lsass.exe - Local Security Authentication Server Subsystem
The lsass.exe process belongs to the Windows security subsystem. LSASS stands for "Local Security Authentication Server Subsystem"; it manages the Winlogon process as well as other local authentication tasks. Remote authentication is handled by a different subsystem, which contacts the remote machine's authentication service.
While Windows is capable of interacting with multiple security subsystems, such as a Distributed Computing Environment (DCE) security server, Active Directory, or a Kerberos server, the default local package is known as Msgina.dll.
If authentication is successful, LSASS generates the user's access token, which is used to launch the initial shell. Other processes that the user starts inherit this token. The lsass.exe process is a critical Windows component and should not be terminated or otherwise altered, since doing so may prevent user logins from occurring.
While this is a legitimate process, malware authors can and have taken advantage of the lsass.exe process and executable name on occasion. The W32.Nimos.Worm, W32.Sasser.E.Worm (file named Lsasss.exe), and W32.HLLW.Lovgate.C@mm worms are known to have misused this file name in attempts to infect machines. One report describes a virus that used the name "Isass.exe" (note the capital "I" in place of the lowercase "l") to conceal itself from casual inspection.
The legitimate lsass.exe file is located in the c:\windows\system32 directory. Other copies found in different locations on your system may be viruses or other forms of malware. This process has existed since Windows 2000 was released, and is also active on Windows Server 2000 and 2003. Earlier versions of the OS do not include the file, so this process should never appear on Windows 98 or 95.
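The two checks described above, a lookalike name (Lsasss.exe, Isass.exe) and a copy running from somewhere other than c:\windows\system32, can be applied to a process listing. The following is an added example written for this page, not code from the original; the process list is constructed to resemble `Get-Process | Select-Object Name, Path` output, and the homoglyph table and one-character edit tolerance are the author's own heuristics.

```python
import ntpath

LEGIT_NAME = "lsass.exe"
LEGIT_DIR = r"c:\windows\system32"

# Characters commonly swapped for a lowercase "l" in lookalike names, folded
# back so that "Isass.exe" and "1sass.exe" both compare equal to lsass.exe.
_HOMOGLYPHS = str.maketrans({"i": "l", "1": "l"})


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, path: str) -> str:
    """Return 'legitimate', 'suspicious' or 'unrelated' for one process.

    name is the image name as Task Manager shows it; path is the full image
    path (empty if it could not be read, which alone makes it suspicious).
    """
    folded = ntpath.basename(name).lower().translate(_HOMOGLYPHS)
    stem, ext = ntpath.splitext(folded)
    # Anything more than one edit away from "lsass" is not impersonating it.
    if ext != ".exe" or _edit_distance(stem, "lsass") > 1:
        return "unrelated"
    # The one expected instance: exact name, running from System32.
    if name.lower() == LEGIT_NAME and ntpath.dirname(path).lower() == LEGIT_DIR:
        return "legitimate"
    return "suspicious"


# Constructed sample process list (not captured from a real machine).
SAMPLE_PROCESSES = [
    ("lsass.exe", r"C:\Windows\System32\lsass.exe"),
    ("Lsasss.exe", r"C:\Windows\Lsasss.exe"),
    ("Isass.exe", r"C:\Users\Public\Isass.exe"),
    ("lsass.exe", r"C:\Temp\lsass.exe"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
]


def audit(processes):
    """Return (name, path, verdict) for every entry that resembles lsass.exe."""
    return [(n, p, v) for n, p in processes if (v := classify(n, p)) != "unrelated"]


if __name__ == "__main__":
    for name, path, verdict in audit(SAMPLE_PROCESSES):
        print(f"{verdict:11} {name:12} {path}")
```

Only the first sample entry is reported as legitimate; the extra-letter, capital-I and wrong-directory copies are all flagged for closer inspection.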
As always, if you suspect a malware infestation you should download and run a current copy of an antivirus/malware scanner in order to isolate and remove the offending application. Be sure to obtain the most recent definition files, since these are critical to the removal of current malware variants.