When my computer has boots up I get a pop up stating “Windows cannot
find ‘C:\WINDOWS\system\|sass.exe’. make sure you type the name
correctly, and then try again. to search for a file click the Start
button, and then click Search.”
How do I get rid of it?
This question shows one of the very subtle ways that virus writers
try to fool you.
And there’s no question, you have, or had, a virus.
Become a Patron of Ask Leo! and go ad-free!
Consider the following list of file names:
|
They all look similar, don’t they? In fact, depending on your
machine and installed fonts, some of them may look identical. But they
are four very different file names (vertical bar – sass.exe, lower
case “L” – sass.exe, lower case “I” – sass.exe, and the number one –
sass.exe). One of these names is legitimate.
though it does require caution.”
In fact, not only is it legitimate, but it’s a required Windows component.
Your system won’t run without it.
The rest? Malware. Malware trying to look like a required system
file.
My guess is that your anti-virus scan caught the malware at some
point and removed the actual file in question. But what it didn’t do is
remove the registry entry that caused that file to be automatically run
at start up.
Fortunately, that’s a relatively easy fix, though it does require
caution.
Grab a copy of the free autoruns utility from Microsoft. Fire it up and after it
scans your system startup entries you’ll see a screen much like
this:
There are many places that Windows can be instructed to run software
automatically, and autoruns attempts to display them all.
Now, pay careful attention to exactly how the start
up entry is spelled in that error message. I can’t stress this enough –
virus writers are counting on you to get this wrong, since getting it
wrong can render your system unbootable.
Press CTRL+F and enter the base name of what you’re
looking for. In the case of the question asked here, enter
|sass.exe (that’s a vertical bar followed by
sass.exe). Press Find Next.
If there’s an auto-run entry that references that name (and by the
error message you’re getting, there is), autoruns will find it.
|
Important: make absolutely sure the entry is |
Dismiss the search box and press CTRL+D to delete
the entry that it found. You might consider repeating the search just
in case there’s another reference.
Reboot your system and your warning should be gone.
Now, I don’t have that virus on my system, so I’m going to show you
what you should not delete:
This shows a reference in autoruns to the valid, legitimate and
required “lsass.exe”. There are several clues that this is the
legitimate and proper file that should not be deleted:
-
The name is spelled properly: “l”, “s”, “a”, “s”, “s” .exe.
-
Microsoft is listed as the vendor.
-
The location referenced is correct (%SYSTEMROOT%\system32\lsass.exe)
– it uses both the “%SYSTEMROOT%” variable, as Windows would, it’s the
correct name (“lsass.exe”), and it’s in the correct folder:
system32.
Typically a virus attempt will at a minimum get the filename wrong,
and if it gets the filename right it’ll likely get the location
wrong.
Do not delete the entries referencing
“%SYSTEMROOT%\system32\lsass.exe”. But if the filename matches the
error message you’re seeing, and it’s clearly not the “real” lsass,
then delete or disable it to remove the warning.
Or, if you’re not sure and want to be extra cautious, consult your
local Windows computer geek. 
welldone , thank you very much.
I do not need to worry about the sass series but I find the autorun program useful.
Good article Leo
I struck this problem on 2 machines last month, and it took hours of googling to learn exactly what you have layed out above.
In my case the problem was caused by the QQpass Trojan.
I saved one computer but had to wipe the other.
hi.i’m taking an error like this ..Windows cannot find ‘s’ ” error message on login..Looks like same this error (“Windows cannot find |sass.exe”) but i cant find ‘s’ folder anywhere..i cant find ‘s’ via this programme(autoruns)..What can i do?
my problem is very similiar, but has the small lsass.exe. this error message starts right at startup and will not let me do anything. It also has a counter in 60 seconds the computer will reboot and it keeps doing this. Is there any way to help!!!!
I cannot connect to the internet, and windows I believe has been lost on my computer, everytime I turn on the computer, it says that the disc drives cannot be found, then I have to press F1 just to get to the icons, but when I do it’s saying that windows cannot be found, or it’s damaged and to reinstall windows, why is this happening, and how do I fix this problem? by the way I don’t have the windows installation disc any longer.
I recently bought a antivirus program, scanned my system, and it quarantined a virus. I went through all the steps, and I thought it finished the virus off, but aftewards, I started getting a similar message every 30 minutes or so:
“Windows cannot find ‘C:\Users\Philip\AppData\Local\Temp\NEW65B5.tmp.exe’. Make sure you typed the name correctly, and then try again.”
This loops. Every 30 minutes (roughly – I haven’t timed it.)
Is this the same problem, or very similar? I’m just hoping I can download autoruns and get rid of this problem. But I got a nasty feeling it’s probably something a lot worse…
Thanks!