lsass.exe - memory leak using poolmon

c00kie88
Hi all,

I'm trying to understand poolmon output to determine whether there is a memory leak in lsass.exe, since lsass.exe memory usage keeps increasing.
From doing some research, my understanding is that I have to examine the Diff (allocations minus frees) and Bytes (number of bytes allocated minus number of bytes freed) values for each tag, and note any that continually increase.

When I checked the result, why does it have negative values? (See the attached.) What does it mean?

Thank you
253.txt
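
The comparison described in the question (watch Diff and Bytes per tag across snapshots and note any that continually increase), as an added example that is not part of the original thread. It assumes snapshots saved as text in a simplified Tag/Type/Allocs/Frees/Diff/Bytes layout; the sample rows and tag names are constructed, and negative readings are only listed for review, not interpreted.

```python
import re

# Constructed sample: three snapshots in an assumed, simplified layout
# (Tag Type Allocs Frees Diff Bytes). The tags are made up.
SNAPSHOTS = [
    """Tag  Type  Allocs Frees Diff Bytes
AbcD Paged 12000 11000 1000 512000
EfgH Nonp  5000  4990  10   4096
IjkL Paged 900   1000  -100 -25600""",
    """Tag  Type  Allocs Frees Diff Bytes
AbcD Paged 15000 13500 1500 768000
EfgH Nonp  5200  5191  9    3686
IjkL Paged 950   1060  -110 -28160""",
    """Tag  Type  Allocs Frees Diff Bytes
AbcD Paged 19000 17000 2000 1024000
EfgH Nonp  5400  5390  10   4096
IjkL Paged 1000  1120  -120 -30720""",
]

ROW = re.compile(r"^(\S{1,4})\s+(Paged|Nonp)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)$")

def parse_snapshot(text):
    """Return {(tag, pool_type): (diff, bytes)}; header and other lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            tag, pool, _allocs, _frees, diff, nbytes = m.groups()
            rows[(tag, pool)] = (int(diff), int(nbytes))
    return rows

def analyse(snapshots):
    """Return (growing, negative): tags whose Bytes rose in every interval
    (mapped to total growth), and tags with any negative Diff or Bytes."""
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots to see a trend")
    parsed = [parse_snapshot(s) for s in snapshots]
    common = set(parsed[0]).intersection(*parsed[1:])
    growing, negative = {}, set()
    for key in sorted(common):
        series = [p[key] for p in parsed]
        if any(d < 0 or b < 0 for d, b in series):
            negative.add(key)  # listed separately, not counted as growth
            continue
        sizes = [b for _, b in series]
        if all(a < b for a, b in zip(sizes, sizes[1:])):
            growing[key] = sizes[-1] - sizes[0]
    return growing, negative
```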
The question is somehow confusing; the authentication service (Isass.exe) is for the verification of users on either a PC or a server. I had a similar problem and the processor was hitting 100%. I found that my real isass.exe had been renamed by a virus and instead the virus was running on the machine as isass.exe. I was unable to do any activity due to this executable file. Check the same in your case.

Author

Commented:
Hi Bawer,

I have run AVG antivirus but nothing was found. At the moment, the lsass.exe memory usage is over 1GB. When I checked yesterday, it was around 950MB.
I'm a bit concerned since the lsass.exe memory usage keeps increasing. And today is Saturday and nobody is working in the office.

True, AV will not help find it, since these are main OS services; when a virus takes over the OS services, it acts like the real ones, so in this case,

Before following the workaround, check the following too.

msconfig: make sure only necessary services are running, or send a screenshot and I will select them for you. Second, run SFC /SCANNOW, which will help fix many serious Windows issues.

If all did not help:

Workaround:
Kill the process from the Task Manager in case it is running in debug mode.
Copy the Isass from another machine's c:\windows\system32, then boot your machine to debug mode and rename the existing isass.exe, then place the one you copied from the similar type of OS machine. Start the computer in normal mode and check that it does not consume more than 8 MB.

Author

Commented:
Hi Bawer,

The system has crashed :( It has been restarted and lsass.exe is 45 MB now.

The system is Windows 2003 32, running DC and Exchange.

Will let you know more next week.

See attached for the msconfig. I don't know what regsvr32 /s mqrt is for.
msconfig.PNG

What was the reason for the crash?

From the MSCONFIG, remove the Re-Rite6 and the Schedhlp.

"regsvr32 /s mqrt.dll
    This command is used to register Microsoft Message Queue
    DLL. MSMQ is installed as part of Microsoft Personal Web Server.
    Accept this change. "

I do not consider this to be running in the startup; you may un-tick the same and restart the machine. Make sure you have the latest backups since the crash is not a good sign.

Author

Commented:
The lsass.exe has gone over 1.5GB. We have 8 GB physical RAM and are running Windows 2003 32 bits.

Have you checked on my previous note?

Author

Commented:
Hi Bawer,

I'm closing the forum without finding the problem/solution since the server has been migrated to different hardware.
I will assign the full points to you for helping me.

Thank you
