.. / lsass.exe

Star

• Image Path: System32 dir
• Parent Process: wininit.exe
• Number of Instances: 1
• User Account: SYSTEM
• Start Time: Around boot

The Local Security Authentication Subsystem Service process is responsible for authenticating users by calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating users, lsass.exe is also responsible for implementing the local security policy (such as password policies and audit policies) and for writing events to the security event log. Only one instance of this process should occur and it should not have child processes.

Image Path

Executable’s image path.

%SystemRoot%\System32\lsass.exe

Parent Process

A process which spawned the analyzed process.

wininit.exe

Number of Instances

Expected number of processes running which may normally run on Windows.

One

User Account

Windows account with which the process was launched. This defines what privileges given process has.

Local System

Start Time

Expected time of process to be launched.

Within seconds of boot time