What is LSASS.exe? And why does it take a lot of memory and CPU time?

I'm taking care of a Windows server in my company. AFAIK, the server is a member of Active Directory. I notice from Task Manager that the process LSASS.exe is taking a lot of memory and CPU time. Via Google, I've found it could possibly be fixed with some updated patches.

Just curious. What is LSASS.exe? What does it do? And why does it take a lot of memory and CPU time? Can it be reduced if the patches do not work?


LSASS is the Local Security Authority Subsystem. It's ultimately responsible for making the access granted / access denied decision when you attempt to access resources in a Windows NT-derived operating system. Each time you try to access any resource, a bit of code deep down in LSASS actually says "Yeah, go ahead" or "Woah! No way!"

On domain controller computers it hosts the Active Directory database. Thusly, on a domain controller computer, you will see more CPU, RAM, and IO resources consumed by this process because it's running AD. On a member server that isn't a domain controller you shouldn't see quite as big an impact.

As far as patching your boxes goes, take what "Windows Update" or "Microsoft Update" says to do as the "right thing". For the most part, this will get you patched to current levels. Be careful mucking about with LSASS, because killing it will cause your computer to reboot.


LSASS.exe is the Local Security Authentication Server process. Basically it enforces Security Policy. If the process is taking up an inordinate amount of CPU cycles then I would first look at what security policies you have in place.

LSASS.exe has been hit by viruses in the past, so you obviously want to make sure your antivirus software is running and up to date.

Also, it is a core system file so don't try and kill it. Like Wolverine, kicking it in the balls will only piss it off.

Good luck

-RaindogShane


After spending much time on this issue with Lsass.exe on a server that was not a DC, I have found the issue.

There was a time difference of about 4 hours between the clocks on the DC and on the problematic server. Setting the clocks to the same time and restarting both servers (not sure if restarting both is necessary) has stopped the service from eating up all the memory. After monitoring for a few days, my issue is resolved.

Thought I would post this here for people who have the same issue with this service and not on a DC.
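
The clock comparison described in the last answer, as an added example that is not part of the original posts: it reports the current lsass.exe footprint on a member server and measures the time offset against a domain controller using `w32tm`. The DC name is a placeholder, and the 300-second threshold is an assumption based on the default Kerberos clock-skew tolerance of 5 minutes.

```powershell
# Added example: compare this server's clock with a domain controller and
# report lsass.exe resource use. Run it on the affected member server.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder, replace with your DC
    [double]$MaxSkewSeconds   = 300                     # assumed limit: Kerberos default of 5 minutes
)

# Current lsass.exe footprint (run elevated so the CPU counter is readable).
$lsass = Get-Process -Name lsass
[pscustomobject]@{
    ProcessId    = $lsass.Id
    WorkingSetMB = [math]::Round($lsass.WorkingSet64 / 1MB, 1)
    CpuSeconds   = [math]::Round($lsass.CPU, 1)
}

# Query the DC's time three times. With /dataonly each sample is printed as
# "HH:mm:ss, +00.1234567s"; failed samples print an error code instead.
$samples = & w32tm /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1

$offsets = foreach ($line in $samples) {
    if ("$line" -match ',\s*([+-]\d+(?:\.\d+)?)s\s*$') {
        [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
    }
}

if (-not $offsets) {
    Write-Warning "No time samples from $DomainController. Check name resolution and NTP (UDP 123)."
    return
}

# Average the samples and compare the absolute offset with the tolerance.
$skew = ($offsets | Measure-Object -Average).Average
$abs  = [math]::Abs($skew)

if ($abs -gt $MaxSkewSeconds) {
    Write-Warning ("Clock offset to {0} is {1:N1} s, above the {2} s tolerance." -f `
        $DomainController, $abs, $MaxSkewSeconds)
    # Show where this server gets its time from before correcting it.
    & w32tm /query /source
    Write-Output "After fixing the time source, resynchronise with: w32tm /resync"
}
else {
    Write-Output ("Clock offset to {0} is {1:N3} s, within tolerance." -f $DomainController, $abs)
}
```

A 4-hour difference like the one in the answer above would show up here as an offset of roughly 14400 seconds.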