Solved

High page file usage - lsass.exe using 2.2GBs

Posted on 2007-11-28
4
1,226 Views
Last Modified: 2008-03-04
Morning -

Exchange 2003 Enterprise configured in a two node active passive cluster.
4GBs of RAM installed and using 3GB switch.

Noticed that lsass.exe is using 2.2GBs.  Recrcmon.exe using 1.3GB.  Store using 672MB.
Server is a bit sluggish. When remoting to it  - receive out of resource errors.  Cannot run System Manager for same reason.

Do not think server is infected with sasser.

Any ideas?
0
Comment
Question by:javajo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 6

Expert Comment

by:ashutosh_kumar
ID: 20365900
Are you noticing any account lockout issues?

lsass.exe using 2.2 GBs is strange...there is possibility of virus on the server.

Please scan your system with antivirus.
0
 

Author Comment

by:javajo
ID: 20366000
Am noticing instances where i need to authenticate to server....

0
 
LVL 6

Accepted Solution

by:
ashutosh_kumar earned 500 total points
ID: 20366040
lsass.exe is the process that is responsible for Authentication and runs the Security Account Manager...

so, if there is a random password attack on a system then the CPU and memory usage of this process increases drastically.

use process explorer from
http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

check the publisher of each process running and also its description...shut down unwanted process....

for the services the process explorer shows an extra tab in the properties of the process...check which services each process its running...
0
 

Author Comment

by:javajo
ID: 20366071
Thanks ashutosh!

I failed over to secondary node and everything appears to be fine now.  other serevr is hardly using lsass.exe.  14MB of VM

lsass.exe is back to normal on the other server as well after a reboot...


if lsass.exe was indeed a virus - how would it appear in process explorer?
0

Featured Post

Enroll in June's Course of the Month

June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question