Solved

lsass.exe on Server 2012 consuming 100% of processor

Posted on 2013-06-27
Last Modified: 2013-06-28
I've run into a problem with a new file server running 2012.  It worked fine until last week when I started getting processor use alerts.  It went to 100% and stayed there...turns out it was the lsass.exe process but I don't know what caused it.  I eventually had to restart the server and it was ok for a week, now I'm seeing the same exact problem again.  Nothing else is acting up, just that one service.  I see very few results in my searches so I'm hoping someone here has seen the same problem.
Question by:First Last
8 Comments
 
LVL 47

Expert Comment

by:dlethe
ID: 39283545
Well, there is a trojan out there that replaces the msft lsass.exe and steals your data and submits it to bad people.   I'd first make sure that you have not been infected.

Also even IF that is the real program, a 100% CPU hit usually indicates you have some rogue host trying to brute force log on.    Try disconnecting the network cable to see if problem goes away.
0
 
LVL 1

Author Comment

by:First Last
ID: 39284052
I've run full scans on the machine but I don't see any infections, we're pretty well protected.  I restarted the machine last night and it's settled down again this morning but I'm very concerned it will appear again, I've seen it twice so far.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39284079
Though an old article, it does focus on drilling down to the culprit, and most of the time it is network, e.g. LDAP calls. Using SPA can sieve out the top consumer as well. Actually, if the DC is holding various roles like appl, file server etc., it tends to be high, but not to the extent that the whole system slows down.

http://blogs.technet.com/b/askds/archive/2007/08/20/troubleshooting-high-lsass-cpu-utilization-on-a-domain-controller-part-1-of-2.aspx

Can also do a tasklist /svc /fi "imagename eq lsass.exe" to see which services it is used by (mostly network based type) ...  check the event logs as well for errors or hints of failure events ("access denied") coming from network authentication like IPSEC (or VPN from other sites or users etc)
0
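An added example, not part of the thread: one way to review the Security log afterwards for the brute-force logon pattern dlethe mentions and the authentication failures btan suggests checking. It assumes logon-failure auditing is enabled so event ID 4625 is recorded; the function names, the threshold and the sample records are illustrative.

```powershell
# Added example. Summarises failed logons (Security event ID 4625) per source
# address so a burst of failures can be found after the server has recovered.

function ConvertTo-FailedLogonRecord {
    # Flattens one 4625 event from Get-WinEvent into the fields used below.
    param([Parameter(ValueFromPipeline = $true)]$LogEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $LogEvent.TimeCreated
            IpAddress   = $data['IpAddress']
            Account     = $data['TargetUserName']
        }
    }
}

function Get-FailedLogonSummary {
    # Threshold is an assumed starting point; tune it to the environment.
    param([Parameter(Mandatory = $true)][object[]]$Records, [int]$Threshold = 20)
    $Records | Group-Object -Property IpAddress | ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            Source    = $_.Name
            Failures  = $_.Count
            Accounts  = @($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Flagged   = $_.Count -ge $Threshold
        }
    } | Sort-Object -Property Failures -Descending
}

# Live use from an elevated prompt (the 12-hour window is an assumption):
#   $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
#       StartTime = (Get-Date).AddHours(-12) } | ConvertTo-FailedLogonRecord

# Constructed sample records (documentation-range addresses), so this runs anywhere.
$start  = Get-Date '2013-06-27T02:00:00'
$sample = @(
    0..29 | ForEach-Object { [pscustomobject]@{ TimeCreated = $start.AddSeconds($_ * 2)
        IpAddress = '192.0.2.45'; Account = "user$($_ % 10)" } }
    [pscustomobject]@{ TimeCreated = $start.AddMinutes(3); IpAddress = '198.51.100.7'; Account = 'jsmith' }
)
Get-FailedLogonSummary -Records $sample | Format-Table -AutoSize
```

A source that shows many failures across many account names in a short FirstSeen to LastSeen span is the one to compare against the time of the CPU alert.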

 
LVL 1

Author Comment

by:First Last
ID: 39284184
Hi breadtan...I'd love to be able to do that while the problem is happening but the server is completely unresponsive, I doubt I'd be able to do any of the commands.  I'm hoping to piece together what happened now that it's running normally using logs but there is absolutely nothing in the event logs that gives me a clue.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39284274
If possible, plug out the network cable as suggested. Tough to inspect further if the system is too slow...to carry out more in-depth checks...especially as it is intermittent. Also the server security s/w like AV or FW log may be other to scrawl through ...
0
 
LVL 1

Author Comment

by:First Last
ID: 39284293
Ok, I can try that if I see it happen again (hoping to prevent if possible, this is a production server with all our file shares).
0
 
LVL 62

Accepted Solution

by:btan
btan earned 500 total points
ID: 39284300
Also may want to check on this

How to Troubleshoot High LSASS.EXE CPU Utilization on an Active Directory Domain Controllers - http://support.microsoft.com/kb/2550044
0
 
LVL 1

Author Comment

by:First Last
ID: 39284349
I've been reading that one as well, I have several things to try if this happens again.  Thanks all!
0


Question has a verified solution.
