What Is the LSA Shell Lsass.Exe?
Hackers enjoy finding creative ways to exploit critical Windows operating system files, and an easy target for corruption has been the Local Security Authority Subsystem Service, or lsass. Lsass manages computer security policies and user authentications. Its executable lsass.exe has inspired viruses that hijack CPU processes and cause the computer to reboot. By understanding the basics of lsass, you can become savvy in identifying inappropriate instances of the executable and thus prevent viral infections.
Purpose
Lsass authenticates users and enforces the security policy for a computer. When a user logs on, lsass checks whether the user's credentials are valid on the computer and, if applicable, on the domain. After validating the user, lsass generates an access token and launches the initial shell. Lsass also manages the audit policy of the computer it monitors.
Components
The Local Security Authority Subsystem Service includes six components. The Local Security Authority, or LSA, manages user authentication and user privileges. The LSA Server Service directs computer security. The Net Logon service monitors and secures user and computer access to the domain controller. Secure Sockets Layer (SSL) encrypts authentication calls to a server. The Kerberos v5 Authentication and NTLM protocols handle the individual logon protocols. Finally, the Security Accounts Manager Service coordinates the lsass process, bringing the individual components together so that they function as one.
Instances
Although the genuine lsass.exe file sits in the C:\Windows\System32 directory, a viral infection can create additional instances of the file elsewhere. When that happens, the extra instances can waste CPU and memory and cause the computer to reboot or even crash. Examples of viruses that have exploited lsass.exe include W32.Nimos.Worm, W32.Sasser.E.Worm, W32.HLLW.Lovegate.C@mm, Trojan.W32.KELVIR, Trojan.W32.Webus, Trojan.W32.Satiloler, Trojan E32.Downloader, and Trojan.W32.Rontokbr.
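The check described above, written out as an added PowerShell example (not part of the original article): it enumerates every running process named lsass.exe and flags any instance whose image is not the System32 copy, whose parent is not wininit.exe (an assumption that holds on Windows Vista and later), or whose Authenticode signature does not verify.

```powershell
# Added example, not from the original article: find processes named lsass.exe
# that do not look like the genuine LSA shell.
# Assumptions: the genuine image is %SystemRoot%\System32\lsass.exe (as the
# article states) and its parent process is wininit.exe (Vista and later).

$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Win32_Process exposes ExecutablePath and ParentProcessId for each process.
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'lsass.exe'")

if ($procs.Count -eq 0) {
    Write-Warning 'No lsass.exe process found; the LSA shell should always be running.'
    return
}

if ($procs.Count -gt 1) {
    Write-Warning ("{0} processes named lsass.exe are running; only one is expected." -f $procs.Count)
}

foreach ($p in $procs) {
    $findings = @()

    # 1. The image must be the copy in System32, not a file dropped elsewhere.
    if ($p.ExecutablePath -ne $expectedPath) {
        $findings += "unexpected path '$($p.ExecutablePath)'"
    }

    # 2. The genuine process is started by wininit.exe (assumption, see above).
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'wininit.exe') {
        $findings += "parent is '$($parent.Name)' (PID $($p.ParentProcessId)), expected wininit.exe"
    }

    # 3. The image on disk should carry a valid Authenticode signature.
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status is '$($sig.Status)'"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "PID $($p.ProcessId): lsass.exe looks genuine ($($p.ExecutablePath))"
    } else {
        Write-Warning ("PID {0}: suspicious lsass.exe: {1}" -f $p.ProcessId, ($findings -join '; '))
    }
}
```

Run it from an elevated PowerShell session; without administrator rights Windows hides the ExecutablePath of lsass.exe and the path check will report a false positive.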
Known Issues
If a user suspects that lsass.exe has been corrupted by a virus, Microsoft has released the Microsoft Windows Malicious Software Removal Tool, which cleans up variants of the Sasser worm (Reference 4). Microsoft Security Bulletin MS04-11 (Resource 1) also lists fixes for the lsass errors that reboot the computer (Reference 5).