lsaiso.exe - Credential Guard Isolated LSA Process [2026]
Windows executable, Low Risk
lsaiso.exe is the Credential Guard isolated LSA process that protects credentials using virtualization-based security. Indicates enhanced security posture when running.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Low |
| Abuse Potential | Very Low |
| Prevalence | Growing |
| Risk Score | 15/100 |
lsaiso.exe is a security-enhancing process that protects credentials via virtualization-based security.
Overview
What is lsaiso.exe?
lsaiso.exe (LSA Isolated) is the Credential Guard component that runs in a virtualization-based security (VBS) isolated environment to protect credential secrets.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | lsaiso.exe |
| Developer | Microsoft Corporation |
| Digital Signature | Microsoft Windows |
| Feature | Credential Guard |
| Type | Isolated Process |
Technical Details
| Property | Description |
|---|---|
| Process Type | Isolated User Mode (IUM) |
| Virtualization | Runs in VBS secure world |
| Purpose | Protect credential secrets |
| Protection | Hardware-isolated |
lsaiso.exe presence indicates Credential Guard is enabled, significantly reducing credential theft risks.
Normal Behavior
Legitimate Characteristics
Process: lsaiso.exe
Location: C:\Windows\System32\lsaiso.exe
Protection: VBS isolated
User: NT AUTHORITY\SYSTEM (virtual)
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Location | C:\Windows\System32\ |
| Protection | VBS isolation |
| Visibility | Special isolated process |
| Instances | Single when CG enabled |
| Network | None |
Credential Guard Benefits
| Protection | Description |
|---|---|
| NTLM hash | Protected from extraction |
| Kerberos tickets | Isolated storage |
| Credential secrets | Hardware protected |
| Mimikatz defense | Blocks typical attacks |
Common Locations
C:\Windows\System32\lsaiso.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Wrong location | Critical | Not in System32 |
| Missing VBS | High | Running without VBS |
| Impersonation | Critical | Fake process |
| Multiple instances | High | Should be single |
Security Positive
lsaiso.exe presence indicates:
- Credential Guard enabled
- VBS active
- Enhanced credential protection
- Reduced attack surface
If Missing When Expected
| Scenario | Concern |
|---|---|
| Expected CG but no lsaiso | CG misconfigured |
| Was running, now gone | Potential tampering |
| Never present | CG not enabled |
Abuse Techniques
Minimal Abuse Potential
lsaiso.exe abuse is extremely limited:
- Runs in VBS isolation
- Hardware-protected
- No accessible attack surface
- Cannot be injected into
- Cannot be terminated normally
Theoretical Attacks
| Attack | Feasibility |
|---|---|
| Impersonation | Easy to detect |
| Injection | Blocked by VBS |
| Termination | Requires VBS bypass |
| VBS escape | Extremely difficult |
What Attackers Try Instead
When Credential Guard is active:
- Attackers avoid credential dumping
- Focus on other attack vectors
- May try to disable CG (requires reboot)
- Look for non-protected credentials
Detection Guidance
Sysmon Configuration
```xml
<RuleGroup name="lsaiso Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="contains">lsaiso</Image>
  </ProcessCreate>
</RuleGroup>
```
Sigma Rule
```yaml
title: Suspicious lsaiso.exe Location
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\lsaiso.exe'
  filter:
    Image: 'C:\Windows\System32\lsaiso.exe'
  condition: selection and not filter
falsepositives:
  - None expected
level: critical
```
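The same logic as the Sigma rule above (Image ends with `\lsaiso.exe` and is not the System32 copy), applied to local process-creation events from PowerShell. This is an added example, not part of the original page; it assumes Sysmon is installed and logging to Microsoft-Windows-Sysmon/Operational, and the function name and parameters are my own.

```powershell
# Added example: applies the Sigma rule's selection/filter to local
# process-creation events. Assumes Sysmon is installed; for Security
# event 4688 call it with -LogName Security -EventId 4688 -ImageField NewProcessName.
$script:ExpectedLsaisoPath = 'C:\Windows\System32\lsaiso.exe'

function Get-SuspiciousLsaisoEvents {
    param(
        [string]$LogName    = 'Microsoft-Windows-Sysmon/Operational',
        [int]$EventId       = 1,
        [string]$ImageField = 'Image',
        [datetime]$Since    = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $image = $data[$ImageField]
        if (-not $image) { continue }
        # selection: Image|endswith '\lsaiso.exe' (-like is case-insensitive, as in Sigma)
        if ($image -notlike '*\lsaiso.exe') { continue }
        # filter: the legitimate System32 binary is excluded
        if ($image -ieq $script:ExpectedLsaisoPath) { continue }
        # Sysmon names the parent ParentImage; 4688 names it ParentProcessName
        $parent = if ($data['ParentImage']) { $data['ParentImage'] } else { $data['ParentProcessName'] }
        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            Image       = $image
            CommandLine = $data['CommandLine']
            Parent      = $parent
            RecordId    = $ev.RecordId
        }
    }
}

# Anything returned here matches the Sigma rule and should be investigated
Get-SuspiciousLsaisoEvents | Format-Table -AutoSize
```

The function returns one object per matching event so the output can be piped to `Export-Csv` or compared across hosts; an empty result means no process named lsaiso.exe was started from outside System32 in the window.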
Credential Guard Verification
```powershell
# Check if Credential Guard is running
# SecurityServicesRunning is an array of service ids: 1 = Credential Guard, 2 = HVCI
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object VirtualizationBasedSecurityStatus, SecurityServicesRunning
# Check for lsaiso process
Get-Process lsaiso -ErrorAction SilentlyContinue
```
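A one-shot check of the live lsaiso.exe and Credential Guard state against the Red Flags table and the "If Missing When Expected" scenarios above. This is an added example, not code from the original page; the function name, the verdict strings and the use of `Get-AuthenticodeSignature` and `Get-NetTCPConnection` are my own choices, and the script should be run elevated so process paths are readable.

```powershell
# Added example: evaluates the live state against the red flags and
# "missing when expected" scenarios. Not part of the original page.
function Test-LsaisoState {
    $expectedPath = 'C:\Windows\System32\lsaiso.exe'
    $findings = [System.Collections.Generic.List[string]]::new()

    # --- VBS / Credential Guard state from the DeviceGuard WMI class ---
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
    $vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = ($dg.SecurityServicesRunning -contains 1)

    # --- lsaiso.exe process inventory ---
    $procs = @(Get-Process -Name lsaiso -ErrorAction SilentlyContinue)

    if ($procs.Count -eq 0) {
        if ($cgConfigured)  { $findings.Add('Expected CG but no lsaiso: configured but not running (misconfiguration or tampering)') }
        elseif ($cgRunning) { $findings.Add('WMI reports Credential Guard running but no lsaiso.exe process found') }
        else                { $findings.Add('lsaiso.exe absent and Credential Guard not configured: CG not enabled') }
    }
    else {
        if ($procs.Count -gt 1) { $findings.Add("Multiple instances: $($procs.Count) lsaiso.exe processes (expected one)") }
        if (-not $vbsRunning)   { $findings.Add('Missing VBS: lsaiso.exe running but VBS not reported as running') }
        foreach ($p in $procs) {
            $path = $p.Path   # may be $null for the isolated process when not elevated
            if ($path) {
                if ($path -ine $expectedPath) { $findings.Add("Wrong location: PID $($p.Id) image at $path") }
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $findings.Add("Impersonation: PID $($p.Id) signature status $($sig.Status)")
                }
            }
        }
        # The real process has no network activity; a look-alike might
        $net = Get-NetTCPConnection -OwningProcess $procs.Id -ErrorAction SilentlyContinue
        if ($net) { $findings.Add('Network: lsaiso.exe owns TCP connections (expected none)') }
    }

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaisoInstances           = $procs.Count
        Findings                  = $findings
        Verdict                   = if ($findings.Count -eq 0 -and $cgRunning) { 'Credential Guard active, lsaiso.exe healthy' } else { 'Review findings' }
    }
}

Test-LsaisoState
```

The `Findings` list maps directly onto the table rows (Wrong location, Missing VBS, Impersonation, Multiple instances) and onto the three "missing" scenarios, so a non-empty list tells the investigator which row to start from.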
Remediation Steps
Enable Credential Guard
```powershell
# Enable via Group Policy
# Computer Configuration > Administrative Templates >
# System > Device Guard > Turn On Virtualization Based Security
# Set Credential Guard to "Enabled with UEFI lock"
# Or via registry (run elevated; a reboot is required for the change to take effect)
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
Set-ItemProperty -Path $regPath -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# 1 = Secure Boot only, 3 = Secure Boot plus DMA protection
Set-ItemProperty -Path $regPath -Name RequirePlatformSecurityFeatures -Value 3 -Type DWord
# Credential Guard itself is switched on under the Lsa key:
# LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LsaCfgFlags -Value 1 -Type DWord
```
Verify Status
```powershell
# Check VBS status
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# Verify lsaiso is running
if (Get-Process lsaiso -ErrorAction SilentlyContinue) {
    Write-Host "Credential Guard is active"
} else {
    Write-Host "Credential Guard not running"
}
```
Prerequisites
| Requirement | Description |
|---|---|
| UEFI | Secure Boot enabled |
| TPM | Version 2.0 recommended |
| Virtualization | CPU support required |
| 64-bit | Windows 10/11 Enterprise |
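A prerequisites check that tests each row of the table above before enabling Credential Guard. This is an added example, not from the original page; it assumes an elevated PowerShell session on Windows 10/11, and the edition match (`Enterprise|Education|Server`) is wider than the table's "Enterprise" because those editions also ship the feature.

```powershell
# Added example: checks the Credential Guard prerequisites from the table.
# Run elevated. Not part of the original page.
function Test-CredentialGuardPrerequisites {
    $results = [ordered]@{}

    # UEFI + Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems
    try   { $results['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $results['SecureBoot'] = $false }   # not UEFI, or cmdlet unsupported

    # TPM presence and spec version (2.0 recommended)
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $results['TpmPresent'] = [bool]$tpm
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec level
    $results['TpmVersion'] = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # CPU virtualization extensions enabled in firmware, or a hypervisor already running
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['VirtualizationEnabled'] = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    # 64-bit OS and an edition that ships Credential Guard
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['Is64Bit'] = ($os.OSArchitecture -like '64*')
    $results['Edition'] = $os.Caption
    # assumption: Enterprise per the table; Education and Server editions also support it
    $results['EditionSupported'] = ($os.Caption -match 'Enterprise|Education|Server')

    # What the platform itself advertises (AvailableSecurityProperties: 1 = VBS base, 2 = Secure Boot, 3 = DMA protection)
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $results['PlatformSecureBoot']    = ($dg.AvailableSecurityProperties -contains 2)
    $results['PlatformDmaProtection'] = ($dg.AvailableSecurityProperties -contains 3)

    # Hard requirements only; TPM and DMA protection improve but do not gate the feature
    $results['Ready'] = $results['SecureBoot'] -and $results['VirtualizationEnabled'] -and $results['Is64Bit'] -and $results['EditionSupported']
    [pscustomobject]$results
}

Test-CredentialGuardPrerequisites | Format-List
```

`PlatformDmaProtection` is worth reading before choosing `RequirePlatformSecurityFeatures = 3` in the registry step: on hardware without DMA protection, that value prevents VBS from starting, and `1` (Secure Boot only) is the workable setting.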
Investigation Checklist
Presence Verification
- Is lsaiso.exe running?
- Is it in correct location?
- Is Credential Guard configured?
- Is VBS active?
Security Status
- Are credentials protected?
- Any bypass attempts?
- Configuration changes?
If Missing
- Was CG previously enabled?
- Any recent system changes?
- Boot configuration modified?
- VBS still active?
Positive Indicators
- lsaiso running = CG active
- Credential theft mitigated
- Enhanced security posture