The Local Security Authentication Subsystem Service process is responsible for authenticating users by calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating users, lsass.exe is also responsible for implementing the local security policy (such as password policies and audit policies) and for writing events to the security event log. Only one instance of this process should occur and it should not have child processes.
Executable’s image path: %SystemRoot%\System32\lsass.exe
Process that spawned the analyzed process: wininit.exe
Expected number of instances of this process normally running on Windows: One
Windows account under which the process was launched (this defines what privileges the process has): Local System
Expected time at which the process is launched: Within seconds of boot time
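The baseline above can be turned into a check over a process snapshot. The following is an added example, not part of the original page: the record fields (pid, ppid, name, path, user, start), the 60-second boot window and the "NT AUTHORITY\SYSTEM" spelling of Local System are assumptions, and the snapshot is constructed sample data.

```python
from datetime import datetime, timedelta

# Baseline from the text above. BOOT_WINDOW and the account spellings are
# assumptions: the page says only "within seconds of boot time" and "Local System".
EXPECTED_PATH = r"%SystemRoot%\System32\lsass.exe"
EXPECTED_PARENT = "wininit.exe"
SYSTEM_ACCOUNTS = {"local system", r"nt authority\system"}
BOOT_WINDOW = timedelta(seconds=60)

def check_lsass(processes, boot_time, system_root=r"C:\Windows"):
    """Return findings for every deviation from the lsass.exe baseline."""
    findings = []
    by_pid = {p["pid"]: p for p in processes}
    expected_path = EXPECTED_PATH.replace("%SystemRoot%", system_root).lower()
    lsass = [p for p in processes if p["name"].lower() == "lsass.exe"]
    if len(lsass) != 1:
        findings.append(f"expected one lsass.exe instance, found {len(lsass)}")
    for p in lsass:
        tag = f"lsass.exe pid {p['pid']}"
        if p["path"].lower() != expected_path:
            findings.append(f"{tag}: image path {p['path']}")
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"] if parent else "<not running>"
        if parent_name.lower() != EXPECTED_PARENT:
            findings.append(f"{tag}: parent is {parent_name}")
        if p["user"].lower() not in SYSTEM_ACCOUNTS:
            findings.append(f"{tag}: runs as {p['user']}")
        if p["start"] - boot_time > BOOT_WINDOW:
            findings.append(f"{tag}: started {p['start'] - boot_time} after boot")
        for child in (c for c in processes if c["ppid"] == p["pid"]):
            findings.append(f"{tag}: has child {child['name']} (pid {child['pid']})")
    return findings

# Constructed snapshot (not real telemetry): one baseline lsass.exe that has a
# child process, plus a same-named process that fails every other check.
BOOT = datetime(2024, 1, 8, 9, 0, 0)
def proc(pid, ppid, name, path, user, offset_s):
    return {"pid": pid, "ppid": ppid, "name": name, "path": path, "user": user,
            "start": BOOT + timedelta(seconds=offset_s)}
SNAPSHOT = [
    proc(600, 500, "wininit.exe", r"C:\Windows\System32\wininit.exe", r"NT AUTHORITY\SYSTEM", 4),
    proc(744, 600, "lsass.exe", r"C:\Windows\System32\lsass.exe", r"NT AUTHORITY\SYSTEM", 6),
    proc(3120, 744, "cmd.exe", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", 5400),
    proc(4012, 2980, "lsass.exe", r"C:\Windows\Temp\lsass.exe", r"WORKSTATION\user", 7200),
    proc(2980, 2900, "explorer.exe", r"C:\Windows\explorer.exe", r"WORKSTATION\user", 95),
]
if __name__ == "__main__":
    for finding in check_lsass(SNAPSHOT, BOOT):
        print(finding)
```

Feed it records exported from whatever process listing is available (live response output, EDR telemetry or a memory image), mapping the tool's own column names onto the assumed fields.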