Windows Internals
intermediate

LSASS, SAM, and local security policy

The protected security process and data stores behind local accounts and policy decisions.

Guided paths in this branch

Follow a short sequence step by step. Each path links to the first topic; use Read next on each page to continue.

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Credentials processes in Windows authentication

learn.microsoft.com

Microsoft Learn

Windows authentication architecture

learn.microsoft.com

Why it matters

If you want to understand local account validation, security policy, and why LSASS is so sensitive, this is the core topic.

Mental model

LSASS is the protected security authority; SAM is one of the authoritative stores it consults for local account information.

How it works

  1. 1LSASS hosts core security logic and manages authentication package interactions.
  2. 2For local accounts, SAM stores account records and password-derived data.
  3. 3Successful authentication contributes to logon session and token creation under local security policy.

Key terms

LSA
The Local Security Authority, the subsystem responsible for local security policy and sign-in decisions.
SAM database
The local database holding machine-local account information.

Signing in with a local machine account

The machine is not asking a domain controller. The decision is made using local security components and locally authoritative account data.

Common misconception

LSASS is not only a password checker. It is a broader security authority managing policy, package coordination, and logon state.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

intermediate

Kerberos, NTLM, and authentication packages

How Windows chooses and uses protocol packages to validate identities.

Next step in your guided path

intermediate

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Related topic

beginner

Registry & configuration

How Windows stores system and application configuration in hierarchical hives.

Related topic

Related topics

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Registry & configuration

How Windows stores system and application configuration in hierarchical hives.

Kerberos, NTLM, and authentication packages

How Windows chooses and uses protocol packages to validate identities.

Previous

Winlogon, LogonUI, and session sign-in

The visible and semi-visible path from secure attention to a fully signed-in session.

Next

Kerberos, NTLM, and authentication packages

How Windows chooses and uses protocol packages to validate identities.