
Local Security Authority Subsystem Service (LSASS)
Windows core process managing authentication; crash causes domain controller failure.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for Local Security Authority Subsystem Service (LSASS)
Triggered domain controller reboots on PAM-enabled systems, requiring emergency patching
Cybersecurity: Threats and Defences: KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
- What does LSASS do in Windows?
- LSASS (Local Security Authority Subsystem Service) handles user authentication on Windows, managing Kerberos and NTLM logins, enforcing security policy, and generating access tokens. On domain controllers it is the central authentication authority for the Active Directory domain.
- Why is LSASS targeted by hackers?
- LSASS stores credentials in memory during user sessions. Attackers use tools like Mimikatz to dump LSASS memory and extract plaintext passwords, NTLM hashes, and Kerberos tickets for lateral movement without needing to crack passwords.
- What happens when LSASS crashes on a domain controller?
- When LSASS crashes or enters a reboot loop on a Windows Server domain controller, the domain controller becomes unable to authenticate users, process Kerberos tickets, or replicate with other domain controllers, causing an authentication outage across the domain.
Background
Local Security Authority Subsystem Service (LSASS) is a core Windows process responsible for enforcing the security policy on a system, handling user logins, password changes, and access token generation. On domain-joined Windows systems, LSASS communicates with Active Directory domain controllers via Kerberos and NTLM protocols to authenticate users. On domain controllers themselves, LSASS manages the authoritative authentication infrastructure for the entire Active Directory domain. If LSASS crashes or is forced to restart repeatedly, the system becomes unavailable for authentication, effectively taking the domain controller offline.
LSASS is also a primary target for credential-theft attacks. Tools such as Mimikatz, Cobalt Strike, and other post-exploitation frameworks extract plaintext credentials and NTLM hashes from LSASS memory to enable lateral movement. Microsoft has progressively hardened LSASS with Protected Process Light (PPL) mode and Credential Guard on modern Windows versions to resist memory-scraping, though attackers continuously develop bypasses.
In U#3, a regression in the April 2026 Patch Tuesday cumulative update for Windows Server caused LSASS to enter a continuous reboot loop on domain controllers with Privileged Access Management (PAM) enabled, rendering those domain controllers inoperable. Microsoft issued the out-of-band patch KB5091157 on 19 April 2026 to resolve the regression.
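A defender-side posture check that ties the two Background points together, written for this page rather than taken from it or from Microsoft: it reads the RunAsPPL registry value and the Win32_DeviceGuard class (Microsoft's documented locations for the PPL and Credential Guard settings), uses Get-HotFix for the KB5091157 update named above, and treats a domain controller as PAM-enabled when the Active Directory "Privileged Access Management" optional feature has an enabled scope. Run it in an elevated PowerShell session; the ActiveDirectory module is only needed for the PAM check.

```powershell
# Added example, not part of the original page. Audits the LSASS-related
# posture of a Windows host and flags the condition the page describes:
# a PAM-enabled domain controller that has not received KB5091157.

function Get-LsassPosture {
    $result = [ordered]@{}

    # 1. LSASS as Protected Process Light: HKLM\...\Lsa\RunAsPPL (DWORD).
    #    Absent or 0 = not protected; 1 or 2 = PPL enabled (2 = without UEFI lock).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    $result.RunAsPPL   = if ($lsa) { [int]$lsa.RunAsPPL } else { 0 }
    $result.LsassIsPPL = ($result.RunAsPPL -in @(1, 2))

    # 2. Credential Guard: Win32_DeviceGuard lists running VBS services;
    #    1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

    # 3. Out-of-band fix for the April 2026 LSASS reboot-loop regression.
    #    Get-HotFix reads Win32_QuickFixEngineering and can miss some update types,
    #    so treat a negative result as "verify with Windows Update history".
    $result.KB5091157Installed = [bool](Get-HotFix -Id KB5091157 -ErrorAction SilentlyContinue)

    # 4. Domain controller (DomainRole 4 = backup DC, 5 = primary DC) with the
    #    PAM optional feature enabled. Skipped when the AD module is not present.
    $result.IsDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    $result.PamEnabled = $false
    if (Get-Command Get-ADOptionalFeature -ErrorAction SilentlyContinue) {
        $pam = Get-ADOptionalFeature -Filter * -ErrorAction SilentlyContinue |
               Where-Object Name -like 'Privileged Access Management*'
        $result.PamEnabled = [bool]($pam -and $pam.EnabledScopes)
    }

    [pscustomobject]$result
}

$posture = Get-LsassPosture
$posture | Format-List

if ($posture.IsDomainController -and $posture.PamEnabled -and -not $posture.KB5091157Installed) {
    Write-Warning 'PAM-enabled domain controller without KB5091157: exposed to the LSASS reboot loop.'
}
if (-not $posture.LsassIsPPL) {
    Write-Warning 'LSASS is not running as a protected process (RunAsPPL unset).'
}
```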