Local Security Authority Process (lsass.exe): How to Fix High CPU Usage on Windows 10/11

Introduction

The Local Security Authority Process, shown in Task Manager as “Local Security Authority Process” or lsass.exe, is one of the core components of Windows. It handles logons, password changes, Kerberos tickets, and other authentication-related operations. If it misbehaves, the whole system starts to drag.

Under normal conditions, lsass.exe uses very little CPU and only spikes briefly when you sign in, unlock your PC, or connect to a protected resource. When you see it stuck at high CPU usage for minutes at a time, you’ll usually notice fans spinning up, apps becoming sluggish, sign-ins taking longer, and sometimes short freezes.

Common causes include things like:

• A legitimate but buggy driver or security product that hooks into authentication
• Misconfigured authentication / audit settings, especially on domain-joined machines
• Malware that pretends to be lsass.exe or injects into it
• Corrupted system files or a problematic Windows update

In this tutorial, you’ll learn how to make sure lsass.exe is the real Windows component and not malware, clean up infections and software conflicts that can push its CPU usage up, repair Windows system files and track down configuration issues, and decide when it’s time for a repair install or reset.

Everything here applies to Windows 10 and Windows 11 on home PCs, laptops, and small business systems, with extra notes where corporate/domain environments behave differently.

Quick Triage: Easy Things to Try First

If your PC is struggling right now, start with simple, low-risk checks. These can fix a surprising number of cases without deeper troubleshooting.

Restart and Watch

Restart Windows normally, sign in, and open Task Manager (Ctrl + Shift + Esc). Let the machine sit for a few minutes and watch Local Security Authority Process in the Processes or Details view. Short spikes around sign-in are normal; constant high usage is not.

Install Pending Windows Updates

Open Windows Update:

• Windows 10: Settings → Update & Security → Windows Update → Check for updates
• Windows 11: Settings → Windows Update → Check for updates

Install important and security updates, reboot, and see if lsass.exe behaves better. Microsoft has fixed several authentication and LSASS problems through cumulative updates.

Run a Quick Malware Scan

Open Windows Security → Virus & threat protection → Quick scan. If anything malicious is found and removed, restart and test again.

Verify the File Location

In Task Manager, switch to the Details tab, find lsass.exe, right-click it, and choose Open file location. The path must be:

C:\Windows\System32\lsass.exe

Anything else, especially a similar name in a user or temp folder, is suspicious and should be treated as a potential infection.

Test in Safe Mode

Boot into Safe Mode:

1. Hold Shift and click Restart.
2. Go to Troubleshoot → Advanced options → Startup Settings → Restart.
3. Press 4 for Safe Mode or 5 for Safe Mode with Networking.

If LSASS CPU usage is normal in Safe Mode but high in a normal boot, a third-party driver or software conflict is very likely involved.

If these quick checks don’t resolve things, move on to the full step-by-step guide.

Prerequisites

Before diving deeper, it helps to have a few basics covered. You should be logged in with an administrator account, you ideally have a recent backup or restore point, and you’re comfortable following instructions that involve Task Manager, Settings, and copying commands into Command Prompt or PowerShell.

Nothing here requires deep expertise, but you will touch some low-level parts of the system.

Step-by-Step Guide to Fixing lsass.exe High CPU

1. Confirm It’s the Genuine Local Security Authority Process

Start by ruling out the possibility that you’re dealing with a fake lsass.exe.

• Open Task Manager (Ctrl + Shift + Esc) and go to the Details tab.
• Find lsass.exe, right-click it, and select Open file location.

Now check that the file path is exactly C:\Windows\System32\lsass.exe, and that its Properties → Digital Signatures tab shows a valid Microsoft signature.

If the file lives in a different directory or the signature looks wrong, that’s a strong sign that something malicious is trying to impersonate LSASS. In that case, focus on malware cleanup first before any other tuning.

2. Observe the Pattern of High CPU Usage

Not all high CPU scenarios point to the same cause. The pattern matters. You might see LSASS running hot almost immediately after boot and staying that way, spiking heavily during sign-in or unlock and staying high for a long time, or only misbehaving when you connect to a VPN or join a work network/domain.

As you use the machine, note whether LSASS calms down if you disconnect from Wi-Fi or unplug Ethernet, or if turning off your VPN or closing a specific app makes a difference. Those observations will help you identify whether your main suspect should be the OS, a driver, a security tool, or network/authentication settings.

3. Run Deep Malware Scans (Including Offline Scan)

Even when lsass.exe itself is legitimate, credential-stealing malware can inject into it and cause high CPU usage as a side effect. So a deeper malware check is worth doing early.

Use Windows’ own tools first:

1. Open Windows Security → Virus & threat protection → Scan options.
2. Run a Full scan and allow it to finish.
3. After that, choose Microsoft Defender Offline scan. The system will reboot into a special environment and run a scan before Windows starts.

You can complement this with a reputable second-opinion scanner (an on-demand antivirus from a well-known vendor). Avoid random “optimizers” or “PC boosters”; they rarely help and can make things worse.

Once scans are clean and any detections have been removed, reboot and monitor lsass.exe again. If high CPU usage continues, move on to system and driver-level fixes.

4. Update Windows and Device Drivers

Bugs or incompatibilities in Windows builds and drivers can cause LSASS to do extra work. Start by making sure Windows itself is up to date: open Settings → Windows Update, check for updates, install all important and security updates, and then restart.

After that, focus on devices closely tied to authentication and networking:

• Network adapters (Wi-Fi and Ethernet)
• VPN clients and their virtual adapters
• Smart card readers and biometric devices
• Security and endpoint protection drivers

Use Device Manager or your hardware vendor’s support site to install the latest drivers. Once everything is updated, reboot and see how lsass.exe behaves during normal work.

5. Check for Conflicting Security or Identity Software

LSASS is a common hook point for security tools. If you have several of them trying to intercept the same operations, performance can suffer badly. Think about what’s installed: third-party antivirus or “Internet Security” suites, corporate EDR/monitoring agents, VPN clients that integrate deeply with Windows logon, and smart card or identity management software.

A good way to test for conflicts is a clean boot:

1. Press Win + R, type msconfig, and press Enter.
2. On the Services tab, check Hide all Microsoft services, then click Disable all.
3. For startup apps:
   • On Windows 10, click Open Task Manager and disable non-essential startup items there.
   • On Windows 11, use Settings → Apps → Startup to temporarily turn off unnecessary items.
4. Restart the PC.

If CPU usage is suddenly normal, it means something you disabled is likely the culprit. Re-enable services and startup apps in small groups, restarting between changes, until LSASS starts misbehaving again. The last group you turned back on probably contains the problematic component.

When you find the offender, update it to the latest version or replace it with an alternative. If it’s a corporate agent, you may need to contact your IT department rather than uninstalling it yourself.

6. Repair System Files with SFC and DISM

Damaged or partially updated system files can cause stubborn LSASS issues even when everything else looks fine.
To repair system files:

1. Open Command Prompt as administrator (search for “cmd”, right-click, Run as administrator).
2. Run System File Checker:

sfc /scannow

Wait for the scan to finish. If it reports that it found and repaired errors, restart your PC and test LSASS again.

3. Then run DISM to repair the system image:

DISM /Online /Cleanup-Image /RestoreHealth

When DISM has completed its work, restart once more. At this point, many underlying OS inconsistencies that can
affect LSASS should be resolved.

7. Look for Logon Failures and Problematic Network Resources

LSASS does the heavy lifting for authentication. If something keeps hammering it with bad credentials or repeated connection attempts, CPU usage will reflect that. Typical offenders include old mapped network drives using outdated or wrong passwords, background services or scheduled tasks that run under a broken account, and misconfigured SMB shares or NAS devices.

On a home or small office system, start with a bit of cleanup:

• Open File Explorer → This PC and disconnect mapped network drives you no longer use.
• Go to Control Panel → Credential Manager and remove stale Windows credentials that point to old servers or devices.

Then, try a simple test: completely disconnect from the network (turn off Wi-Fi and unplug Ethernet) and watch lsass.exe. If CPU usage drops back to normal and only spikes once you reconnect, you’re likely dealing with a network or credential issue rather than a pure OS problem.

On domain-joined machines in a corporate environment, LSASS may also be stressed by noisy clients or misconfigured applications repeatedly making bad logon attempts. That’s usually something your IT or security team needs to investigate via domain logs.

8. Advanced: Inspect LSASS-Related Event Logs (Optional)

If you’re comfortable with Event Viewer, you can dig deeper into what LSASS is handling. Two places to look are Windows Logs → Security, to spot recurring failed logons or unusual authentication activity, and Windows Logs → System, for warnings or errors related to Kerberos, NetLogon, or LSASS.

You don’t need to interpret every event ID, but patterns help. If you consistently see bursts of failures or logging noise around the times when CPU spikes, that’s a clue pointing to a particular user, machine, or application.

If you’re not familiar with Event Viewer, you can skip this step; the previous ones solve most home and small office scenarios.

9. Last Resort: Repair Install or Reset

If you’ve verified lsass.exe is genuine and properly signed, performed thorough malware scans and clean-up, updated Windows and key drivers, isolated or removed conflicting security products, repaired system files with SFC and DISM, and cleaned up old network connections and credentials, yet LSASS still sits at high CPU usage, your Windows installation may be too damaged to fix piecemeal.

At that point, consider an in-place repair install or a full Reset this PC.
For a repair install, download the official Windows 10/11 ISO from Microsoft, run setup.exe from within Windows, and choose the option to keep your personal files and apps. For a reset, use Settings → System → Recovery → Reset this PC and choose whether to keep your files or remove everything.

Afterward, reinstall your applications carefully rather than dumping everything back at once. That way you can quickly spot if a particular tool brings the LSASS problem back.

Validation and Testing

When you believe you’ve resolved the issue, confirm it instead of assuming. First, test at idle: boot normally, sign in, open Task Manager, and let the PC sit for 5–10 minutes. LSASS should spend most of the time near 0% CPU, with only brief spikes.

Then work as you normally would: open your browser, email, chat, maybe your VPN, and run through the tasks that previously seemed to trigger slowdowns. The system should now feel responsive, and lsass.exe shouldn’t be dominating the CPU charts.

If there was a specific trigger earlier—such as connecting to a particular share or launching a certain app—recreate that scenario deliberately to make sure it no longer causes trouble. Running another full antivirus scan a bit later is also a good habit, just to confirm nothing new has appeared.

Security Hardening: Avoid LSASS Problems in the Future

Once things are stable, a bit of hygiene goes a long way. Keep Windows and drivers updated so you benefit from bug fixes and security patches, allow automatic updates, and reboot regularly so they actually install.

Stick to one primary security solution. Running multiple antivirus or “security suite” products at the same time can cause them to clash, especially around LSASS. If you uninstall a third-party product, make sure Microsoft Defender or another reputable solution is active.

Be careful with low-level tweaks and tools that hook into logon and credential handling. Use trusted, well-known password managers and security tools, and avoid vague “system optimizers” that claim to boost performance by adjusting everything in sight.

Finally, clean up old network connections and credentials every so often, and keep devices like NAS boxes updated. Fewer broken authentication attempts mean less unnecessary work for LSASS.

Conclusion

The Local Security Authority Process (lsass.exe) is a core part of how Windows handles authentication and protects credentials. When it starts using too much CPU, the entire system shows it—slow logons, laggy apps, and sometimes reliability problems.

Most of the time, though, the root cause is something you can fix: malware, buggy drivers, conflicting security tools, damaged system files, or misbehaving network credentials. By working through the steps in this guide, you can systematically rule out each category and bring LSASS back to normal behavior.

If you eventually decide to repair or reinstall Windows, treat that as a clean slate and be selective about what you put back. The goal isn’t just to stop LSASS from maxing your CPU today, but to keep your system fast, stable, and secure going forward.

FAQ