Overview#Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions.
Local Security Authority Subsystem Service allows users to seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.
Local Security Authority Subsystem Service can store credentials in multiple forms, including:
If the user logs on to Windows by using a smart card, LSASS will not store a plaintext password, but it will store the corresponding NTLM hash value for the account and the plaintext PIN for the Smart Card.
If the account attribute is enabled for a smart card that is required for interactive logon, a random NTLM hash value is automatically generated for the account instead of the original password hash. The password hash that is automatically generated when the attribute is set does not change.
If a user logs on to Windows with a password that is compatible with LM hash, this authenticator will be present in memory.
The stored credentials are directly associated with the LSASS logon sessions that have been started since the last restart and have not been closed.
- Logs on to a local session or RDP session on the computer
- Runs a task by using the RunAs option
- Runs an active Windows service on the computer
- Runs a scheduled task or batch job
- Runs a task on the local computer by using a remote administration tool