The Local Security Authentication Subsystem Service process is responsible for authenticating users by
calling an appropriate authentication package specified in
Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating
lsass.exe is also responsible for implementing the local security policy (such as password policies and
audit policies) and for writing events to the security event log. Only one instance of this process should occur and it
should not have child processes.
Executable’s image path.
A process which spawned the analyzed process.
Expected number of processes running which may normally run on Windows.
Windows account with which the process was launched. This defines what privileges given process has.
Expected time of process to be launched.
Within seconds of boot time