What is lsass.exe and how does it affect your computer?

Deepak Gupta
Deepak Gupta December 9, 2021
Updated 2021/12/09 at 3:26 PM

Lsass.exe is a very safe Microsoft file that is used in Windows operating systems. It is of essential importance to the operations of a Windows computer and therefore should not be deleted, moved or edited. To learn more about what lsass.exe is and how it affects your computer, read on …

The lsass.exe file is permanently located in the folder Windows System32 and is used to comply with security policies. While the lsass.exe file is extremely important for normal Windows operations. Malware has been known to hijack the actual file or pretend to be original in order to trick it into letting it start.

How to detect a lsass.exe file that affects your computer?

It is easy to spot a fake lsass.exe file, but you need to look very carefully at a few things to make sure you are dealing with a rogue process. The most common way for malware to make you think lsass.exe is not a virus is to rename the file. Since a folder cannot have two files with the same name, it is slightly modified.

Here we show you an example:


If it looks like lsass.exe, you’re right. However, the actual file uses a lowercase L (l) while the malicious one uses an uppercase i (I). Depending on how the fonts are displayed on your computer, they may appear identical, making it easy to confuse them. One way to check if the file name is not correct is to use a case converter. Copy the file name and paste it into this text box. Select lowercase to convert everything.

This will be the result if the file is not genuine :


Here are some other misspellings that trick you into letting the file stay on your computer

lsass .exe 

Where can you find the lsass.exe file?

The actual lsass.exe file is in only one folder, so if you find it elsewhere, it is dangerous and should be removed immediately.

This is where lsass.exe should be stored

C:  Windows  System32 

If it’s anywhere else on your computer, in your Downloads folder or on a flash drive, treat it like a threat and remove it immediately. Your computer may have some lsass.exe files in folders C: Windows winsxs . These are used during Windows updates and serve as backups.

Here’s how to tell where it’s running from

  1. Open the Task Manager. There are several ways to do it, but the simplest is with the keyboard shortcut Ctrl + Shift + Esc.
  2. Open the tab Details. If you don’t see this tab, press More details at the bottom of the Task Manager.
  3. Right click on lsass.exe of the list.
  4. Choose Open file location, which should open the folder C: Windows System32 and preselect the lsass.exe file, as you can see below.
  5. Repeat the steps above for each lsass.exe file that you see in Task Manager. There should only be one in the list, so if you see additional instances, all but one are fake.
  6. If you found a fake lsass.exe file, check the instructions on the button on this page to find out how to remove it and make sure your computer is clean of viruses and other.

What is your file size?

It is common for viruses and other malicious software to use a file the size of a program to deliver whatever the malware is carrying. So another way to check if lsass.exe is real or fake is to see how much space the file takes up. For example, the lsass.exe file for Windows 8 is 46 KB and the file for Windows 10 is 57 KB. If the file you are viewing is much larger, such as a few megabytes or more, it is not the actual file provided by Microsoft.

Why does lsass.exe use so much memory space?

Some Windows processes shouldn’t use a lot of memory or processor power, and when they do, it’s usually a sign that something is not quite right and that it could be malware. Lsass.exe is an exception where, under certain normal circumstances, it will use more RAM and CPU than at other times. Therefore it makes it difficult to know whether lsass.exe is real or not. Memory usage for lsass.exe should stay below 10MB at any given time, but it is normal for it to increase when more than one user is logged in.

When should you remove lsass.exe that affects your computer?

If lsass.exe is using a very excessive amount of memory or processor, and especially if the EXE file is not in the folder Windows System32 , you must get rid of it. Only an infected lsass.exe file or similar will hog your system resources. An example of this is if the lsass.exe file pretends to be real in order to mine cryptocurrencies. Crypto mining software requires massive amounts of system resources.

How to remove a lsass.exe virus?

Before learning how to remove lsass.exe that affects your computer, remember that you cannot delete, disable or shut down the actual lsass.exe file for any reason. The steps below are to remove a fake lsass.exe file.

  1. Close the fake lsass.exe process and then delete the file. You can do this in a number of ways, but the easiest is to right-click on the tab Processes from the Task Manager and select Finish homework.
  2. Once you have closed the process, open the folder where the file is located and delete it. If you suspect that a certain program is responsible for installing the lsass EXE virus, feel free to remove the program to see if it removes the process as well.
  3. Scan your computer for lsass.exe malware using a program such as Malwarebytes or some other on-demand virus scanner.
  4. Install an antivirus program that is always on. This will help provide not only a second look in addition to Malwarebytes, but also a permanent method to ensure that your computer is protected from threats.
  5. Use a startup antivirus tool to remove the lsass.exe virus. This is a perfect method if the other programs above didn’t work.

Share this Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *