Local Security Authority Process [2021]

| Mitigation | Description |
|------------|-------------|
| | Prevents unauthorized processes (even admin) from opening LSASS for memory read access. Set RunAsPPL = 1 in registry. |
| Credential Guard (Virtualization-based security) | Isolates LSASS secrets in a hardware-secured environment, making them inaccessible even to the OS kernel. |
| Windows Defender Credential Guard | Similar to Credential Guard, blocks NTLM hash and plaintext credential caching in LSASS. |
| Audit LSASS access | Monitor Event ID 4656 (Handle to LSASS opened with PROCESS_VM_READ). |
| Block procdump.exe and suspicious tools | Use AppLocker or WDAC. |

The Local Security Authority Process, primarily known by its executable name lsass.exe, is a critical system component in the Windows operating system. It serves as the primary gatekeeper for user authentication, security policy enforcement, and credential management. Without this process, you would be unable to log in to your computer, and the system would be unable to verify who has permission to access specific files or network resources.

Core Functions of the Local Security Authority Process

Under normal circumstances, . It is a legitimate Microsoft process. However, because it handles sensitive passwords, it is a frequent target for malware.

| | Legitimate Process | Potential Malware |
|---|---|---|
| File Name | lsass.exe (starts with a lowercase "L") | isass.exe (starts with "i") or lsasss.exe |
| Location | C:\Windows\System32 | Any other folder (e.g., Downloads or Temp) |
| Description | Local Security Authority Process | Often blank or has generic names |
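
The file name and location checks from the comparison above can be automated over a process inventory. This is an added example, not code from the original page: the function names are hypothetical, the sample paths are constructed, and it assumes Windows is installed on drive C: as the table states.

```python
import ntpath

LEGIT_NAME = "lsass.exe"
LEGIT_DIR = r"c:\windows\system32"  # assumption: system drive is C:

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return 'legitimate', 'wrong-location', 'lookalike-name' or 'unrelated'."""
    # Windows paths are case-insensitive, so compare in lower case.
    path = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(path)
    if name == LEGIT_NAME:
        return "legitimate" if directory == LEGIT_DIR else "wrong-location"
    # isass.exe (i for l) and lsasss.exe (extra s) are both one edit away.
    if edit_distance(name, LEGIT_NAME) <= 1:
        return "lookalike-name"
    return "unrelated"

# Constructed sample process image paths (not taken from a real host).
SAMPLE = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\alice\Downloads\lsass.exe",
    r"C:\Windows\System32\isass.exe",
    r"C:\Users\alice\AppData\Local\Temp\lsasss.exe",
    r"C:\Windows\System32\svchost.exe",
]

def triage(paths):
    """Keep only the paths that need review, mapped to their verdict."""
    verdicts = {p: classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v in ("wrong-location", "lookalike-name")}

if __name__ == "__main__":
    for p, v in triage(SAMPLE).items():
        print(f"{v:15} {p}")
```

A lookalike name is flagged even when it sits in C:\Windows\System32, since the table treats the name and the location as separate indicators.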
Because LSASS often stores plaintext passwords, NTLM hashes, and Kerberos tickets in its memory, it is a seeking credential theft.