
What is lsass.exe and what should I do about it?


Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. Lsass.exe (the working program of LSASS) also writes to the Windows Security Log.

Perhaps the most common and important task that lsass.exe oversees is controlling access to the computer or server. Lsass.exe recognizes any restrictions on access to information on the hard drive or the server, and makes sure that only recognized access codes or other login credentials allow people to interact with those data files. This means that lsass.exe comes into play each time someone logs into the server, or uses a desktop computer and gains access to password-protected files.

Lsass.exe also allows administrators, or any user granted the proper privileges, to make changes and updates to passwords and user profiles. For example, it is through lsass.exe that authorized personnel may delete, change, or create new passwords and user files. Any and all changes that are made are noted in the Windows Security Log.

Forcible termination of lsass.exe will result in the Welcome screen losing its accounts. This will prompt a restart of the machine. Lsass.exe itself should not be considered the Sasser worm.


The Sasser worm is a computer worm that was specifically created to take advantage of a design vulnerability in the versions of lsass.exe found in Windows 2000 and Windows XP. Essentially, the worm uses LSASS to create what is known as a buffer overflow. This overflow makes it possible for the worm to use the system's resources to spread to other machines on the network. Unlike many other worms, the Sasser worm is not spread by email, but once in any computer, it can quickly spread to any other computers that are connected to the same network. The worm is particularly potent because it can spread without any human interaction.

If the worst should happen and the lsass.exe program ends, for example through the Sasser worm's effects, a countdown timer will appear on the screen, advising the user to save their work and close all programs before Windows shuts down. It is important to keep in mind that this timer can be thwarted by changing the computer's date and time settings or by executing the shutdown -a command.

It is possible to remove the Sasser worm from LSASS and restore full functionality without damaging any aspect of the process. Once the system is down, it is possible to reboot the system and use immunization software to isolate the worm, banish it from the system, and restore the function of LSASS.

Sometimes an error continues to surface even after a system restore has been performed. The user may find that when they boot up their computer they receive the message "lsass.exe. system error". The computer may shut down, start up and give the error message again and again. This may indicate that the computer is still infected with the Sasser worm, and immediate action is needed to correct the problem. If that happens, the following procedure is recommended:

  1. Disconnect from the Internet

  2. Stop the shutdown cycle

  3. Mitigate the vulnerability

  4. Improve system performance

  5. Enable a firewall

  6. Reconnect to the Internet

  7. Install the required OS update

  8. Check for and remove Sasser
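
On a network with several machines, the repeated shutdown-and-restart symptom described above can be used to pick out which hosts need this procedure first. The following Python is an added example, not part of the original article; the tab-separated log format, the host names and the message text are constructed for illustration and would need adapting to a real event log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: "timestamp<TAB>host<TAB>message" (hypothetical export format).
MSG = "The system process lsass.exe terminated unexpectedly; Windows will restart."
SAMPLE_LOG = "\n".join([
    f"2020-01-06 09:00:12\tPC-01\t{MSG}",
    "2020-01-06 09:01:30\tPC-02\tUser logon succeeded.",
    f"2020-01-06 09:02:00\tPC-02\t{MSG}",
    f"2020-01-06 09:04:40\tPC-01\t{MSG}",
    f"2020-01-06 09:09:05\tPC-01\t{MSG}",
    "this line is malformed and must be skipped",
    f"2020-01-06 09:13:31\tPC-01\t{MSG}",
    f"2020-01-06 08:00:00\tPC-03\t{MSG}",
    f"2020-01-06 10:00:00\tPC-03\t{MSG}",
    f"2020-01-06 12:00:00\tPC-03\t{MSG}",
])

LSASS_EXIT = re.compile(r"lsass\.exe.*terminated unexpectedly", re.IGNORECASE)

def parse(log_text):
    """Yield (timestamp, host, message) for every well-formed line."""
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # not three tab-separated fields
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        yield ts, parts[1], parts[2]

def hosts_in_shutdown_cycle(log_text, threshold=3, window=timedelta(minutes=30)):
    """Return {host: n} where n lsass.exe terminations fell inside one window."""
    crashes = defaultdict(list)
    for ts, host, msg in parse(log_text):
        if LSASS_EXIT.search(msg):
            crashes[host].append(ts)
    flagged = {}
    for host, times in crashes.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged

if __name__ == "__main__":
    print(hosts_in_shutdown_cycle(SAMPLE_LOG))
```

A single termination (PC-02) or terminations hours apart (PC-03) are not flagged; only a host that keeps restarting within the window is reported as a candidate for disconnection and cleanup.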

Copyright 2003-2020 by BusinessKnowledgeSource.com - All Rights Reserved