lsass.exe 50% CPU Usage while playing games

I can play for some time (maybe even an hour), but then it starts lagging really good.. and then in 1-3 minutes it goes away. I minimized the game and with process explorer, I saw that lsass.exe was taking 50% of the CPU and in some time it took 0% again. Why does this happen?

Sorry for only 25 points.. I don't have more :(
SaduffAsked:
 
SaduffAuthor Commented:
Hmm, seems like BitDefender Total Security 2009 was the problem after all..

After uninstalling it, I installed BitDefender GameSafe and with this, the problem seems to be gone.
Thanks everyone for helping me!
0
 
manav08Commented:
Sounds like traces of SASSER WORM. Check this out
"Local Security Authority Subsystem Service (LSASS), is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

The Sasser worm exploited a vulnerability in LSASS [1] to spread via a remote buffer overflow in computers running Microsoft Windows XP and Windows 2000. The worm is particularly potent in that it can spread without any interaction with humans, nor does it 'travel by email' like many other worms.

Should the lsass.exe program end, for example, by the Sasser worm's effects, then a countdown timer will appear on the screen, advising the user to save his work and close all programs before Windows shuts down. This timer, however, can be thwarted by changing the computer's date and time settings or by executing the shutdown -a command.

Forcible termination of lsass.exe will result in the Welcome screen losing its accounts, prompting a restart of the machine.
"

Extract taken from - http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
0
 
manav08Commented:
Here is how to remove it -

"If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool (http://vil.nai.com/vil/stinger/) to scan your system and remove the virus if present.  

Note: Infected systems should install the Microsoft update to be protected from the exploit used by this worm. See:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx "


Extract taken from - http://vil.nai.com/vil/content/v_125007.htm
0
 
SaduffAuthor Commented:
I have made a scan with BitDefender TS 2009 lately (well, not so lately), but that doesn't mean that I'm absolutely sure that there can't be viruses. But still, any other thoughts, if I won't find a virus?
0
 
johnb6767Commented:
Process Explorer for Windows v10.21
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

Double click lsass.exe one more time....Then Select the Threads tab, and see what .exe or .dll is using the CPU, and then select it by double clicking it....and copying/pasting the call stack here.....

Chances are it might not be lsass.exe, but a loaded module of the process....
0
 
manav08Commented:
Reply to Saduff:
No antivirus can give you 100% safety against MALWARE, SPYWARE, HIJACKERS, WORMS, ROOT KIT or VIRUSES. I suggest you use http://vil.nai.com/vil/stinger/ first and scan as per instructions.
If nothing found I suggest you follow johnb6767 recommendation and post the stack here for us.
0
 
SaduffAuthor Commented:
Fortunately (or unfortunately) the Stinger didn't find any viruses. ntdll.dll is using the CPU. Here's the call stack of lsass.exe:

TUKERNEL.EXE!ExReleaseResourceLite+0x24f
TUKERNEL.EXE!PsIsThreadImpersonating+0x27fd
TUKERNEL.EXE!ExAcquireSharedWaitForExclusive+0x132
TUKERNEL.EXE!IoGetRequestorProcessId+0x583
hal.dll+0x2ef2
LSASRV.dll!LsaIWriteAuditEvent+0x26c4
LSASRV.dll!LsaIWriteAuditEvent+0x2644
LSASRV.dll+0x8cb3b
LSASRV.dll+0x8dcaf
LSASRV.dll!DsRolerDcAsDc+0xcb2e
LSASRV.dll!LsarSetSecret+0xd5b5
LSASRV.dll+0x914d5
LSASRV.dll!LsarSetSecret+0xd7c3
LSASRV.dll!LsarSetSecret+0xdb42
LSASRV.dll!LsaIRegisterNotification+0x166f
ntdll.dll!RtlUpcaseUnicodeString+0x159
ntdll.dll!RtlUpcaseUnicodeString+0x197
ntdll.dll!RtlUpcaseUnicodeString+0x259
ntdll.dll!RtlUpcaseUnicodeString+0x230
kernel32.dll!GetModuleFileNameA+0x1b4
0
 
☠ MASQ ☠Commented:
What game? Are you playing it online or connected to a network while playing?
Are you playing in an admin or limited account? (If it will play in a limited account and you're currently playing it admin can you try in limited & see if you get the same problem?)
Assuming this is legitimate lsass.exe use then it is fielding local authorisation requests at the point that you get 50% usage so is there anything else running on your PC that might need to verify itself (email requests SQLServer, antivirus etc?) What happens if they are disabled while playing?
0
 
SaduffAuthor Commented:
It doesn't matter what game (and it wasn't an online game). If the game is taking 50% of the CPU and then lsass.exe is taking 50% CPU, it will lag really bad, but if the game takes 10-20% CPU, it won't lag. And there is Bitdefender Total Security running. lsass.exe started taking 50% CPU quite recently, it might be because of Mindsoft Utilities. It said that my CPU is not running at its maximum speed and applied some kind of tweaks.
0
 
manav08Commented:
Hi saduff,

Can you please download WEBROOT SPY SWEEPER and scan your PC? Let us know what it finds. It will not delete the virus but will at least point out where it lies.
http://www.liutilities.com/products/campaigns/plib/seplib/
0
 
johnb6767Commented:
Uninstall your TuneUp utilities...

Actually, find TUKERNEL.EXE and note the location. Is it in one of your known app's Program Files folder? Also, right click>Properties> and find out the maker just to be safe.. There are known viral processes that use this filename....

Jotti's malware scan 2.99
http://virusscan.jotti.org/

Scan it at the above link to be safe....

If it is a legit file, proceed to uninstall the app it belongs to....
0
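An added example (not part of the original thread) of triaging a pasted Process Explorer call stack like the one above: it tallies frames per module, flags an .exe whose frames resolve to kernel routine names but which is not a stock kernel image (as TUKERNEL.EXE does here), and marks frames where the symbol name is only a nearest-export guess. The prefix list, the 0x1000 offset cut-off and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Stock Windows XP kernel image names (uni/multiprocessor, with/without PAE).
STOCK_KERNELS = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}
# Heuristic: kernel executive routines start with one of these prefixes.
KERNEL_SYMBOL = re.compile(r"^(Ex|Ps|Io|Ke|Ki|Zw|Mm|Ob|Se)[A-Z]")
# Assumed cut-off: without symbol files Process Explorer shows the nearest
# export plus an offset, so a large offset means the name is only a guess.
WEAK_OFFSET = 0x1000

FRAME = re.compile(
    r"^(?P<module>[^!+\s]+)(?:!(?P<symbol>[^+\s]+))?(?:\+0x(?P<offset>[0-9A-Fa-f]+))?$"
)

# Excerpt of the first lsass.exe stack posted in the thread.
SAMPLE_STACK = """\
TUKERNEL.EXE!ExReleaseResourceLite+0x24f
TUKERNEL.EXE!PsIsThreadImpersonating+0x27fd
hal.dll+0x2ef2
LSASRV.dll!LsaIWriteAuditEvent+0x26c4
LSASRV.dll!LsarSetSecret+0xd5b5
ntdll.dll!RtlUpcaseUnicodeString+0x159
kernel32.dll!GetModuleFileNameA+0x1b4
"""


def parse_stack(text):
    """Return (module, symbol or None, offset) for every frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            offset = int(m.group("offset") or "0", 16)
            frames.append((m.group("module"), m.group("symbol"), offset))
    return frames


def triage(text):
    """Summarise which modules appear and which frames deserve a closer look."""
    frames = parse_stack(text)
    per_module = Counter(module.lower() for module, _, _ in frames)
    # An .exe that resolves kernel routine names but is not a stock kernel image
    # may be a renamed or patched kernel copy: check path, vendor and signature.
    kernel_like = sorted({
        module for module, symbol, _ in frames
        if symbol and KERNEL_SYMBOL.match(symbol)
        and module.lower().endswith(".exe")
        and module.lower() not in STOCK_KERNELS
    })
    # Frames whose symbol name cannot be trusted (bare module or far offset).
    weak = [f for f in frames if f[1] is None or f[2] > WEAK_OFFSET]
    return {"per_module": per_module, "kernel_like": kernel_like, "weak": weak}


if __name__ == "__main__":
    print(triage(SAMPLE_STACK))
```

A module listed under `kernel_like` is the one to locate on disk and check for vendor and signature before trusting any frame names beneath it.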
 
SaduffAuthor Commented:
I scanned with the Webroot Spy Sweeper and it did find some viruses and I removed them all..

I found the TUKERNEL.EXE at C:\WINDOWS\System32 but I think it has to be there. I scanned it and it was clean. I will uninstall Tuneup Utilities soon.
0
 
SaduffAuthor Commented:
Ok.. I uninstalled Tuneup Utilities, but it still happens..
0
 
SaduffAuthor Commented:
Sorry for this triple post, but now that Tuneup Utilities is uninstalled, this is the call stack of lsass.exe:

TUKERNEL.EXE!ExReleaseResourceLite+0x2b4
TUKERNEL.EXE!IoGetRequestorProcessId+0x583
hal.dll+0x2ef2
LSASRV.dll!LsaIWriteAuditEvent+0x2793
LSASRV.dll!LsaIWriteAuditEvent+0x2644
LSASRV.dll+0x8cb3b
LSASRV.dll+0x8dcaf
LSASRV.dll!DsRolerDcAsDc+0xcb2e
LSASRV.dll!LsarSetSecret+0xd5b5
LSASRV.dll+0x914d5
LSASRV.dll!LsarSetSecret+0xd7c3
LSASRV.dll!LsarSetSecret+0xdb42
LSASRV.dll!LsaIRegisterNotification+0x166f
ntdll.dll!RtlSetEnvironmentVariable+0x30a
ntdll.dll!RtlSetEnvironmentVariable+0x34b
ntdll.dll!RtlSetEnvironmentVariable+0x40d
ntdll.dll!RtlSetEnvironmentVariable+0x3e4
kernel32.dll!GetModuleFileNameA+0x1b4
0
 
☠ MASQ ☠Commented:
TUKernel.exe is still being launched by your boot.ini.
You'll need to edit the references out of boot.ini if you want it to disappear from the lsass call stack.
0
 
johnb6767Commented:
Autoruns for Windows v9.39
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

See if you can find it here......

You can save a logfile of Autoruns as a .arn file. Just rename it to .txt, and attach it here if you need help.....

And have you confirmed that it actually did belong to TuneUp utilities and not a virus?
0
 
SaduffAuthor Commented:
I suspect it's not the TUKERNEL.EXE, but hal.dll, because when the lag goes away, it disappears from the call stack, but TUKERNEL.EXE stays there.
0
 
SaduffAuthor Commented:
Ok, now I don't have TUKERNEL.EXE in the stack, but it still happens. Now I got a stack like this, when the lag occurred:

ntkrnlpa.exe!KiUnexpectedInterrupt+0x121
ntkrnlpa.exe!ZwYieldExecution+0x1c8e
hal.dll+0x2ef2
ADVAPI32.dll!A_SHAFinal+0xcf
ADVAPI32.dll!A_SHAFinal+0x8f
LSASRV.dll!LsaIWriteAuditEvent+0x2f93
LSASRV.dll!LsaIWriteAuditEvent+0x279a
LSASRV.dll!LsaIWriteAuditEvent+0x2644
LSASRV.dll+0x8cb3b
LSASRV.dll+0x8dcaf
LSASRV.dll!DsRolerDcAsDc+0xcb2e
LSASRV.dll!LsarSetSecret+0xd5b5
LSASRV.dll+0x914d5
LSASRV.dll!LsarSetSecret+0xd7c3
LSASRV.dll!LsarSetSecret+0xdb42
LSASRV.dll!LsaIRegisterNotification+0x166f
ntdll.dll!RtlSetEnvironmentVariable+0x30a
ntdll.dll!RtlSetEnvironmentVariable+0x34b
ntdll.dll!RtlSetEnvironmentVariable+0x40d
ntdll.dll!RtlSetEnvironmentVariable+0x3e4
kernel32.dll!GetModuleFileNameA+0x1b4

And when the lag went away, I got a stack like this:

ntkrnlpa.exe!KiUnexpectedInterrupt+0xbc
ntkrnlpa.exe!PsDereferencePrimaryToken+0x342
ntdll.dll!KiFastSystemCallRet
kernel32.dll!GetModuleFileNameA+0x1b4
0
 
manav08Commented:
Can you tell me what type of CPU and RAM you have on this PC??
0
 
manav08Commented:
Try running CCleaner, BEClean, ATF Cleaner and finally COMBO FIX.
CCleaner will get rid of invalid registry entries.
BeClean will do the same
ATF Cleaner will free up some TEMP files and
COMBO FIX will remove unwanted threads, viruses.

If you do a google search you will find all these tools. Let me know how you go.
Make sure you turn off SYSTEM RESTORE before you run these tools.
0
 
johnb6767Commented:
LsaIWriteAuditEvent

The purpose of this, if I am not mistaken, is to write an event to the Security log. Are you auditing file/folder objects?

Maybe the Security log is corrupted?

Fix Corrupt Event Log Files
http://technet.microsoft.com/en-us/library/bb457024.aspx
0
 
SaduffAuthor Commented:
I have Intel(R) Core(TM)2 Duo CPU     E6750  @ 2.66GHz and 2029,5 MB of RAM.

I ran all these tools (except Combo Fix, as it seemed like a strange program).

I don't even have any security logs, but I still cleaned it.
0
 
manav08Commented:
Combo Fix is a very renowned tool for ROOTKIT and MALWARE cleaning. I suggest you run it as it unhides all hidden viruses, processes. Also try running SMITFRAUD and see if it makes any difference.
0
 
johnb6767Commented:
You should always have security logs......

Start>run>eventvwr.msc> What logs do you have?
0
 
SaduffAuthor Commented:
Yes, I have Application, Security, System, DriverScanner, Internet Explorer and Tuneup logs, but if I click on the Security, I don't have any events there.
0
 
johnb6767Commented:
Right click it>Clear, and don't save... Does it leave an entry showing you cleared it?
0
 
SaduffAuthor Commented:
Yes, I already did that..

I have been increasing points, it's 50 points now.
0
 
SaduffAuthor Commented:
Could the problem be maybe with FileZilla Server, because I'm running an FTP server on this machine and maybe this FTP server wants authentication.
0
 
johnb6767Commented:
Worth a try to disable.......

Just seems odd that you aren't getting any regular events to the Sec Log....

Starting to think viral/rootkit now........

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply using the "Attach Code Snippet" or "Attach File".
Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
 
johnb6767Commented:
GMER
http://www.gmer.net 

See what this one finds.....

0
 
SaduffAuthor Commented:
I actually did that ComboFix scan before, but now I did it again, so I got 2 logs now...
ComboFix----1st-scan.txt
ComboFix----2nd-scan.txt
0
 
manav08Commented:
Hi Saduff,

Combofix logs look all good. Let's get back to some basics first -

1. Did you have Norton Antivirus ever installed on your system before? I mean when it came with factory image.
2. Can you turn off WINDOWS INDEXING SERVICE as per guide http://www.mydigitallife.info/2007/09/18/turn-off-and-disable-search-indexing-service-in-windows-xp/ and observe if it makes any difference in CPU consumption.
3. Can you perhaps post a screen shot of STARTUP ITEMS in your "msconfig". We will need to stop a few programs from launching at startup and troubleshoot.

Let me know how you go with these 3 steps.
0
 
SaduffAuthor Commented:
1. No, I have never had Norton Antivirus installed.
2. Going to do that soon, testing takes some time (as I have to play for some time).
3. Screen shot attached.
startup.jpg
0
 
manav08Commented:
OK Disable the following items from your startup -

1. NvCPL
2. nwiz
3. Nerocheck
4. nvmctray
5. Physical Memory (do you know what this process is for?? it looks dodgy)
6. ctfmon
7. hpoddt01.exe

Disable all of the above. Restart your PC and see if it makes any difference.
0
 
SaduffAuthor Commented:
That Physical Memory is an application coded by me in VB .NET

It's using a timer to update available physical memory and CPU usage.
0
 
johnb6767Commented:
Why do you need an app to do this when the Task Manager does it already? Are you using it to Free Memory?
0
 
manav08Commented:
SADUFF. Did you see any improvement when you disabled windows index service and those items above from start-up??
0
 
SaduffAuthor Commented:
No, this app doesn't free memory. It's for seeing available physical memory and CPU usage quickly, without having to press a key combination for task manager to pop up.

OK, I disabled windows indexing service and these items from start up and I also stopped my FTP server, but it still happens..
This time, I got a stack like this:

ntkrnlpa.exe!KiUnexpectedInterrupt+0x121
ntkrnlpa.exe!ZwYieldExecution+0x1c8e
hal.dll+0x2ef2
ADVAPI32.dll!RegEnumValueA+0xe18

and when lsass.exe was 0%, I got a stack like this:

ntkrnlpa.exe!KiUnexpectedInterrupt+0x121
ntkrnlpa.exe!ZwYieldExecution+0x1c8e
ntkrnlpa.exe!ZwYieldExecution+0x2570
ntkrnlpa.exe!IoSetIoCompletion+0x2c9
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
ntdll.dll!KiFastSystemCallRet
kernel32.dll!GetModuleFileNameA+0x1b4
0
 
manav08Commented:
At the time the lag happens, can you check in your task manager which process consumes MAXIMUM MEMORY. Just trying to assess if it is a memory leak scenario or not..
0
 
SaduffAuthor Commented:
The game's executable consumes maximum memory.
0
 
manav08Commented:
Well, then obviously one of the DLLs of the game is linking up to lsass.exe and causing a memory leak. I suggest uninstalling and reinstalling the game with the latest version might fix it.
What sort of RAM is it using??
0
 
johnb6767Commented:
Using Process Explorer from above, highlight lsass.exe, and look at the lower pane (might need to enable it, under View>Show Lower Pane, and hit the Show DLLs button on the toolbar...)

Any modules that belong to your game?
0
 
SaduffAuthor Commented:
I don't think it has anything to do with a specific game, because it doesn't matter what game I play (it still lags). And this does NOT happen ONLY while playing games. It also happens in windows, but it doesn't make the computer slower, so I have no sign that something is wrong.
0
 
johnb6767Commented:
ntkrnlpa.exe!KiUnexpectedInterrupt+0x121 <~~~~~~ Indicates the call stack is corrupted by a loaded module...
ntkrnlpa.exe!ZwYieldExecution+0x1c8e
ntkrnlpa.exe!ZwYieldExecution+0x2570
ntkrnlpa.exe!IoSetIoCompletion+0x2c9
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74 <~~~ I think this is a device driver related call....
ntdll.dll!KiFastSystemCallRet
kernel32.dll!GetModuleFileNameA+0x1b4

You might need to start looking at uninstalling devices in your machine, and reinstall them with the very latest drivers from the mfgr.....
0
 
SaduffAuthor Commented:
My drivers should be all updated..
I have checked with Uniblue's DriverScanner 2009 and with DriverAgent..

Increased points to 100...
0
 
johnb6767Commented:
I would still uninstall, and reinstall drivers.....Might be a configuration problem in the registry......

Have you done an SFC as well?

Start>run>cmd.exe

sfc /purgecache
sfc /scannow

You WILL need the XP CD for this to complete...

Scannow sfc
http://www.updatexp.com/scannow-sfc.html

What's the make/model of this PC?
0
 
SaduffAuthor Commented:
OK, I did it now, but no help...
0
 
SaduffAuthor Commented:
I also get a high CPU usage (50-80%) on Windows start up...

This time I decided to look with task manager, what process is taking all that CPU and you guessed it, it's lsass.exe (50%).
0
 
manav08Commented:
Okay Saduff,

I am running out of answers here. Probably try this. Make sure that you have the latest drivers for everything installed in your system. A real good utility for this is - DriverMax (http://www.innovative-sol.com/drivermax/) which happens to be free (Registration Required).
It scans your entire system for installed drivers and gives you download link for the updates. Let me know how you go..
0
 
johnb6767Commented:
If we already mentioned this one, forgive me.....

Have you tried a BRAND NEW user account? If you don't have one, make one for testing.....
0
 
SaduffAuthor Commented:
DriverMax is a very good program indeed.. I did have some out of date drivers and I updated them all...

And no, I haven't tried a new user account...
0
 
johnb6767Commented:
Would be worth trying..... Especially at this point where we are running out of options.....
0
 
SaduffAuthor Commented:
OK, I tested it, but even with a brand new user account, it still happens...

But one thing was strange.. right after lsass.exe was 0% I tried to log off and then IDT (Sigmatel) Audio was not responding and I had to press end now to log off...
0
 
johnb6767Commented:
Disable the sound card, in the BIOS/Device Manager, and then reboot and retest.. You might be on to something......
0
 
SaduffAuthor Commented:
OK, I disabled the sound card, rebooted and retested, but it still happened..

This time it logged off immediately, without any hanging applications.
0
 
manav08Commented:
BitDefender is the worst available software. It is full of bugs and problems.
0
 
SaduffAuthor Commented:
BitDefender at least detects viruses quite good. It was first in toptenreviews.com.

I had BitDefender Total Security 2008 before and this one had no problems.
Now the new product Bitdefender GameSafe is much faster than Total Security 2008 or 2009 and even a lot better in my opinion. With this one I also have no problems.
0
 
johnb6767Commented:
One of the downsides to all these AV reviews, is that what works well for one person/entity, might not do great for others. Plus, people in the industry have their own war stories of a mfgr's app, and that tends to weigh in on comments in these types of discussions. As long as it works for you, that's all that matters....
0
 
manav08Commented:
Try AVIRA. It seems to be the best rated one these days..
0