lsass.exe

Local Security Authority Process

Microsoft Corporation

It runs as a Windows service named “Encrypting File System (EFS)”. It is installed with the Windows 8 pre-release build (RTM).
Publisher:
Microsoft Corporation (signed and verified)

Product:
Microsoft® Windows® Operating System

Description:
Local Security Authority Process

 
Part of the Windows 8.1 (Blue) Operating System

Version:
6.3.9600.16384 (winblue_rtm.130821-1623)

MD5:
f6f209ddb94959ba104fc8fc87c53759

SHA-1:
bcbce61852df6cc59f897c78471c222e564b32b3

SHA-256:
8e862d41f4332eabf64bd034e2c0e3cc8109c7990cb4112c2b2880e8e6edf2d3

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted (by digital signature)

Analysis date:
4/26/2024 7:39:04 AM UTC (today)

File size:
44 KB (45,008 bytes)

Product version:
6.3.9600.16384

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
lsass.exe

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\lsass.exe

Digital Signature
Authority:
Microsoft Corporation

Valid from:
3/13/2013 4:34:10 PM

Valid to:
6/13/2014 4:34:10 PM

Subject:
CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Issuer:
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Serial number:
330000000AD7212BEC936743EB00000000000A

File PE Metadata
Compilation timestamp:
8/22/2013 5:05:19 AM

OS version:
6.3

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
384:99gzgneB0d0HlOz+AdDoUU2fADYNDHHLcRn8rvt8l4HLtEpWTHWxWKjpLWGiDBRj:9+geuLjUGAWPG8TAULtL2ffi1PhktY

Entry address:
0x3D5C

Entry point:
48, 83, EC, 28, E8, 1F, FF, FF, FF, 48, 83, C4, 28, EB, 09, CC, 90, 90, 90, 90, 90, 90, 90, 90, 4C, 8B, DC, 48, 83, EC, 28, 83, 64, 24, 30, 00, 49, 83, 63, 18, 00, 49, 83, 63, 20, 00, 49, 8D, 43, 18, 48, 8D, 15, 83, 00, 00, 00, 48, 8D, 0D, 74, 00, 00, 00, 49, 89, 43, 10, E8, BB, FE, FF, FF, 85, C0, 74, 0A, B8, FF, 00, 00, 00, 48, 83, C4, 28, C3, 48, 8D, 54, 24, 38, 48, 8D, 4C, 24, 30, E8, 9A, FE, FF, FF, 48, 8D, 15, 3F, 00, 00, 00, 48, 8D, 0D, 30, 00, 00, 00, E8, 9B, FE, FF, FF, 48, 8B, 54, 24, 38, 8B, 4C...
 

Entropy:
5.9171

Code size:
25 KB (25,600 bytes)

12 Services
Display name:
Encrypting File System (EFS)

Service name:
EFS

Description:
Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files.

Type:
Win32ShareProcess

Display name:
CNG Key Isolation

Service name:
KeyIso

Description:
The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The s

Type:
Win32ShareProcess

Display name:
Netlogon

Type:
Win32ShareProcess

Display name:
Security Accounts Manager

Service name:
SamSs

Description:
The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being no

Type:
Win32ShareProcess

Display name:
Credential Manager

Service name:
VaultSvc

Description:
Provides secure storage and retrieval of credentials to users, applications and security service packages.

Type:
Win32ShareProcess

Display name:
Anmeldedienst

Service name:
Netlogon

Type:
Win32ShareProcess