lsass.exe causes constant hard drive activity

Hard drive led keeps blinking constantly 24/7 every second.

Clean Install of Vista Ultimate with latest Windows Updates, No Activity, No Internet Connection, no Third Party software is installed

Same issue found on the second computer running Vista, which is on completely different hardware

Ran Task Manager with I/O read,write columns enabled.
Found that lsass.exe is the only process which reads and writes a LOT.
R/W bytes are changing at the same time when the Hard Drive led is blinking
So I found this process, GOOD!

Installed Process Monitor from Sysinternals and confirmed that lsass.exe is trying to access the Registry every second with the same number of commands (loop) (see Attached Code Snippet)

Searched through whole Google & EE, no one has a solution to this problem.
Some people say that it's normal behavior.

Well here are my concerns:
- My HDD's lifetime is going down faster
- It's bringing down my HDD's performance (very little but still)
- LED is blinking all the time - it's very annoying
- Something is not right

Question - What is this? =)
9:16:04,9627235	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9627747	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9628154	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9628513	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9628838	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9629178	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9629516	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9632074	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS	
9:16:04,9633362	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9633742	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9634084	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9634405	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9634703	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9635036	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9635360	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9637515	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS

Open in new window

LVL 6
rknetworkAsked:
Who is Participating?
 
rknetworkConnect With a Mentor Author Commented:
Found how to fix it. You need to disable AutoRun option in the registry.

http://it.angarka.ru/viewtopic.php?f=3&t=3
0
 
nobusCommented:
did you install all drivers for the motherboard ?
no errors in device manager?
test your disk and ram for a start
ram : www.memtest.org
disk : http://www.tacktech.com/display.cfm?ttid=287
0
 
rknetworkAuthor Commented:
All tested, latest drivers.

This got nothing to do with the hardware, software is causing this activity.
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
nobusCommented:
ok then - that's not my league...
0
 
Sander StadSysteemontwikkelaar, Database AdministratorCommented:
You could try tu use Proces Monitor. It's not an easy program but you'll get it to work.
You can download it at: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx
 
 With this program you can see what the lsass proces is doing and maybe find the culprit that's causing all the I/O.
I've seen programs like GMail Notifier that caused this to happen.

Good luck
0
 
rknetworkAuthor Commented:
sstad, you did not read my question at all
0
 
Sander StadSysteemontwikkelaar, Database AdministratorCommented:
Ow my mistake. I was busy answering another question with the same subject.
Sorry
0
 
rknetworkAuthor Commented:
This issue is hard to resolve and it becomes pain in the a..
Only real solutions please.  I know that this behavour is NOT normal.
0
 
skywalker39Commented:
Hi rknetwork,

Have you ran any Anti-Virus applications? According to Symantec it's W32.Nimos.Worm or W32.HLLW.Lovgate.C@mm. McAfee W32.Sasser.E.Worm (Lsasss.exe)
0
 
rknetworkAuthor Commented:
No Viruses found
0
 
rknetworkAuthor Commented:
This issue is related to CD-ROM and NOT related to lsass.exe

Disabled CD-ROM (through Device Manger) and light stopped blinking (lsass.exe kept running same way)

CD-ROM is UJ230AS and it's working properly

Updated firmware of it, updated driver, disabled autorun (completely), but HDD light is still blinking

There is something in OS what causes this to happen (and it's NOT lsass.exe)

With different OS (even with BartPE) - no issues at all
0
 
DJM2009Commented:
I understand you have found a solution to the problem, but I would question the need to disable Autorun because lsass.exe aka the  "Local Security Authentication Server" is eating up all your resources
0
 
rknetworkAuthor Commented:
DJM2009, your problem got nothing to do with mine
0
 
DJM2009Commented:
Sorry, maybe I wasnt clear, I dont have a problem. I was just saying I cant understand why you would need to disable Autorun to stop the local security authentication server process from causing excessive HD usage.
0
 
rknetworkAuthor Commented:
Correction:

lsass.exe had nothing to do with the constant hard drive activity, however lsass.exe was acting up EXACTLY at the same time when activity led was coming up. EXACTLY in the same millisecond (counted). It still does, but disabling Autorun fixed the led.

I think it's a reasonable confusion.

Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.