What is LsaIso.exe and Why is it Running?
If you’re looking at Task Manager on a Windows computer, you might see LsaIso.exe running in the background. Yes, that is a capital ‘i’ in the filename. This running process could raise some questions. Is it a valid file? Could it be part of malware or a virus? Great questions. Let’s review what LsaIso.exe is, why it is running, and if you should be concerned or not.
What is LsaIso.exe?
LsaIso.exe stands for Local Security Authority Isolation. The executable is part of the Windows operating system. The file Description says “Credential Guard & VBS Key Isolation.” Indeed, this program is used by Credential Guard. The VBS Key Isolation is also true. While most might interpret VBS as Visual Basic Scripting, that is not the case here. Instead, VBS stands for virtualization-based security in this instance. So, the reason why LsaIso.exe is running is to ensure your PC stays secure.
LsaIso.exe acts as a silent guardian. It quietly protects your PC against potential threats. Its role is to isolate critical security processes by doing the following:
- Credential Guard is a security feature using LsaIso.exe. Introduced in Windows 10, it protects user credentials by storing them in a secure container. This isolates the credentials from the rest of the operating system. A security measure like this prevents Pass-the-Hash and other common attack techniques.
- Secure Kernel Mode: LsaIso.exe is important in maintaining a secure kernel mode. In this mode, critical system components operate in isolation. This reduces the risk of exploitation and unauthorized access to sensitive data.
- Security Isolation: LsaIso.exe runs in an isolated environment. This helps protect sensitive security data and processes from potential threats. By running in a separate session, it acts as a barrier, preventing unauthorized access and tampering.
You find LsaIso.exe in the C:\Windows\System32 directory on your Windows PC.
Is This File Safe?
The file is typically safe. LsaIso.exe is, after all, a legitimate Windows process. Still, it’s crucial to be aware of potential security and performance concerns:
- Malware Impersonation: Malicious software can disguise itself using filenames that resemble legitimate system processes, including LsaIso.exe. Always ensure that the process is located in the C:\Windows\System32 directory and is digitally signed by Microsoft.
- Resource Usage: In some instances, you might notice LsaIso.exe consuming a significant amount of system resources like CPU or memory. This behavior could indicate an issue or conflict that requires investigation.
How to Check if the File is Correctly Digitally Signed?
As mentioned previously, you need to verify the file LsaIso.exe is located in the C:\Windows\System32 directory first. Depending on which Windows versions you run, you might be able to right-click the file in Explorer and look at the Digital Signature tab.
However, that isn’t always visible in later versions of Windows 11. The following method works on all Windows versions, using PowerShell. No worries, it is a one-liner that you can easily copy and paste to run.
- Open PowerShell (no need to open it elevated)
- Type in the following command and parameters:
Get-AuthenticodeSignature -FilePath C:\Windows\System32\LsaIso.exe | Format-List
- Read the result. Since it is a Microsoft Windows system file, we want it to be signed by Microsoft and verify the following lines:
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Status: Valid
- If the issuer is the above, that indicates Microsoft issued the signing certificate. Next, the Status should read as valid. Those parameters together ensure that you can trust this file.
Don’t Worry, LsaIso.exe Is Usually Perfectly Legit
As we’ve discussed, LsaIso.exe is normally a valid Microsoft Windows system file. To be safe, you have to verify the file is recent, has the correct digital signature, and executes from the correct folder.