The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation

Essential Windows Services: Security Accounts Manager / SamSs

Security Accounts Manager Service

What is the Security Accounts Manager (SamSs) service?

The Security Accounts Manager service administers the database of user and group account information stored on your computer. The service helps to authenticate local and remote users logging on to your PC.

The service’s display name is SamSs and it’s hosted in the LSA process, lsass.exe. By default, the service is set to start automatically when your computer boots:

Security Accounts Manager Windows Service

What happens if I stop SamSs?

The following services depend on SamSs:

SamSs Service dependencies

That means that if you stop SamSs, those services will stop as well. And that may cripple your computer.

For example, if the Server service stops, file and printer sharing won’t work. Are those features important to you?

In any case, you may find it next to impossible to stop the SamSs service!

You will notice that the stop button is disabled in the Services application:

SamSs stop button disabled

And the SC command informs us that the service is not stoppable, cannot be paused and ignores shutdown requests:

SC Query SamSs

Apparently Microsoft really doesn’t want anyone to disturb the Security Accounts Manager service!

Is it OK to disable the Security Accounts Manager service?

The service’s description states:

 Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.

Indeed, Microsoft reiterates their recommendation to keep the service enabled on Windows Server 2016 (with Desktop Experience).

What happens if I kill the SamSs process (lsass.exe)?

The Security Accounts Manager service runs inside the lsass.exe process, which multiple services may share.

For example, here you see three services — SamSs, VaultSvc (Credential Manager), and Keyslo (CNG Key Isolation) — all running in the same instance of lsass.exe (with PID 708):

lsass.exe is running multiple services

Because all three services are running in the same process, terminating the process will stop all three services.

That’s probably OK for the CNG Key Isolation service but Credential Manager is a building block for another three services. Be sure to understand the implication of terminating the Credential Manager service before killing the shared lsass process.

The SamSs service isn’t starting. Help!

If Security Accounts Manager failed to start, it is likely that the important Remote Procedure Call (RPC) service didn’t start either.

Open Services and check if someone has disabled the RPC service. If so, you should definitely re-enable it.

After that, try to start the RPC service. If that works, you can start SamSs next.

Questions? Problems?

If you would like to know more about the Security Accounts Manager service, or you have a specific problem, please feel free to get in touch. We will do our best to help you!

Posted in Windows Services | Tagged , , , , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *