. Not seeing it at all simply means Credential Guard isn't enabled, which is normal on many machines.

Security notes

Because security-related process names carry a trusted reputation, lsaiso.exe is the kind of name malware may try to imitate (T1036.005). A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft digital signature. Be suspicious of copies found in other locations or slight misspellings such as lsaisa.exe or lsaiso32.exe. The quickest check is whether Credential Guard is enabled at all: a process named lsaiso.exe on a machine that doesn't run Credential Guard is an anomaly.

lsaiso.exe exists to defeat credential dumping. Tools like Mimikatz that pull password hashes out of lsass.exe memory (T1003.001) come up empty against it, because the secrets sit in memory the operating system itself can't read. Attackers on a Credential Guard machine therefore look for ways around it rather than through it: capturing credentials as they're typed, or disabling Credential Guard entirely, which takes registry and boot configuration changes plus a reboot (T1685).

Anomaly signals
  • Image path other than C:\Windows\System32\lsaiso.exe (high)
  • Running on a machine where Credential Guard is not enabled (high)
  • Parent other than wininit.exe (high)
  • Any child processes (high)
  • Running as any account other than NT AUTHORITY\SYSTEM (high)
  • Unsigned image or a signer other than Microsoft (high)
  • More than one instance (high)
  • lsaiso.exe no longer running on a machine where Credential Guard was enabled (medium)
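As an added example (not code from the original page or from any vendor), the signals above applied to constructed process records the way an EDR rule would; the ProcRecord fields and the cred_guard_running flag are assumptions about what a collector exposes (on a live host that flag would be derived from the Win32_DeviceGuard class's SecurityServicesRunning value, which this offline example does not query).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EXPECTED_IMAGE = r"c:\windows\system32\lsaiso.exe"

@dataclass
class ProcRecord:            # assumed collector schema, not a real API
    image: str               # full image path from the process record
    parent: str              # parent image name
    user: str                # account the process runs as
    signer: Optional[str]    # Authenticode signer, None if unsigned
    children: int = 0        # number of child processes observed

@dataclass
class HostSnapshot:
    cred_guard_running: bool  # Credential Guard reported as running on the host
    procs: List[ProcRecord] = field(default_factory=list)

def score_lsaiso(host: HostSnapshot) -> List[Tuple[str, str]]:
    """Return (severity, description) for every lsaiso.exe anomaly signal that fires."""
    hits = []
    lsaiso = [p for p in host.procs if p.image.lower().rsplit("\\", 1)[-1] == "lsaiso.exe"]
    if not lsaiso:
        if host.cred_guard_running:
            hits.append(("med", "lsaiso.exe not running although Credential Guard is enabled"))
        return hits  # absence is normal when Credential Guard is off
    if not host.cred_guard_running:
        hits.append(("high", "lsaiso.exe running but Credential Guard is not enabled"))
    if len(lsaiso) > 1:
        hits.append(("high", f"{len(lsaiso)} instances of lsaiso.exe"))
    for p in lsaiso:
        if p.image.lower() != EXPECTED_IMAGE:
            hits.append(("high", f"image path {p.image}"))
        if p.parent.lower() != "wininit.exe":
            hits.append(("high", f"parent {p.parent}, expected wininit.exe"))
        if p.children:
            hits.append(("high", f"{p.children} child process(es)"))
        if p.user.upper() != r"NT AUTHORITY\SYSTEM":
            hits.append(("high", f"running as {p.user}"))
        if p.signer is None or "microsoft" not in p.signer.lower():
            hits.append(("high", f"unsigned or non-Microsoft signer: {p.signer}"))
    return hits

# Constructed sample snapshots (not real telemetry).
GENUINE = ProcRecord(r"C:\Windows\System32\lsaiso.exe", "wininit.exe",
                     r"NT AUTHORITY\SYSTEM", "Microsoft Windows")
HEALTHY = HostSnapshot(True, [GENUINE])
MASQUERADE = HostSnapshot(False, [ProcRecord(r"C:\Users\Public\lsaiso.exe", "explorer.exe",
                                             r"WORKSTATION\bob", None, children=1)])
MISSING = HostSnapshot(True, [])
```

Lookalike names such as lsaisa.exe are deliberately outside this rule, since they never match the exact image name; they belong in a separate masquerading check.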

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
