When Credential Guard is enabled, the functionality of lsass.exe is split between two processes: itself and lsaiso.exe. Most of the functionality stays within lsass.exe, but the important role of safely storing account credentials moves to lsaiso.exe. It provides safe storage by running in a context that is isolated from other processes through hardware virtualization technology. When remote authentication is required, lsass.exe proxies the requests using an RPC channel with lsaiso.exe in order to authenticate the user to the remote service. Note that if Credential Guard is not enabled, lsaiso.exe should not be running on the system.
Executable's image path: %SystemRoot%\System32\lsaiso.exe
Parent process (the process which spawned the analyzed process): wininit.exe
Expected number of instances that may normally run on Windows: Zero or one
Windows account under which the process is launched (this defines the privileges the process has): Local System
Expected launch time: Within seconds of boot
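The expectations above translate directly into a host sanity check. The following PowerShell script is an added example, not part of the original page, and checks a live system against them: the Credential Guard status reported by the Win32_DeviceGuard CIM class (where a SecurityServicesRunning value of 1 denotes Credential Guard), the instance count, image path, parent process, owning account and start delay relative to boot. The 60-second start-delay threshold is an assumption chosen for illustration; run it in an elevated session, since querying the owner of a SYSTEM process needs administrative rights.

```powershell
# Added example (not from the original page): check a running lsaiso.exe against
# the expected properties listed above. Read-only; run elevated on the host.

# Credential Guard status: SecurityServicesRunning contains 1 when CG is running.
$cgExpected = 1
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains $cgExpected)

$bootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$procs    = @(Get-CimInstance Win32_Process -Filter "Name = 'lsaiso.exe'")
$findings = @()

# Expected count: zero (Credential Guard off) or exactly one (Credential Guard on).
if ($procs.Count -gt 1) {
    $findings += "More than one lsaiso.exe is running ($($procs.Count))."
}
if ($procs.Count -ge 1 -and -not $cgRunning) {
    $findings += "lsaiso.exe is running but Credential Guard is not reported as running."
}
if ($procs.Count -eq 0 -and $cgRunning) {
    $findings += "Credential Guard is reported as running but no lsaiso.exe process exists."
}

foreach ($p in $procs) {
    # Expected image path: %SystemRoot%\System32\lsaiso.exe
    $expectedPath = Join-Path $env:SystemRoot 'System32\lsaiso.exe'
    if ($p.ExecutablePath -ne $expectedPath) {
        $findings += "PID $($p.ProcessId): unexpected image path '$($p.ExecutablePath)'."
    }

    # Expected parent: wininit.exe. If the parent has exited and its PID was
    # reused, the name lookup can mislead; treat a mismatch as something to verify.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" `
                              -ErrorAction SilentlyContinue
    if ($null -eq $parent -or $parent.Name -ne 'wininit.exe') {
        $findings += "PID $($p.ProcessId): parent is '$($parent.Name)' (PID $($p.ParentProcessId)), expected wininit.exe."
    }

    # Expected account: Local System (reported by GetOwner as SYSTEM).
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -ne 0 -or $owner.User -ne 'SYSTEM') {
        $findings += "PID $($p.ProcessId): owner is '$($owner.Domain)\$($owner.User)', expected SYSTEM."
    }

    # Expected start time: within seconds of boot. The 60 s threshold is an assumption.
    $delaySeconds = ($p.CreationDate - $bootTime).TotalSeconds
    if ($delaySeconds -gt 60) {
        $findings += "PID $($p.ProcessId): started $([int]$delaySeconds)s after boot, expected within seconds."
    }
}

if ($findings.Count -eq 0) {
    "lsaiso.exe checks passed (Credential Guard running: $cgRunning)."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Any finding is a prompt to investigate rather than proof of compromise: a process named lsaiso.exe running from another path, without wininit.exe as its parent, under a non-SYSTEM account, long after boot, or on a host where Credential Guard is not running is the combination the page's expectations rule out.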