Solved

lsass.exe causes constant hard drive activity

Posted on 2009-04-06
15
2,882 Views
Last Modified: 2012-06-27
Hard drive led keeps blinking constantly 24/7 every second.

Clean Install of Vista Ultimate with latest Windows Updates, No Activity, No Internet Connection, no Third Party software is installed

Same issue found on the second computer running Vista, which is on completely different hardware

Ran Task Manager with I/O read,write columns enabled.
Found that lsass.exe is the only process which reads and writes a LOT.
R/W bytes are changing at the same time when the Hard Drive led is blinking
So I found this process, GOOD!

Installed Process Monitor from Sysinternals and confirmed that lsass.exe is trying to access the Registry every second with the same number of commands (loop) (see Attached Code Snippet)

Searched through whole Google & EE, no one has a solution to this problem.
Some people say that it's normal behavior.

Well here are my concerns:
- My HDD's lifetime is going down faster
- It's bringing down my HDD's performance (very little but still)
- LED is blinking all the time - it's very annoying
- Something is not right

Question - What is this? =)
9:16:04,9627235	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9627747	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9628154	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9628513	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9628838	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9629178	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9629516	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9632074	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS	
9:16:04,9633362	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9633742	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9634084	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9634405	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9634703	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9635036	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9635360	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9637515	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS

Open in new window

0
Comment
Question by:rknetwork
  • 8
  • 2
  • 2
  • +2
15 Comments
 
LVL 92

Expert Comment

by:nobus
ID: 24084548
did you install all drivers for the motherboard ?
no errors in device manager?
test your disk and ram for a start
ram : www.memtest.org
disk : http://www.tacktech.com/display.cfm?ttid=287
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24084726
All tested, latest drivers.

This got nothing to do with the hardware, software is causing this activity.
0
 
LVL 92

Expert Comment

by:nobus
ID: 24085751
ok then - that's not my league...
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 
LVL 9

Expert Comment

by:Sander Stad
ID: 24104778
You could try tu use Proces Monitor. It's not an easy program but you'll get it to work.
You can download it at: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx
 
 With this program you can see what the lsass proces is doing and maybe find the culprit that's causing all the I/O.
I've seen programs like GMail Notifier that caused this to happen.

Good luck
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24106902
sstad, you did not read my question at all
0
 
LVL 9

Expert Comment

by:Sander Stad
ID: 24107134
Ow my mistake. I was busy answering another question with the same subject.
Sorry
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126115
This issue is hard to resolve and it becomes pain in the a..
Only real solutions please.  I know that this behavour is NOT normal.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24126142
Hi rknetwork,

Have you ran any Anti-Virus applications? According to Symantec it's W32.Nimos.Worm or W32.HLLW.Lovgate.C@mm. McAfee W32.Sasser.E.Worm (Lsasss.exe)
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126320
No Viruses found
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24128977
This issue is related to CD-ROM and NOT related to lsass.exe

Disabled CD-ROM (through Device Manger) and light stopped blinking (lsass.exe kept running same way)

CD-ROM is UJ230AS and it's working properly

Updated firmware of it, updated driver, disabled autorun (completely), but HDD light is still blinking

There is something in OS what causes this to happen (and it's NOT lsass.exe)

With different OS (even with BartPE) - no issues at all
0
 
LVL 6

Accepted Solution

by:
rknetwork earned 0 total points
ID: 24129858
Found how to fix it. You need to disable AutoRun option in the registry.

http://it.angarka.ru/viewtopic.php?f=3&t=3
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24633125
I understand you have found a solution to the problem, but I would question the need to disable Autorun because lsass.exe aka the  "Local Security Authentication Server" is eating up all your resources
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24636451
DJM2009, your problem got nothing to do with mine
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24642326
Sorry, maybe I wasnt clear, I dont have a problem. I was just saying I cant understand why you would need to disable Autorun to stop the local security authentication server process from causing excessive HD usage.
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24644206
Correction:

lsass.exe had nothing to do with the constant hard drive activity, however lsass.exe was acting up EXACTLY at the same time when activity led was coming up. EXACTLY in the same millisecond (counted). It still does, but disabling Autorun fixed the led.

I think it's a reasonable confusion.

Thanks.
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question