Solved

lsass.exe causes constant hard drive activity

Posted on 2009-04-06
15
2,864 Views
Last Modified: 2012-06-27
Hard drive led keeps blinking constantly 24/7 every second.

Clean Install of Vista Ultimate with latest Windows Updates, No Activity, No Internet Connection, no Third Party software is installed

Same issue found on the second computer running Vista, which is on completely different hardware

Ran Task Manager with I/O read,write columns enabled.
Found that lsass.exe is the only process which reads and writes a LOT.
R/W bytes are changing at the same time when the Hard Drive led is blinking
So I found this process, GOOD!

Installed Process Monitor from Sysinternals and confirmed that lsass.exe is trying to access the Registry every second with the same number of commands (loop) (see Attached Code Snippet)

Searched through whole Google & EE, no one has a solution to this problem.
Some people say that it's normal behavior.

Well here are my concerns:
- My HDD's lifetime is going down faster
- It's bringing down my HDD's performance (very little but still)
- LED is blinking all the time - it's very annoying
- Something is not right

Question - What is this? =)
9:16:04,9627235	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9627747	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9628154	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9628513	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9628838	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9629178	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9629516	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9632074	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS	
9:16:04,9633362	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy	SUCCESS	Desired Access: Read/Write
9:16:04,9633742	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9634084	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
9:16:04,9634405	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9634703	lsass.exe	800	RegOpenKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	Desired Access: Read
9:16:04,9635036	lsass.exe	800	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	SUCCESS	Type: REG_NONE, Length: 200, Data: 01 00 04 80 AC 00 00 00 BC 00 00 00 00 00 00 00
9:16:04,9635360	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy\SecDesc	SUCCESS	
9:16:04,9637515	lsass.exe	800	RegCloseKey	HKLM\SECURITY\Policy	SUCCESS

Open in new window

0
Comment
Question by:rknetwork
  • 8
  • 2
  • 2
  • +2
15 Comments
 
LVL 92

Expert Comment

by:nobus
ID: 24084548
did you install all drivers for the motherboard ?
no errors in device manager?
test your disk and ram for a start
ram : www.memtest.org
disk : http://www.tacktech.com/display.cfm?ttid=287
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24084726
All tested, latest drivers.

This got nothing to do with the hardware, software is causing this activity.
0
 
LVL 92

Expert Comment

by:nobus
ID: 24085751
ok then - that's not my league...
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 9

Expert Comment

by:Sander Stad
ID: 24104778
You could try tu use Proces Monitor. It's not an easy program but you'll get it to work.
You can download it at: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx
 
 With this program you can see what the lsass proces is doing and maybe find the culprit that's causing all the I/O.
I've seen programs like GMail Notifier that caused this to happen.

Good luck
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24106902
sstad, you did not read my question at all
0
 
LVL 9

Expert Comment

by:Sander Stad
ID: 24107134
Ow my mistake. I was busy answering another question with the same subject.
Sorry
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126115
This issue is hard to resolve and it becomes pain in the a..
Only real solutions please.  I know that this behavour is NOT normal.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24126142
Hi rknetwork,

Have you ran any Anti-Virus applications? According to Symantec it's W32.Nimos.Worm or W32.HLLW.Lovgate.C@mm. McAfee W32.Sasser.E.Worm (Lsasss.exe)
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24126320
No Viruses found
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24128977
This issue is related to CD-ROM and NOT related to lsass.exe

Disabled CD-ROM (through Device Manger) and light stopped blinking (lsass.exe kept running same way)

CD-ROM is UJ230AS and it's working properly

Updated firmware of it, updated driver, disabled autorun (completely), but HDD light is still blinking

There is something in OS what causes this to happen (and it's NOT lsass.exe)

With different OS (even with BartPE) - no issues at all
0
 
LVL 6

Accepted Solution

by:
rknetwork earned 0 total points
ID: 24129858
Found how to fix it. You need to disable AutoRun option in the registry.

http://it.angarka.ru/viewtopic.php?f=3&t=3
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24633125
I understand you have found a solution to the problem, but I would question the need to disable Autorun because lsass.exe aka the  "Local Security Authentication Server" is eating up all your resources
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24636451
DJM2009, your problem got nothing to do with mine
0
 
LVL 1

Expert Comment

by:DJM2009
ID: 24642326
Sorry, maybe I wasnt clear, I dont have a problem. I was just saying I cant understand why you would need to disable Autorun to stop the local security authentication server process from causing excessive HD usage.
0
 
LVL 6

Author Comment

by:rknetwork
ID: 24644206
Correction:

lsass.exe had nothing to do with the constant hard drive activity, however lsass.exe was acting up EXACTLY at the same time when activity led was coming up. EXACTLY in the same millisecond (counted). It still does, but disabling Autorun fixed the led.

I think it's a reasonable confusion.

Thanks.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PerfMon Report Time Out 6 29
Slow Restore if incremental backups using RDiff.exe 4 21
Unable to Uninstall Visual Studio 2015 7 28
sql server service accounts 4 30
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question