Solved

lsass.exe causes constant hard drive activity

Posted on 2009-04-06
Last Modified: 2012-06-27
Hard drive LED keeps blinking constantly 24/7 every second.

Clean Install of Vista Ultimate with latest Windows Updates, No Activity, No Internet Connection, no Third Party software is installed

Same issue found on the second computer running Vista, which is on completely different hardware

Ran Task Manager with I/O read,write columns enabled.
Found that lsass.exe is the only process which reads and writes a LOT.
R/W bytes are changing at the same time when the hard drive LED is blinking
So I found this process, GOOD!

Installed Process Monitor from Sysinternals and confirmed that lsass.exe is trying to access the Registry every second with the same number of commands (loop) (see Attached Code Snippet)

Searched through whole Google & EE, no one has a solution to this problem.
Some people say that it's normal behavior.

Well here are my concerns:
- My HDD's lifetime is going down faster
- It's bringing down my HDD's performance (very little but still)
- LED is blinking all the time - it's very annoying
- Something is not right

Question - What is this? =)

9:16:04,9627235	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9627747	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9628154	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9628513	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS
9:16:04,9628838	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9629178	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9629516	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS
9:16:04,9632074	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS
9:16:04,9633362	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9633742	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9634084	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9634405	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS
9:16:04,9634703	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9635036	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9635360	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS
9:16:04,9637515	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS

Question by:rknetwork
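
One way to check the "loop" claim in the Process Monitor capture above, as an added example that is not part of the original thread: it parses tab-separated lines in the capture's column order, finds the repeat length, and checks that each BUFFER OVERFLOW size probe is followed by a successful read and that every opened key is closed. The sample lines are constructed to mirror the capture, and the function names are assumptions.

```python
from collections import Counter

# Constructed sample: one polling cycle in the column layout of the capture
# above (time, process, PID, operation, path, result), repeated three times.
POLICY = r"HKLM\SECURITY\Policy"
SECDESC = POLICY + r"\SecDesc"
VALUE = SECDESC + r"\(Default)"
CYCLE = [
    ("RegOpenKey", POLICY, "SUCCESS"),
    ("RegOpenKey", SECDESC, "SUCCESS"),
    ("RegQueryValue", VALUE, "BUFFER OVERFLOW"),
    ("RegCloseKey", SECDESC, "SUCCESS"),
    ("RegOpenKey", SECDESC, "SUCCESS"),
    ("RegQueryValue", VALUE, "SUCCESS"),
    ("RegCloseKey", SECDESC, "SUCCESS"),
    ("RegCloseKey", POLICY, "SUCCESS"),
]
SAMPLE = "\n".join(
    "\t".join((f"9:16:{4 + n // 8:02d},{n:07d}", "lsass.exe", "800") + ev)
    for n, ev in enumerate(CYCLE * 3))

def parse(text):
    """Return (operation, path, result) for each well-formed line."""
    rows = (line.split("\t") for line in text.splitlines())
    return [tuple(c[3:6]) for c in rows if len(c) >= 6]

def find_period(events):
    """Smallest p such that the sequence repeats every p events, else None."""
    for p in range(1, len(events) // 2 + 1):
        if all(a == b for a, b in zip(events, events[p:])):
            return p
    return None

def unmatched_overflows(events):
    """BUFFER OVERFLOW size probes never followed by a SUCCESS read."""
    pending = Counter()
    for op, path, result in events:
        if op == "RegQueryValue" and result == "BUFFER OVERFLOW":
            pending[path] += 1
        elif op == "RegQueryValue" and result == "SUCCESS" and pending[path]:
            pending[path] -= 1
    return sum(pending.values())

def leaked_keys(events):
    """Keys opened more often than closed within the capture."""
    bal = Counter()
    for op, path, _ in events:
        if op in ("RegOpenKey", "RegCloseKey"):
            bal[path] += 1 if op == "RegOpenKey" else -1
    return {k: v for k, v in bal.items() if v > 0}
```

A period of 8 with no unmatched probes and no leaked keys describes a steady poll of one value: the first query learns the required buffer size and the second reads the data.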
15 Comments
 
LVL 91

Expert Comment

by:nobus
ID: 24084548
Did you install all drivers for the motherboard?
No errors in Device Manager?
Test your disk and RAM for a start
ram : www.memtest.org
disk : http://www.tacktech.com/display.cfm?ttid=287
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24084726
All tested, latest drivers.

This has nothing to do with the hardware; software is causing this activity.
0
 
LVL 91

Expert Comment

by:nobus
ID: 24085751
ok then - that's not my league...
0
 
LVL 9

Expert Comment

by:Sander Stad
ID: 24104778
You could try to use Process Monitor. It's not an easy program but you'll get it to work.
You can download it at: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx

With this program you can see what the lsass process is doing and maybe find the culprit that's causing all the I/O.
I've seen programs like GMail Notifier that caused this to happen.

Good luck
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24106902
sstad, you did not read my question at all
0
 
LVL 9

Expert Comment

by:Sander Stad
ID: 24107134
Oh, my mistake. I was busy answering another question with the same subject.
Sorry
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126115
This issue is hard to resolve and it becomes a pain in the a..
Only real solutions please. I know that this behavior is NOT normal.
0

 
LVL 8

Expert Comment

by:skywalker39
ID: 24126142
Hi rknetwork,

Have you run any Anti-Virus applications? According to Symantec it's W32.Nimos.Worm or W32.HLLW.Lovgate.C@mm. McAfee W32.Sasser.E.Worm (Lsasss.exe)
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126320
No Viruses found
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24128977
This issue is related to CD-ROM and NOT related to lsass.exe

Disabled CD-ROM (through Device Manager) and light stopped blinking (lsass.exe kept running same way)

CD-ROM is UJ230AS and it's working properly

Updated firmware of it, updated driver, disabled autorun (completely), but HDD light is still blinking

There is something in the OS that causes this to happen (and it's NOT lsass.exe)

With different OS (even with BartPE) - no issues at all
0
 
LVL 6

Accepted Solution

by:
rknetwork earned 0 total points
ID: 24129858
Found how to fix it. You need to disable AutoRun option in the registry.

http://it.angarka.ru/viewtopic.php?f=3&t=3
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24633125
I understand you have found a solution to the problem, but I would question the need to disable Autorun because lsass.exe aka the "Local Security Authentication Server" is eating up all your resources
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24636451
DJM2009, your problem has nothing to do with mine
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24642326
Sorry, maybe I wasn't clear, I don't have a problem. I was just saying I can't understand why you would need to disable Autorun to stop the local security authentication server process from causing excessive HD usage.
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24644206
Correction:

lsass.exe had nothing to do with the constant hard drive activity; however, lsass.exe was acting up EXACTLY at the same time when the activity LED was coming up. EXACTLY in the same millisecond (counted). It still does, but disabling Autorun fixed the LED.

I think it's a reasonable confusion.

Thanks.
0
