lsass.exe

Local Security Authority Process

Microsoft Corporation

It runs as a Windows service named “Encrypting File System (EFS)”. It is installed with the Windows 8 pre-release build (RTM).

Publisher:
Microsoft Corporation  (signed and verified)

Product:
Microsoft® Windows® Operating System

Description:
Local Security Authority Process

Part of the Windows 8.1 (Blue) Operating System

Version:
6.3.9600.16384 (winblue_rtm.130821-1623)

MD5:
f33bfcbbbaace7208db433b6cca98930

SHA-1:
660c41bbcb56ccceda63811c9211c583ccbf4f8d

SHA-256:
46e994be4a2ea4d324c8b78cf9276f4805ea47046cbc7ad37401aa77e13c75fb

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted  (by digital signature)

Analysis date:
4/26/2024 6:47:02 AM UTC  (today)

File size:
33.3 KB (34,072 bytes)

Product version:
6.3.9600.16384

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
lsass.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\lsass.exe

Digital Signature
Authority:
Microsoft Corporation

Valid from:
3/13/2013 2:34:10 PM

Valid to:
6/13/2014 2:34:10 PM

Subject:
CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Issuer:
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Serial number:
330000000AD7212BEC936743EB00000000000A

File PE Metadata
Compilation timestamp:
8/21/2013 7:55:32 PM

OS version:
6.3

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
768:vQ65V1g9i8UfC2VhRRthR0pGPt7Nj1PLrJH:vQ65V1g9HSCwRRthRYGPtvPLrJH

Entry address:
0x36FE

Entry point:
E8, B8, FF, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, 8D, 45, F4, C7, 45, F8, 00, 00, 00, 00, 68, 80, 37, 40, 00, 68, 7C, 37, 40, 00, C7, 45, F4, 00, 00, 00, 00, 89, 45, FC, C7, 45, F0, 00, 00, 00, 00, FF, 15, 24, 60, 40, 00, 83, C4, 08, 85, C0, 0F, 85, 3C, 01, 00, 00, 8D, 45, FC, 50, 8D, 45, F8, 50, E8, 3B, 00, 00, 00, 68, 78, 37, 40, 00, 68, 74, 37, 40, 00, FF, 15, 20, 60, 40, 00, 8B, 55, FC, 8D, 45, F0, 8B, 4D, F8, 83, C4, 10, 50, E8, D4, E6, FF, FF, CC, 90, 90, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.4109

Code size:
16 KB (16,384 bytes)

8 Services
Display name:
Encrypting File System (EFS)

Service name:
EFS

Description:
Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files.

Type:
Win32ShareProcess

Display name:
CNG Key Isolation

Service name:
KeyIso

Description:
The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The s

Type:
Win32ShareProcess

Display name:
Netlogon

Type:
Win32ShareProcess

Display name:
Security Accounts Manager

Service name:
SamSs

Description:
The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being no

Type:
Win32ShareProcess

Display name:
Credential Manager

Service name:
VaultSvc

Description:
Provides secure storage and retrieval of credentials to users, applications and security service packages.

Type:
Win32ShareProcess

Display name:
Logon de rede

Service name:
Netlogon

Type:
Win32ShareProcess