How do I get rid of a "Windows cannot find |sass.exe" error message on login?

Home » Windows » Windows Configuration

Summary: Windows runs software when you log in, but if it can't be found, Windows reports an error. This can happen after an incomplete virus removal.

This question shows one of the very subtle ways that virus writers try to fool you.

And there's no question, you have, or had, a virus.

•

Consider the following list of file names:

They all look similar, don't they? In fact, depending on your machine and installed fonts, some of them may look identical. But they are four very different file names (vertical bar - sass.exe, lower case "L" - sass.exe, lower case "I" - sass.exe, and the number one - sass.exe). One of these names is legitimate.

In fact, not only is it legitimate, but it's a required Windows component. Your system won't run without it.

The rest? Malware. Malware trying to look like a required system file.

My guess is that your anti-virus scan caught the malware at some point and removed the actual file in question. But what it didn't do is remove the registry entry that caused that file to be automatically run at start up.

Fortunately, that's a relatively easy fix, though it does require caution.

Grab a copy of the free autoruns utility from Microsoft. Fire it up and after it scans your system startup entries you'll see a screen much like this:

There are many places that Windows can be instructed to run software automatically, and autoruns attempts to display them all.

Now, pay careful attention to exactly how the start up entry is spelled in that error message. I can't stress this enough - virus writers are counting on you to get this wrong, since getting it wrong can render your system unbootable.

Press CTRL+F and enter the base name of what you're looking for. In the case of the question asked here, enter |sass.exe (that's a vertical bar followed by sass.exe). Press Find Next.

If there's an auto-run entry that references that name (and by the error message you're getting, there is), autoruns will find it.

Dismiss the search box and press CTRL+D to delete the entry that it found. You might consider repeating the search just in case there's another reference.

Reboot your system and your warning should be gone.

Now, I don't have that virus on my system, so I'm going to show you what you should not delete:

This shows a reference in autoruns to the valid, legitimate and required "lsass.exe". There are several clues that this is the legitimate and proper file that should not be deleted:

• The name is spelled properly: "l", "s", "a", "s", "s" .exe.

• Microsoft is listed as the vendor.

• The location referenced is correct (%SYSTEMROOT%\system32\lsass.exe) - it uses both the "%SYSTEMROOT%" variable, as Windows would, it's the correct name ("lsass.exe"), and it's in the correct folder: system32.

Typically a virus attempt will at a minimum get the filename wrong, and if it gets the filename right it'll likely get the location wrong.

Do not delete the entries referencing "%SYSTEMROOT%\system32\lsass.exe". But if the filename matches the error message you're seeing, and it's clearly not the "real" lsass, then delete or disable it to remove the warning.

Or, if you're not sure and want to be extra cautious, consult your local Windows computer geek.

Related:

• What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am? LSASS is a Windows component shown in error messages, often due to a virus infection such as Sasser. Learn about LSASS, LSASS.EXE and how to stay safe.

• Can I delete lsass.exe? svchost.exe? Lsass.exe and svchost.exe are required system files for Windows NT, 2000 and XP. If you delete them without care your system may become unbootable.

• How do I determine what I absolutely need to load at startup? Windows startup is a complex process further complicated by the number of software packages that add themselves to the list. Paring it down takes work.

Article 12592 | Posted August 1, 2008