?
Solved

lsass.exe causes constant hard drive activity

Posted on 2009-04-06
15
Medium Priority
?
2,904 Views
Last Modified: 2012-06-27
Hard drive led keeps blinking constantly 24/7 every second.

Clean Install of Vista Ultimate with latest Windows Updates, No Activity, No Internet Connection, no Third Party software is installed

Same issue found on the second computer running Vista, which is on completely different hardware

Ran Task Manager with I/O read,write columns enabled.
Found that lsass.exe is the only process which reads and writes a LOT.
R/W bytes are changing at the same time when the Hard Drive led is blinking
So I found this process, GOOD!

Installed Process Monitor from Sysinternals and confirmed that lsass.exe is trying to access the Registry every second with the same number of commands (loop) (see Attached Code Snippet)

Searched through whole Google & EE, no one has a solution to this problem.
Some people say that it's normal behavior.

Well here are my concerns:
- My HDD's lifetime is going down faster
- It's bringing down my HDD's performance (very little but still)
- LED is blinking all the time - it's very annoying
- Something is not right

Question - What is this? =)
9:16:04,9627235	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9627747	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9628154	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9628513	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9628838	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9629178	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9629516	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9632074	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS	
9:16:04,9633362	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9633742	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9634084	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9634405	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9634703	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9635036	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9635360	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9637515	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS

Open in new window

0
Comment
Question by:rknetwork
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 2
  • 2
  • +2
15 Comments
 
LVL 92

Expert Comment

by:nobus
ID: 24084548
did you install all drivers for the motherboard ?
no errors in device manager?
test your disk and ram for a start
ram : www.memtest.org
disk : http://www.tacktech.com/display.cfm?ttid=287
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24084726
All tested, latest drivers.

This got nothing to do with the hardware, software is causing this activity.
0
 
LVL 92

Expert Comment

by:nobus
ID: 24085751
ok then - that's not my league...
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 9

Expert Comment

by:Sander Stad
ID: 24104778
You could try tu use Proces Monitor. It's not an easy program but you'll get it to work.
You can download it at: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx
 
 With this program you can see what the lsass proces is doing and maybe find the culprit that's causing all the I/O.
I've seen programs like GMail Notifier that caused this to happen.

Good luck
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24106902
sstad, you did not read my question at all
0
 
LVL 9

Expert Comment

by:Sander Stad
ID: 24107134
Ow my mistake. I was busy answering another question with the same subject.
Sorry
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126115
This issue is hard to resolve and it becomes pain in the a..
Only real solutions please.  I know that this behavour is NOT normal.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24126142
Hi rknetwork,

Have you ran any Anti-Virus applications? According to Symantec it's W32.Nimos.Worm or W32.HLLW.Lovgate.C@mm. McAfee W32.Sasser.E.Worm (Lsasss.exe)
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126320
No Viruses found
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24128977
This issue is related to CD-ROM and NOT related to lsass.exe

Disabled CD-ROM (through Device Manger) and light stopped blinking (lsass.exe kept running same way)

CD-ROM is UJ230AS and it's working properly

Updated firmware of it, updated driver, disabled autorun (completely), but HDD light is still blinking

There is something in OS what causes this to happen (and it's NOT lsass.exe)

With different OS (even with BartPE) - no issues at all
0
 
LVL 6

Accepted Solution

by:
rknetwork earned 0 total points
ID: 24129858
Found how to fix it. You need to disable AutoRun option in the registry.

http://it.angarka.ru/viewtopic.php?f=3&t=3
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24633125
I understand you have found a solution to the problem, but I would question the need to disable Autorun because lsass.exe aka the  "Local Security Authentication Server" is eating up all your resources
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24636451
DJM2009, your problem got nothing to do with mine
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24642326
Sorry, maybe I wasnt clear, I dont have a problem. I was just saying I cant understand why you would need to disable Autorun to stop the local security authentication server process from causing excessive HD usage.
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24644206
Correction:

lsass.exe had nothing to do with the constant hard drive activity, however lsass.exe was acting up EXACTLY at the same time when activity led was coming up. EXACTLY in the same millisecond (counted). It still does, but disabling Autorun fixed the led.

I think it's a reasonable confusion.

Thanks.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question