What Is lsass.exe and Why Does It Eat My RAM?

LSASS- What is LSASS

The “lsass.exe” process is critical to Windows’s proper functioning and should not be modified in any way. However, malware has been known to infect and even thrive within legitimate files or masquerade as the original in an effort to deceive users into allowing it to execute. This article discusses the function of the “Isass.exe” process and shows you how to check if a virus has infected it or not.

What Is lsass.exe and What Does It Do?

“lsass.exe” is a safe file in Windows that plays a vital part in your PC’s day-to-day operations. It’s used to enforce security policies and has to do with password changes and login verifications. “lsass.exe” stores credentials in memory to enable a single sign-in, where the user does not have to reenter credentials for services inside the domain.

This service is also active on domain controller computers (servers responsible for managing networks). On server computers, lsass.exe is responsible for storing thousand of passwords and IDs and monitoring resource access. As a result, you will notice that the process uses more CPU, RAM, and IO resources on a domain controller computer.

Image source: Freepik

Even so, you shouldn’t observe quite as significant an impact on a computer that isn’t a domain controller. Therefore, something is wrong if the process still uses too much RAM on your computer. The most frequent scenario would be that the supposedly lsass.exe process is not what it first seems to be, in which case the likelihood that you have gotten a virus is relatively high.

Malware frequently renames the file to something similar to trick you into believing “lsass.exe” is not a virus. Fortunately, there are ways to tell a genuine Windows process from a duplicate.

If you’re worried about viruses taking over your PC, check out this list of more genuine Windows processes that can look like malware.

1. Check the Spelling

A malicious “lsass.exe” process might use an uppercase “i” (I), whereas the genuine process uses a lowercase “L” (l). Names may appear similar, depending on how your computer displays them, making it easy to confuse one for the other.

You can check whether the filename is incorrect by using a case converter tool, such as the one offered by Microsoft Word.

  1. Copy the file name, then paste it into the word processor.
  2. Click the “Change case” button from the menu at the top and select “UPPERCASE.”
Lsass Title Case Converter In Word View

There are other variations of the genuine “lsass.exe” process, and you should keep an eye out for them as well:

  • lsass .exe
  • lsassa.exe
  • lsasss.exe
  • Isassa.exe

2. View Its Location

The true “lsass.exe” file is only found in one place: “C:\Windows\System32\”. If you locate it elsewhere, it is most certainly malicious and should be deleted immediately.

You can find out where the process is running if you spot it in the Task Manager:

  1. Open Task Manager by pressing Ctrl + Alt + Del and clicking the appropriate button.
  1. Under “Processes,” scroll down until you find the lsass process (Local Security Authority Process), right-click it, and select “Open file location.” This should open the “C:\Windows\System32\” folder.
Lsass File Location 1
  1. If you can’t see it, switch to the “Details” tab and search for “Isass.exe” there. Click on “Open file location.”
Lsass - Process In Task Manager 1
  1. Repeat the instructions for each “lsass.exe” file in Task Manager. There should only be one process listed, but if you see more, all except one are fake.

3. Check the File Size

As viruses and other malicious software frequently use program-sized files to distribute malware, you can determine whether “lsass.exe” is the real service by looking at how much space the file takes up.

  1. Go to Task Manager and open the “Isass.exe” file at its location as shown in the previous section.
  1. To verify the file’s size, right-click it and select “Properties.”
Lsass Go To Lsass File Properties 1
  1. The Windows 11 version of the file is 82KB, while the Windows 10 version should be 57KB. For those still running Windows 8, the file is only 46KB. If the process you are viewing is much larger, such as a few gigabytes or more, it’s certainly not a genuine Microsoft file.
Lsass File Size

Frequently Asked Questions

How can I fix lsass.exe high RAM usage issues?

If the genuine “lsass.exe” file appears to be eating a lot of RAM resources, you should try the following:

  • Perform an antivirus scan
  • Use DISM and SFC commands in PowerShell (Admin)
  • Update Windows
  • Perform a System Restore
  • Delete the “Isass.exe” virus file

Don’t like the idea of installing a third-party antivirus program on your PC? With Windows’s built-in Defender, you don’t have to.

How do I remove lsass.exe virus?

First, go to Task Manager. In the “Processes” tab, select the potentially malicious “lsass.exe” and click on “Open Location.” If the process isn’t visible, switch to the “Details” tab.

Next, go back to the “Task Manager,” right-click on the “lsass.exe” process, and select “End Task,” then go back to the “lsass.exe” file location and delete it.

Why is disabling the real lsass.exe process not a good idea?

Launching lsass.exe informs other services that the Security Accounts Manager (SAM) is ready to receive requests. Disabling this process means system services won’t receive notifications when SAM is ready, which may prevent them from starting properly.

Image credit: Unsplash. All screenshots by Farhad Pashaei.

Farhad Pashaei
Farhad Pashaei

As a technophile, Farhad has spent the last decade getting hands-on experience with a variety of electronic devices, including smartphones, laptops, accessories, wearables, printers, and so on. When he isn’t writing, you can bet he’s devouring information on products making their market foray, demonstrating his unquenchable thirst for technology.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox