.. / lsass.exe

The Local Security Authentication Subsystem Service process is responsible for authenticating users by calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating users, lsass.exe is also responsible for implementing the local security policy (such as password policies and audit policies) and for writing events to the security event log. Only one instance of this process should occur and it should not have child processes.

Image Path

Executable’s image path.

Parent Process

A process which spawned the analyzed process.

Number of Instances

Expected number of processes running which may normally run on Windows.

User Account

Windows account with which the process was launched. This defines what privileges given process has.

Start Time

Expected time of process to be launched.