The file is permanently located in the \Windows\System32\ folder and is used to enforce security policies, meaning that it’s involved with things like password changes and login verifications. While the file is extremely important for normal Windows operations and should not be tampered with, malware has been known to either hijack the real lsass.exe file or pretend to be authentic to fool you into letting it run.

How to Spot a Fake lsass.exe File

It’s not difficult to spot a fake lsass.exe file, but you have to look very carefully at a few things to ensure that you’re dealing with a fake process and not the real one that Windows needs.

Check the Spelling

The most common method used by malware to trick you into thinking lsass.exe is not a virus is by renaming the file to something very similar. Since a folder can’t have two files with the same name, it will be changed ever so slightly. Here’s an example: Isass.exe

If that looks just like lsass.exe, you’re right…it does. However, the real file uses a lowercase L (l) while the malicious one uses an uppercase i (I). Depending on how fonts are displayed on your computer, they could look identical, making it easy to confuse them for each other.

One way to verify whether the filename is incorrect is to use a case converter. Copy the filename and paste it into the text box at Convert Case, and then select lower case to convert it all into lower case. If the result is not genuine, it’ll be spelled like this: isass.exe.

These are some other purposeful misspellings intended to trick you into letting the file stay on your computer or allowing it to run when asked (look closely at that first one; it has an unneeded space):

Where Is It Located?

The real lsass.exe file is in one folder only, so if you find it anywhere else, it’s most likely dangerous and should be deleted immediately. The real file is supposed to be stored in the \Windows\System32\ folder.

If it’s anywhere else on your computer, like on the desktop, in your downloads folder, on a flash drive, etc., treat it as a threat and promptly remove it (there’s more on how to do that below).

If you see lsass.exe in Task Manager, here’s how to know where it’s actually running from:

What’s Its File Size?

It’s common for viruses and other malicious software to use a program-sized file to deliver whatever it is the malware is carrying, so another way to check whether lsass.exe is real or fake is to see how much space the file is taking up on the hard drive.

There are several ways to do this, but the easiest is with the Ctrl+Shift+Esc keyboard shortcut. You could also access it from the Power User Menu in Windows 11/10/8, by right-clicking the Start button. Right-click it and open Properties to check its size.

For example, the Windows 11 version of the file is 82 KB on our test machine, the Windows 10 lsass.exe file is 57 KB, and the Windows 8 one is 46 KB. If the file you’re seeing is a lot bigger, like a few megabytes or more, then it’s most likely not the real file provided by Microsoft.
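The spelling, location and size checks described above can be applied together to a list of process image paths. This is an added example, not code from the original article; it generalizes the lower-case trick to other lookalike characters, stray spaces and one-letter misspellings, and the C: drive letter, the 1 MiB size limit and the sample records are assumptions.

```python
import ntpath
import unicodedata

GENUINE_NAME = "lsass.exe"
# Assumption: Windows is installed on C:; the article only gives \Windows\System32\.
GENUINE_DIR = r"C:\Windows\System32"
# Assumption: the article's "a few megabytes" is approximated here as 1 MiB.
SIZE_LIMIT = 1024 * 1024
# Characters that can pass for a lowercase L in some fonts.
CONFUSABLES = str.maketrans({"I": "l", "i": "l", "1": "l", "|": "l"})

def skeleton(name):
    """Fold a filename so that lookalike spellings collapse to one form."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(name.split())  # drop stray spaces such as "lsass .exe"
    return name.translate(CONFUSABLES).lower()

def edit_distance(a, b):
    """Levenshtein distance, to catch a dropped or doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path, size_bytes):
    """Return the list of checks a process image fails, or ["consistent"]."""
    directory, name = ntpath.split(image_path)
    findings = []
    if name.lower() != GENUINE_NAME:  # Windows filenames ignore case
        if edit_distance(skeleton(name), GENUINE_NAME) > 1:
            return ["unrelated"]
        findings.append("lookalike-name")
    if ntpath.normcase(directory) != ntpath.normcase(GENUINE_DIR):
        findings.append("wrong-folder")
    if size_bytes > SIZE_LIMIT:
        findings.append("oversized")
    return findings or ["consistent"]

# Constructed sample data (image path, size in bytes); not from a real host.
SAMPLES = [
    (r"C:\Windows\System32\lsass.exe", 57 * 1024),
    (r"C:\Windows\System32\Isass.exe", 57 * 1024),
    (r"C:\Windows\System32\lsass .exe", 60 * 1024),
    (r"C:\Users\Public\Downloads\lsass.exe", 4 * 1024 * 1024),
    (r"C:\Windows\System32\svchost.exe", 50 * 1024),
]

if __name__ == "__main__":
    for path, size in SAMPLES:
        print(f"{path!r:45} {classify(path, size)}")
```

A "consistent" result only means the name, folder and size match what the article describes; it does not show that the file itself is unmodified.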

Why Is lsass.exe Using so Much Memory?

Is Task Manager reporting lsass.exe high CPU or memory usage? Some Windows processes should never use much memory or processor power, and when they do, it’s usually a sign that something isn’t quite right and that something could be malware. Lsass.exe is one exception where under certain normal circumstances, it will use more RAM and CPU than at other times, making it difficult to know whether lsass.exe is real or fake. Memory usage for lsass.exe should remain below 10 MB at any given time, but it’s normal for it to spike when more than one user is logged in, during encrypted file writes on NTFS volumes, and possibly other times like while a user is changing their password or during the opening of a program when it’s being run with an administrator’s credentials.

When to Remove lsass.exe

If lsass.exe is using an obviously excessive amount of the memory or processor, and especially if the EXE file is not located in the Windows\System32\ folder, you need to get rid of it. Only an infected lsass.exe file or a lookalike will hog all the system resources. One example of this is if the lsass.exe file is pretending to be real so that it can mine cryptocurrencies. Software that performs crypto mining requires massive amounts of system resources, so if your computer is unusually slow, crashes randomly, displays strange errors, or has inexplicably installed browser add-ons or other programs you never agreed to, then you can safely assume that you need a good malware cleaning.

How to Remove a lsass.exe Virus

Before learning how to delete a lsass.exe infection, remember that you cannot delete the real lsass.exe file, nor can you disable it or shut it down for any reason. The steps below are for removing a fake lsass.exe file; one that Windows isn’t really using. You can do this a number of ways, but the easiest is to right-click the task in the Processes tab of Task Manager and select End task. If you don’t see the task there, look for it under the Details tab, right-click it, and choose End process tree. See our list of the best Windows antivirus software if you’re not sure where to look.