Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How do I get rid of a "Windows cannot find |sass.exe" error message on login?


When my computer has boots up I get a pop up stating “Windows cannot
find ‘C:\WINDOWS\system\|sass.exe’. make sure you type the name
correctly, and then try again. to search for a file click the Start
button, and then click Search.”

How do I get rid of it?

This question shows one of the very subtle ways that virus writers
try to fool you.

And there’s no question, you have, or had, a virus.

Become a Patron of Ask Leo! and go ad-free!

Consider the following list of file names:


They all look similar, don’t they? In fact, depending on your
machine and installed fonts, some of them may look identical. But they
are four very different file names (vertical bar – sass.exe, lower
case “L” – sass.exe, lower case “I” – sass.exe, and the number one –
sass.exe). One of these names is legitimate.

“Fortunately, that’s a relatively easy fix,
though it does require caution.”

In fact, not only is it legitimate, but it’s a required Windows component.
Your system won’t run without it.

The rest? Malware. Malware trying to look like a required system

My guess is that your anti-virus scan caught the malware at some
point and removed the actual file in question. But what it didn’t do is
remove the registry entry that caused that file to be automatically run
at start up.

Fortunately, that’s a relatively easy fix, though it does require

Grab a copy of the free autoruns utility from Microsoft. Fire it up and after it
scans your system startup entries you’ll see a screen much like

Autoruns default screen

There are many places that Windows can be instructed to run software
automatically, and autoruns attempts to display them all.

Now, pay careful attention to exactly how the start
up entry is spelled in that error message. I can’t stress this enough –
virus writers are counting on you to get this wrong, since getting it
wrong can render your system unbootable.

Press CTRL+F and enter the base name of what you’re
looking for. In the case of the question asked here, enter
|sass.exe (that’s a vertical bar followed by
sass.exe). Press Find Next.

If there’s an auto-run entry that references that name (and by the
error message you’re getting, there is), autoruns will find it.

Important: make absolutely sure the entry is
not “lsass.exe” – the letters “l”, “s”, “a”, “s”, “s”
.exe. That is a required system component. Deleting that may make your
system unbootable.

Dismiss the search box and press CTRL+D to delete
the entry that it found. You might consider repeating the search just
in case there’s another reference.

Reboot your system and your warning should be gone.

Now, I don’t have that virus on my system, so I’m going to show you
what you should not delete:

Autoruns showing a reference to lsass.exe

This shows a reference in autoruns to the valid, legitimate and
required “lsass.exe”. There are several clues that this is the
legitimate and proper file that should not be deleted:

  • The name is spelled properly: “l”, “s”, “a”, “s”, “s” .exe.

  • Microsoft is listed as the vendor.

  • The location referenced is correct (%SYSTEMROOT%\system32\lsass.exe)
    – it uses both the “%SYSTEMROOT%” variable, as Windows would, it’s the
    correct name (“lsass.exe”), and it’s in the correct folder:

Typically a virus attempt will at a minimum get the filename wrong,
and if it gets the filename right it’ll likely get the location

Do not delete the entries referencing
“%SYSTEMROOT%\system32\lsass.exe”. But if the filename matches the
error message you’re seeing, and it’s clearly not the “real” lsass,
then delete or disable it to remove the warning.

Or, if you’re not sure and want to be extra cautious, consult your
local Windows computer geek. Smile

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

7 comments on “How do I get rid of a "Windows cannot find |sass.exe" error message on login?”

  1. Good article Leo

    I struck this problem on 2 machines last month, and it took hours of googling to learn exactly what you have layed out above.
    In my case the problem was caused by the QQpass Trojan.
    I saved one computer but had to wipe the other.

  2. hi.i’m taking an error like this ..Windows cannot find ‘s’ ” error message on login..Looks like same this error (“Windows cannot find |sass.exe”) but i cant find ‘s’ folder anywhere..i cant find ‘s’ via this programme(autoruns)..What can i do?

  3. my problem is very similiar, but has the small lsass.exe. this error message starts right at startup and will not let me do anything. It also has a counter in 60 seconds the computer will reboot and it keeps doing this. Is there any way to help!!!!

  4. I cannot connect to the internet, and windows I believe has been lost on my computer, everytime I turn on the computer, it says that the disc drives cannot be found, then I have to press F1 just to get to the icons, but when I do it’s saying that windows cannot be found, or it’s damaged and to reinstall windows, why is this happening, and how do I fix this problem? by the way I don’t have the windows installation disc any longer.

  5. I recently bought a antivirus program, scanned my system, and it quarantined a virus. I went through all the steps, and I thought it finished the virus off, but aftewards, I started getting a similar message every 30 minutes or so:

    “Windows cannot find ‘C:\Users\Philip\AppData\Local\Temp\NEW65B5.tmp.exe’. Make sure you typed the name correctly, and then try again.”

    This loops. Every 30 minutes (roughly – I haven’t timed it.)

    Is this the same problem, or very similar? I’m just hoping I can download autoruns and get rid of this problem. But I got a nasty feeling it’s probably something a lot worse…



Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.