How to Check if Your Windows 11 PC is Protected by LSA
You check if your Windows 11 PC is protected by LSA Protection by looking for the LSA Protection setting in your Windows Security app.
LSA Protection, also known as Local Security Authority Protection, is a crucial security feature in Windows that helps prevent malicious actors from tampering with sensitive security data. Enabling it guards against credential theft and other sophisticated attacks.
For instance, LSA Protection is a critical defense against credential harvesting malware that attempts to steal passwords and authentication tokens stored by the Local Security Authority Subsystem Service (LSASS).
If the setting is toggled on, your system is actively protected. You can confirm this by navigating to Windows Security > Device security > Core isolation details.
You can check LSA Protection in Windows Security under Device security > Core isolation details. If the setting is toggled on, your system is protected. Alternatively, open Event Viewer and filter for Event ID 12 from the Wininit source to see if LSASS.exe is running as a protected process.
What is LSA Protection?
LSA Protection is a Windows security feature that acts like a bodyguard for your computer’s sensitive info, like passwords. It stops bad guys and sneaky programs from getting to important details stored by your system.
LSA Protection strengthens computer security by running the Local Security Authority process in a special protected mode. This protected mode prevents unauthorized programs from accessing or changing sensitive security information on the computer. The LSA Protection security feature makes it much harder for hackers to tamper with the computer's security functions.
Windows also has another protection called Core Isolation, which works in a similar way to keep your PC safe.
How to Check if LSA Protection is On
You can check if LSA Protection is on in Windows 11 using the Event Viewer, a tool that shows your computer’s activity logs. This lets you see if this security feature is running to keep your system safe.
- Open Event Viewer: Click the Start button, type
eventvwr.msc, and press Enter.
Event Viewer System View - Find System Logs: In the left panel, click the arrow next to Windows Logs to expand it. Then click on System.
- Filter the Logs: Right-click on System and choose Filter Current Log…

Filter Current Log in Event Viewer - Enter Filter Details: In the filter box, type
12in the Event IDs box. Then click the dropdown for Event sources and select Wininit. Click OK.
Set Event ID and Source Filter - Check the Log Message: Look for a message that says: “LSASS.exe was started as a protected process with level 4”. This message means LSA Protection is active on your PC.

LSASS Protected Process Log
Local Security Authority (LSA) protection safeguards your computer from attacks that target the security process. Seeing a confirmation message indicates your Windows 11 PC has this valuable protection active, preventing unauthorized access to sensitive security information and data.
Why Does This Matter?
LSA Protection matters because it makes it much harder for hackers to steal your computer’s security details, like passwords. Keeping this feature on gives you peace of mind knowing your personal information is better protected from online threats.
Checking this yourself gives you peace of mind that your PC is secure. It’s a good habit to check security features regularly to stay protected.
Windows security features offer protection by using safeguards like Core Isolation. Core Isolation, a feature introduced with Windows 10 and present in Windows 11, creates a secure area in your computer's memory. This protected memory prevents malware from accessing sensitive data.
Summary
LSA Protection is a vital Windows security feature that shields your passwords and login details, and you can confirm it’s active using Event Viewer.
Should I turn on LSA in 🪟 Windows 11?
LSA protection makes LSASS more secure. This security feature runs LSASS as a protected process (PPL), which prevents untrusted code (even with administrative rights) from injecting into it.
What is LSA in 🪟 Windows 11?
Local Security Authority (LSA) protection Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins.
What does LSA protection do?
LSA performs security related tasks such as the verification of logon attempts and password changes. It also creates access tokens, enforces local security policies, and protects and adds security protection for stored credentials.
What is LSA protection set to enabled?
Enabling this setting provides added security for the credentials that LSA stores and manages. Impact: If additional LSA protection is enabled, Administrators will not be able to debug a custom LSA plugin. A debugger cannot be attached to LSASS when it's a protected process.
Was this guide helpful?
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.
No comments yet — be the first to share your thoughts!