When Credential Guard is enabled, the functionality of lsass.exe is split between two processes –
itself and lsaiso.exe. Most of the functionality stays within lsass.exe, but the important role of safely storing
account credentials moves to lsaiso.exe. It provides safe storage by running in a context that is isolated from other
processes through hardware virtualization technology. When remote authentication is required, lsass.exe proxies
the requests using an RPC channel with lsaiso.exe in order to authenticate the user to the remote service. Note
that if Credential Guard is not enabled, lsaiso.exe should not be running on the system.
Executable’s image path.
%SystemRoot%\System32\lsaiso.exeA process which spawned the analyzed process.
wininit.exeExpected number of processes running which may normally run on Windows.
Zero or oneWindows account with which the process was launched. This defines what privileges given process has.
Local SystemExpected time of process to be launched.
Withing seconds of boot time