“lsm.exe” is the Local Session Manager Service in the Windows OS.
This process handles all the connections related to the terminal server on the hosted machine. “lsm.exe” is a core Windows process.
In this new series, we analyze Windows processes and provide threat hunting tips.
Image Path: %SystemRoot%\System32\lsm.exe
Parent Process: wininit.exe
Number of Instances: One
User Account: Local System
Start Time: Within seconds of boot time
Description: Local Session Manager handles terminal services, including Remote Desktop sessions as well as additional local sessions via Fast User Switching. It communicates with smss.exe to start new sessions. Smss in turn creates an additional csrss.exe and winlogon.exe to support the new session. Only one instance of this process should occur and it should never have child processes.
Taken From SANS Digital Forensics Poster
This process is located in C:\Windows\System32. Note that if it is not located in this path, it is a cyber-threat such as a virus, spyware, trojan or worm, capable of performing malicious tasks on your computer.
“Lsm.exe” Threat Hunting Tips:
There must be only 1 instance of lsm.exe on Windows 7 machines. You should NOT see this process on Windows 8 and Windows 10, where it runs as a service DLL (lsm.dll) instead.
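The baseline above can be turned into a check over a process snapshot. The following is an added example, not taken from the SANS poster or from the original article; the record fields (pid, ppid, name, path, user), the function name check_lsm and the sample data are assumptions made for illustration, and SystemRoot is assumed to be C:\Windows.

```python
# Added example: compare lsm.exe entries in a process snapshot with the baseline.
# The record layout (pid, ppid, name, path, user) is an assumed export format.
EXPECTED_PATH = r"c:\windows\system32\lsm.exe"   # assumes SystemRoot = C:\Windows
SYSTEM_USERS = {"nt authority\\system", "system"}

def check_lsm(procs, windows7=True):
    """Return a list of (pid, reason) findings for lsm.exe anomalies."""
    by_pid = {p["pid"]: p for p in procs}
    lsm = [p for p in procs if p["name"].lower() == "lsm.exe"]
    if not windows7:
        # Windows 8 / 10: the service runs as lsm.dll, so any lsm.exe is unexpected.
        return [(p["pid"], "lsm.exe present on Windows 8/10") for p in lsm]
    findings = []
    if len(lsm) > 1:
        # The genuine process is flagged too; the other checks tell them apart.
        findings += [(p["pid"], "more than one lsm.exe instance") for p in lsm]
    for p in lsm:
        if p["path"].lower() != EXPECTED_PATH:
            findings.append((p["pid"], "unexpected image path: " + p["path"]))
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["name"].lower() != "wininit.exe":
            findings.append((p["pid"], "parent is not wininit.exe"))
        if p["user"].lower() not in SYSTEM_USERS:
            findings.append((p["pid"], "not running as Local System"))
        for child in procs:
            if child["ppid"] == p["pid"]:
                findings.append((p["pid"], "has child process " + child["name"]))
    return findings

def proc(pid, ppid, name, path, user="NT AUTHORITY\\SYSTEM"):
    return {"pid": pid, "ppid": ppid, "name": name, "path": path, "user": user}

# Constructed sample snapshot (not real telemetry): one genuine lsm.exe and
# one look-alike started from a user-writable directory.
CLEAN = [
    proc(400, 320, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    proc(520, 400, "lsm.exe", r"C:\Windows\System32\lsm.exe"),
]
SAMPLE = CLEAN + [
    proc(2044, 1980, "explorer.exe", r"C:\Windows\explorer.exe", "CORP\\alice"),
    proc(3100, 2044, "lsm.exe", r"C:\Users\Public\lsm.exe", "CORP\\alice"),
    proc(3200, 3100, "cmd.exe", r"C:\Windows\System32\cmd.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for pid, reason in check_lsm(SAMPLE):
        print(pid, reason)
```

Start time is not checked here because the assumed record format carries no timestamps.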