LSASS, or Local Security Authority Subsystem Service, is a process that runs as part of the Microsoft Windows operating system. Essentially, LSASS is part of the mechanism for maintaining and enforcing the security protocols on the operating system. To this end, LSASS performs several important functions to ensure that the system remains free from unauthorized access and is protected from a wide range of viruses and bugs.
What Does LSASS Specifically Do?
Perhaps the most common task that LSASS oversees is access to a computer or server. LSASS recognizes any restrictions on access to information on the hard drive or the server, and makes sure that only recognized access codes or other login credentials allow people to interact with those data files. This means that LSASS comes into play each time someone logs into the server, or uses a desktop computer and gains access to password-protected files.
LSASS also allows administrators, or any user who is granted the proper privileges, to make changes and updates to passwords and user profiles. For example, it is through LSASS that authorized personnel may delete, change, or create passwords and user files. Any changes are noted in the Windows Security Log.
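The account and password changes described above can be read back out of the Security Log. The following PowerShell is an added example, not part of the original article; it assumes an elevated session and the event IDs used by Windows Vista / Server 2008 and later, and the function name `Get-AccountChangeEvent` is illustrative.

```powershell
# Added example: list account and password changes recorded in the Security log.
# Assumption: event IDs are those of Windows Vista / Server 2008 and later.
$AccountEvents = @{
    4720 = 'User account created'
    4723 = 'Password change attempted (by the user)'
    4724 = 'Password reset attempted (by another account)'
    4726 = 'User account deleted'
    4738 = 'User account changed'
}

function Get-AccountChangeEvent {   # illustrative name
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]@($AccountEvents.Keys)
        StartTime = $Since
    }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # An empty result is reported as an error; anything else (for example
        # access denied in a non-elevated session) is passed on to the caller.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    foreach ($e in $events) {
        # Named fields live in the event XML: Target* is the account acted on,
        # Subject* is the account that made the change.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Action  = $AccountEvents[$e.Id]
            Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

Get-AccountChangeEvent | Sort-Object Time | Format-Table -AutoSize
```

Rows where the actor is not an expected administrator or provisioning account are the ones to review first.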
How Does the Sasser Worm Relate to LSASS?
The Sasser worm was a worm specifically created to take advantage of a design vulnerability in the versions of LSASS found in Windows 2000 and Windows XP. Essentially, the worm used LSASS to create what is known as a buffer overflow. This overflow made it possible for the worm to use the system's resources to spread to other machines on the network. Unlike many other worms, the Sasser worm was not spread by email. Once it infected a particular computer, however, it could quickly spread to any other computers connected to the same network.
Can an Infected LSASS Be Repaired?
Yes, it is possible to remove any Sasser-like worm from LSASS and restore full functionality without damaging any aspect of the process. Since such worms can cause LSASS to end abruptly, LSASS will flash a timer on the screen, warning users to save work in progress before the operating system shuts down. Once the system is down, it is possible to reboot into Safe Mode and use antivirus software to isolate the worm, remove it from the system, and restore the function of LSASS.