Fix lsass.exe terminated and High CPU or Disk usage issues

LSASS.exe or Local Security Authority Subsystem Service or Local Security Authority Process is a process on Windows operating system. It is valuable in enforcing the security policy on the computer. When a user logs in to the Windows Server, it is responsible for handling the password changes and creating the access tokens while updating the security log.

Is lsass.exe a virus?

Is lsass.exe a virus? the process is often targeted by malware and mimicked. The original location of this file is C:\Windows\System32 when C: is your system partition. So, if the process with a similar name is running on the Task Manager but the location is different, you know that the process is a threat and is exploiting the security on your computer.

In this article, we will be discussing the high resource consumption of the original lsass.exe on Windows.

lsass.exe High CPU and Disk usage

If LSASS.exe or Local Security Authority Subsystem Service is displaying High CPU and Disk usage on Windows 11/10, follow these suggestions:

1] Check for malware

The main cause of this High CPU and Disk usage issue cannot be narrowed down to a single culprit, and that is malware. So start by running a full system scan using your antivirus software.

2] Run SFC scan

You may also run System File Checker at boot time to replace a potentially damaged lsass.exe file.

3] Use Performance Monitor’s Active Directory Data Collector

If you need to investigate further, you can use the Performance Monitor’s Active Directory Data Collector set on a computer.

This method will work only on the recent versions of Windows Server. To fix this error, we need to start by running the Active Directory Data Collector.

Start by opening the Server Manager or by opening the Performance Monitor.

To open the Performance Monitor, you can hit WINKEY + R button combinations to launch the Run utility. Now, type in the following and hit Enter:

Perfmon.msc

Now, from the left side navigation bar, navigate to Diagnostics > Reliability, and Performance > Data Collector Sets > System.

Right-click on Active Directory Diagnostics and then select Start in the context menu.

It will take about 300 seconds or 5 minutes depending upon the performance capabilities of your hardware to gather the required data and will then take some additional time to compile a report. And these both timings are interdependent on each other.

Once compiled, the report can be found under Diagnostics > Reliability and Performance > Reports > System > Active Directory Diagnostics.

This report will contain all the information and conclusions in the report. This does not mean that it will contain the exact cause of the error but will help you investigate the real cause of the issue.

lsass.exe terminated unexpectedly

The message that appears is usually in this format:

The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in 60 seconds. Shutdown message: The system process “C:\WINDOWS\system32\lsass.exe” terminated unexpectedly with status code – 999. The system will now shut down and restart.

If lsass.exe terminated unexpectedly causing the system to restart there is a high likelihood that your computer is infected. You need to run a full scan with your security software.

Additionally, you could perform Clean Boot and manually troubleshoot and find out which 3rd-party process or code may be causing this issue.

Can I disable lsass?

Lsass is a crucial system file and is a part of Windows Security Policies. Disabling it is not recommended. However, if you do so, you will experience errors in your system. If you find multiple lsass.exe files running on your system, some of them are malware. In this case, you should disable and remove the fake lsass.exe files. You can check whether a lsass.exe file is genuine or not by viewing its Digital Signature.

All the best!

Other posts about processes using high resources: