Process
lsass.exe
lsass.exe is the Local Security Authority Subsystem Service, the process that handles authentication and security policy on Windows. It verifies users signing in, issues the access tokens that decide what each account can do, and manages password changes. To do its job it keeps credential material in memory, which is exactly what makes it the most valuable target on a compromised machine.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: lsass.exe
- Internal name: lsass.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
- Version: 10.0.26100.8328 (WinBuild.160101.0800) (100%)
- Size: 82.20 KB (100%)
Execution context
- Image path: C:\Windows\System32\lsass.exe (100%)
- Not observed.
- Not observed.
- 1 (100%)
- Session 0 (100%)
- Privileges: SeCreatePagefilePrivilege (100%), SeIncreaseBasePriorityPrivilege (100%), SeIncreaseWorkingSetPrivilege (100%), SeCreateGlobalPrivilege (100%), SeCreatePermanentPrivilege (100%)
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
- svchost.exe (100%)
- wmiprvse.exe (100%)
- explorer.exe (33.3%)
- services.exe (33.3%)
- msedgewebview2.exe (33.3%)
Not observed.
Indicators
Not observed.
Analysis
lsass.exe enforces the local security policy. When someone signs in, it authenticates them by calling the authentication package named in HKLM\SYSTEM\CurrentControlSet\Control\Lsa, typically Kerberos for domain accounts or MSV1_0 for local accounts, and on success it creates the access token that represents that user for the rest of the session. Password changes, NTLM authentication, and the writing of security audit log entries all run through it.
It's started by wininit.exe early in boot and runs in session 0 as NT AUTHORITY\SYSTEM from C:\Windows\System32\lsass.exe. Exactly one instance runs on a normal system, and it stays up for the life of the machine. It's a critical process, so terminating it will crash the system with a stop error (blue screen).
To authenticate users without prompting for a password at every step, lsass.exe caches credential material in its memory: NTLM hashes, Kerberos tickets, and in some configurations more. On systems with Credential Guard enabled, those secrets move into the isolated lsaiso.exe process and lsass.exe no longer holds them directly.
The genuine lsass.exe is a trusted, signed Microsoft system file. On modern Windows it can be configured to run as a protected process (PPL), which stops other processes, even administrators, from reading its memory or loading code into it.
Because of its central role and its trusted name, lsass.exe is both a prime impersonation target and the single most common credential-theft target on Windows. A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft digital signature. Be suspicious of copies running from other locations and of near-miss spellings such as lsas.exe, lsasss.exe, or lsass32.exe, which use the trusted name to hide in a process list (T1036.005).
The bigger threat is theft from the real process. Because lsass.exe holds password hashes and Kerberos tickets in memory, attackers dump that memory to harvest credentials (T1003.001), most famously with Mimikatz, but also by saving a memory dump with built-in tools like comsvcs.dll or procdump and parsing it offline. The harvested secrets then feed pass-the-hash and pass-the-ticket attacks for lateral movement. Any unexpected process opening a handle to lsass.exe memory, or an lsass.dmp-style file appearing on disk, is worth running down.
A genuine lsass.exe rarely spawns child processes. Encrypting File System operations are a known exception, but beyond those a command shell or any other process parented to lsass.exe is a strong sign of injected code (T1055). The defensive baseline is to enable LSA protection (PPL) and, where the hardware supports it, Credential Guard, which moves the secrets out of reach in lsaiso.exe.
- Image path other than C:\Windows\System32\lsass.exe (high)
- More than one instance (high)
- Parent other than wininit.exe (high)
- Running as any account other than NT AUTHORITY\SYSTEM (high)
- Unsigned image or a signer other than Microsoft (high)
- Child processes other than the occasional Encrypting File System helper, especially a command shell or script host (high)
- Access from tools like procdump, comsvcs.dll, or taskmgr reading its memory (high)
- Outbound network connections to non-domain-controller hosts (med)
- An untrusted or unsigned DLL loaded into the process (med)
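The baseline from the Analysis section and the indicator list above, turned into checks over constructed process records; this is an added example, not code from the original page. It scores a record against the stated path, parent, account and signer, catches the near-miss names by edit distance while allowing lsaiso.exe, and flags memory reads by the tools the page names. The record field names (image, parent, user, signed, signer, children, source_image, source_modules) are assumptions about the telemetry format.

```python
# Added example: the baseline and indicator list above, run over constructed records.
EXPECTED_PATH = r"c:\windows\system32\lsass.exe"      # stated image path
EXPECTED_PARENT = "wininit.exe"                        # stated parent
EXPECTED_USER = r"nt authority\system"                 # stated account
EXPECTED_SIGNER = "microsoft windows"                  # signer from File identity
DUMP_TOOLS = {"procdump.exe", "taskmgr.exe"}           # named as memory readers
KNOWN_GOOD = {"lsass.exe", "lsaiso.exe"}               # legitimate names near lsass.exe

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings (T1036.005)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(image):
    """True for a basename within two edits of lsass.exe that is not a known-good name."""
    name = image.lower().rsplit("\\", 1)[-1]
    return name not in KNOWN_GOOD and edit_distance(name, "lsass.exe") <= 2

def check_lsass(proc, instance_count):
    """Return (indicator, severity) findings for one process record named lsass.exe."""
    findings = []
    if proc["image"].lower() != EXPECTED_PATH:
        findings.append(("image path outside System32", "high"))
    if instance_count > 1:
        findings.append(("more than one instance", "high"))
    if proc["parent"].lower() != EXPECTED_PARENT:
        findings.append(("parent other than wininit.exe", "high"))
    if proc["user"].lower() != EXPECTED_USER:
        findings.append(("not running as NT AUTHORITY\\SYSTEM", "high"))
    if not proc.get("signed") or proc.get("signer", "").lower() != EXPECTED_SIGNER:
        findings.append(("unsigned or non-Microsoft signer", "high"))
    # The only expected child is an EFS helper the page does not name, so every
    # child is surfaced and the analyst confirms that exception by hand.
    findings += [(f"child process {c}", "high") for c in proc.get("children", [])]
    return findings

def check_access(event):
    """Flag a handle to lsass.exe opened by a named dump tool or via comsvcs.dll."""
    src = event["source_image"].lower().rsplit("\\", 1)[-1]
    mods = {m.lower().rsplit("\\", 1)[-1] for m in event.get("source_modules", [])}
    if src in DUMP_TOOLS or "comsvcs.dll" in mods:
        return ("memory read by " + src, "high")
    return None
```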
Telemetry
- Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1