lsass.exe Windows XP

What is LSASS.EXE used for in windows xp. Cos it seems to be using a lot of CPU at the moment.

LSASS = Local Security Authentication Server Something

It basically handles requests generated by WinLogon and calls the relevant authentication package for the object you are trying to use. Your user profile is then granted access and stored in a security certificate/access token which in turn will be handed to the object requesting authentication.

It's really an NT thing, but seems to have crossed the home user path too now that XP is in wide use.

Apparently reinstalling service packs can be of use for some reasons....not sure why to be honest.

Have you tried limiting what you actually have running in the sys tray? messenger etc may well cause an increase in CPU usage by LSASS.

'Slo

i never used to have this problem, but now IT's using all availble CPU usage./

Hi

LSASS.exe is responsible for running certain groups of drivers (.dlls) associated with several background services in windows xp.
If this file is using a lot of cpu reserve it is probably because it is sitting on quite a few .dlls whilst attempting to launch one or two services.
The only way to contol the services that windows runs in the background is to roll up your sleeves and get under the bonnet
and configure them one by one
You'll find them here: Control Panel / Administrative Tools / double click the last icon "Services"
Expand the page to get a clearer view then click once on the first icon "Alerter". In the left hand panel will be a description of what this service does. Now right click the icon and choose "Properties" from the drop down menu, in the center panel next to "Startup type:" is a drop down allowing you to set it to one of three modes, it is here that you can configure each service in turn.

here's a tip:
LSASS.exe runs Netlogon which on a home pc you should really dissable - unless of course you actually do have your own Domain!!

I can post the list of settings that I use but it will take at least 3 posts and I'm not sure if that's permitted?

please advise...

If it's any help, I'm running XP Home and my 'lsass.exe' is taking up 1,000-1,244k of mem but 0% of cpu.

Just checked mine whilst online it's using 892kb memory 0% cpu

If you use a PC at home and you are NOT on a LAN (network linked to other computers) and you do NOT live in the USA it is perfectly safe to set the following Services in WindowsXP to:

Disabled

Application Layer Gateway Service
Automatic Updates
Background Intelligent Transfer Service
ClipBook
Computer Browser
Distributed Link Tracking Client
Distributed Transaction Coordinator
Error Reporting Service
Help and Support
Indexing Service
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
MS Software Shadow Copy Provider
Net Logon
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Network Location Awareness (NLA)
NVIDIA Driver Helper Service
Performance Logs and Alerts
Portable Media Serial Number
QoS RSVP
Remote Registry
Routing and Remote Access
Server
SSDP Discovery Service
Telnet
Terminal Services
Uninterruptible Power Supply
Volume Shadow Copy
Windows Time
Windows Zero Configuration

You may not have all of these, I am running XP Pro SP1. You will however notice a performance increase if you disable them!

Well, I'm on ADSL and I have a Home Network (up to 8 PC's at any one time) but, even if I had a dial-up I would certainly leave Internet Connection Firewall (ICF) unless I had something similar running. As to the others, some ARE at your discretion, others I just don't know about.

Hehe

Oops sorry!

I suppose although Windows firewall is about as useful as a chocolate tea pot it's better than nothing...

I use ZoneAlarm Pro with my own configuration which makes my machine undetectable (stealth mode). Also I never go online unless I'm hiding my IP behind a proxy server (if you can see it, you have noticed it doesn't read the usual 62.64.

I need to post the full list of service configs with their descriptions... is that ok?

This is a guide for information only with plain english descriptions of the services real function. Please make your own mind up over which services to disable on your system.

Alerter
Function - Good for big brother corporate networks. Home PCs do not need to send/receive administrative alerts.

home PC - Manual

-

Application Layer Gateway Service
Function - Good if the system is a gateway/client on a NAT LAN, also (attempts to) protect nasty script kiddies from turning you and your friends' computers into their pawns in the quest for world domination. XP's Firewall is about as useful as a chocolate Teapot. Disable this service unless you are on a home LAN and use Microsoft's Internet Connection Sharing.

home PC - Disabled

-

Application Management
Function - Provides software installation services such as Assign, Publish, and Remove.

home PC - Manual

-

Automatic Updates
Function - Allows Windows XP free reign to contact the Microsoft servers and download a whole host of "critical" updates. No
thanks Bill, think I can connect to WindowsUpdate by myself

home PC - Disabled

-

Background Intelligent Transfer Service
Function - A sneaky way of doing Automatic Updates - Windows XP will judge whether you are using your bandwidth or just sat
there motionless looking at your screen. If not it will happily download away.

home PC - Disabled

-

ClipBook
Function - "exactly what it says on the tin"
Why do you want to share your random cut'n'pastes with your fellow LAN chums? If you feel this is an important contribution to your life leave it on Manual. Otherwise kill this resource eating service!

home PC - Disabled

-

COM+ Event System
Function - Kind of like a communication method between different modules in Windows.

home PC - Manual

-

COM+ System Application
Function - If COM+ Event System is the car then this service is the driver

home PC - Manual

-

Computer Browser
Function - Like it says, needed to keep tracks of computers on your network. If you're on a LAN, leave it to manual, if you're a standalone system then disable it.

home PC - Disabled

-

Cryptographic Services
Function - Among other things, this service authenticates WHQL drivers (i.e. for graphics cards)

home PC - Manual

-

DHCP Client
Function - Under Windows managed networks DCHP is useful in assigning IP/DNS addresses.

home PC - Manual

-

Distributed Link Tracking Client
Function - Good for databases that rely on networked files for updating. Do you share files that lots of people work on? Do you even use NTFS as a home user?

home PC - Disabled

-

Distributed Transaction Coordinator
Function - Related to Distributed Link Tracking Client
The service sounds like a job title for a pointless middle manager somewhere. For home users it's the same story for our
Distributed Transaction Coordinator; going nowhere fast.

home PC - Disabled

-

DNS Client
Function - Needed by windows

home PC - Automatic

-

Error Reporting Service
Function - When something crashes (quite frequently) and Windows pops up and advises you to tell Microsoft all about it,
that is the fruit of this service's loins. One of my pet hates, If something crashes I will scream at the monitor and stamp my feet as I please; I don't need to tell Microsoft that I'm doing it.

home PC - Disabled

-

Event Log
Function - Exactly what it says on the tin

home PC - Manual

-

Fast User Switching Compatibility
Function - For home users this functions as "switch user" when the logoff option is used. If you want it you can have it.

home PC - Manual

-

Help and Support
Function - Description is self-explanitory

home PC - Disabled

-

Human Interface Device Access
Function - allows you to use a usb mouse/keyboard in Windows. If you have one set this to automatic

home PC - Disabled

-

IMAPI CD-Burning COM Service
Function - Controls the in-built CD-burning software in XP
If you don't use the in-built software then disable the service. Incidentally disabling this makes NERO Burning ROM open quicker.

home PC - Disabled

-

Indexing Service
Function - Works like an advanced search feature. This can search through files and index keywords for rapid searching.
Thanks, but no thanks. If I want to search I will use the "dog feature".

Recommended for home PC - Disabled

-

Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Function - Related to Application Layer Gateway Service

home PC - Disabled

-

IPSEC Services
Function - Authenticates hosts before transfer of data, Encryption of IP traffic, Prevention of reply attacks

home PC - Manual

-

Logical Disk Manager
Function - Updates records to do with hard disk volumes.

home PC - Automatic

-

Logical Disk Manager Administrative Service
Function - Related to Logical Disk Manager it is infrequently used

home PC - Manual

-

Messenger
Function - Allows network administrators the ability to pop a little prompt on your screen with information. Although hilarious for the first 25 seconds in forcing your non-computer literate friends to think their machine has been hacked into this service is pretty much pointless.

home PC - Disabled

-

MS Software Shadow Copy Provider
Function - Like the man said, it allows shadow copying.

home PC - Disabled

-

Net Logon
Function - Domain Authentication, if you have a Domain

home PC - Disabled

-

NetMeeting Remote Desktop Sharing
Function - Why use the bloated netmeeting when VNC does it about 10 times faster and is free?

Recommended for home PC - Disabled

-

Network Connections
Function - Controls your internet connection details basically.

home PC - Manual

-

Network DDE
Function - DDE functions are usually restricted to business applications.

home PC - Disabled

-

Network DDE DSDM
Function - Related to Network DDE

home PC - Disabled

-

Network Location Awareness (NLA)
Function - Installation of some hardware requires usage of RPC.

home PC - Manual

-

NVIDIA Driver Helper Service
Function - Provides help and support for NVIDIA graphics cards. Disabling this service seems to significantly reduce the time Windows XP takes to shut down.

home PC - Disabled

-

Performance Logs and Alerts
Function - Hardly useful for a home PC now is it? Unless they start assigning the equivalent of 3DMarks I doubt anyone is really interested.

home PC - Disabled

-

Plug and Play
Function - Commonly referred to as Plug'n'Pray this service is perhaps one feature of Windows XP worth having.

home PC - Automatic

-

Portable Media Serial Number
Function - Quite possibly the most pointless and utterly useless service known to human kind. Why memory is allocated to the
retrieval of a needless serial number from your MP3 player is beyond me and I'm sure it's a joke.

home PC - Disabled

-

Print Spooler
Function - A must if you have a printer

home PC - Manual

-

Protected Storage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Function - Stop those 1337 h4X0)2 skr1p7 |<1dd135 knocking around with your files. Trouble is, if they are already past your firewall you've had it anyway. Leave on Manual just in case.

home PC - Manual

-

QoS RSVP
Function - Quality Of Service - quite useful for services that use it used for network balancing and other nifty things to make "your internet experience as wonderful as possible". Quite good then that this service eats 25% of your bandwidth doing it and hardly anything actually makes use of it.

home PC - Disabled

-

Remote Access Auto Connection Manager
Function - Makes use of embedded links in programs such as Office, also is used in autodial functions

home PC - Manual

-

Remote Access Connection Manager
Function - Involved in dial-up.

home PC - Manual

-

Remote Desktop Help Session Manager
Function - Allows incoming Remote Desktop connections.
If you don't use this feature of Windows XP (Remote Desktop) then disable this service.

home PC - Disabled

-

Remote Procedure Call (RPC)
Function - Needed for some installations nice vague Microsoft description. Leave as manual.

home PC - Manual

-

Remote Procedure Call (RPC) Locator
Function - Related to Remote Procedure Call (RPC)

home PC - Manual

-

Remote Registry
Function - Allow people to modify local registry settings via remote desktop or similar. Allowing your registry to be edited remotely? Come on....

home PC - Disabled

-

Removable Storage
Function - Zip Drives, USB pens etc...

home PC - Manual

-

Routing and Remote Access
Function - used on business networks

home PC - Disabled

-

Secondary Logon
Function - allow multiple users on one machine.

home PC - Automatic

-

Security Accounts Manager
Function - Related to Secondary Logon

home PC - Automatic

-

Server
Function - Supports file sharing and other basic LAN functions.
If you're not on a network you don't need this.

home PC - Disabled

-

Smart Card
Function - If you don't use smart media, disable this service.

home PC - Disabled

-

Smart Card Helper
Function - Related to Smart Card

home PC - Disabled

-

SSDP Discovery Service
Function - UPnP = Universal Plug'n'Play If you don't have a LAN then disable this service.

home PC - Disabled

-

System Event Notification
Function - Can notify programs such as Outlook when an internet connection is established so that it can send its mail. This service manages a lot of processes

home PC - Automatic

-

System Restore Service
Function - Allows "rollback" to previous configurations in order to solve hardware/software problems.

home PC - Automatic

-

Task Scheduler
Function - Depends on the individual. Task Scheduler uses a fair amount of resources. Any program I wish to run, I run when I want, not at 4.37am on a Friday morning.

home PC - Disabled

-

TCP/IP NetBIOS Helper
Function - Helper for Internet traffic. Useful if you're fascinated by the intrinsic features of TCP/IP.

home PC - Disabled

-

Telephony
Function - it starts when a connection is made to the internet.

home PC - Manual

-

Telnet
Function - Big Security Hole - If you're not on a LAN this is well worth disabling to bounce those 13 year old hackers.

home PC - Disabled

-

Terminal Services
Function - Remote Desktop features.If you disabled Remote Desktop earlier then do the same with this.

home PC - Disabled

-

Themes
Function - Most people use the themes

home PC - Automatic

-

Uninterruptible Power Supply
Function - Most users (unless you live in California) do not have UPS backups.

home PC - Disabled

-

Universal Plug and Play Device Host
Function - You'll need this

home PC - Manual

-

Upload Manager
Function - Fundemental to Windows

home PC - Automatic

-

Volume Shadow Copy
Function - Set the same as MS Software Shadow Copy Provider

home PC - Disabled

-

WebClient
Function - Fundemental to Windows

For home PC - Automatic

-

Windows Audio
Function - Fundemental to Windows

home PC - Automatic

-

Windows Image Acquisition (WIA)
Function - In-built scanner and camera features.If you don't have a scanner/camera then disable this service. Also if you use a 3rd party image aquisition program then disable this.

home PC - Disabled

-

Windows Management Instrumentation
Function - Fundemental to Windows

home PC - Automatic

-

Windows Management Instrumentation Driver Extensions
Function - Fundemental to Windows

home PC - Automatic

-

Windows Time
Function - Fine if you need to have exactly the same time as the administrator on your network

home PC - Disabled

-

Windows Zero Configuration
Function - Wireless networking auto-configuration Wireless unless you have wireless having this resident in memory is
pointless.

home PC - Disabled

-

WMI Performance Adapter
Function - Provides information about your system to system components that require it.

home PC - Manual

-

Workstation
Function - Needed by Windows to provide functionality on the internet.

home PC - Automatic

is lots of good info on what the services are and which you can turn off in XP at

http://www.blkviper.com/WinXP/service411.htm

and

http://www.blkviper.com/WinXP/servicecfg.htm

Sil

PS, also check out harden win2k most should work for XP - well let us know !

... well at least somebody can finally put into all into PLAIN ENGLISH ...



I appreciate it greatly !!

Tas
(in Bris Australia)

Welcome to The Scream! safeboy.
Can you read all this OK, isn't it upside down?

HAHAHAHA ....




not quite ... but we do enjoy having that reputation me thinks.

Hope all is well on the upside

Cheers.

AT LAST!!

I've been looking for this thread for ages.Strangley,I've disabled a lot of features that the2ndLoser considers fundamental to Windows.
Shall we have a bash at revising the topic?

Bloodhound,if you wanted to close some of your ports,this is an English version of the BV guide,and probably safer..

The services that you need running depend entirely upon the way that you use your computer and the environment in which it's used.
The Blackviper pages give a pretty good guide for various conditions.

see this thread is getting a few more views recently - probably because of the sasser worm exploiting lsass.exe ?

if you're having constant reboots then check a couple of threads:

<thread>:lsass.exe 59 second restart

and

<thread>:Sasser.a & Sasser.b



Sil

Yesterday I switched from ZA firewall to XP SP2 firewall because of some other issues I had to solve. Today lsass.exe started eating 20% of (Athlon XP 2800+) CPU time.
This was solved when I disabled firewall protection on my IE1394 (firewire) connection to an external HDD.

just to add a point,

there is a virus that has a filename of LSASS.EXE, but the filename is cap'd, and not lowercase that the correct version is.

Just a though

Lroyb