Solved

lsass.exe on Server 2012 consuming 100% of processor

Posted on 2013-06-27
Last Modified: 2013-06-28
I've run into a problem with a new file server running 2012. It worked fine until last week when I started getting processor use alerts. It went to 100% and stayed there... turns out it was the lsass.exe process but I don't know what caused it. I eventually had to restart the server and it was ok for a week, now I'm seeing the same exact problem again. Nothing else is acting up, just that one service. I see very few results in my searches so I'm hoping someone here has seen the same problem.
Question by:First Last
8 Comments
 
LVL 47

Expert Comment

by:David
ID: 39283545
Well, there is a trojan out there that replaces the msft lsass.exe and steals your data and submits it to bad people. I'd first make sure that you have not been infected.

Also even IF that is the real program, a 100% CPU hit usually indicates you have some rogue host trying to brute force log on. Try disconnecting the network cable to see if the problem goes away.
0
 
LVL 1

Author Comment

by:First Last
ID: 39284052
I've run full scans on the machine but I don't see any infections, we're pretty well protected. I restarted the machine last night and it's settled down again this morning but I'm very concerned it will appear again, I've seen it twice so far.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39284079
Though an old article, it does focus on drilling down to the culprit, and most of the time it is network, e.g. LDAP calls. Using SPA can sieve out the top consumer as well. Actually, if the DC is holding various roles like appl, file server, etc., it tends to be high, but not to the extent that the whole system slows down.

http://blogs.technet.com/b/askds/archive/2007/08/20/troubleshooting-high-lsass-cpu-utilization-on-a-domain-controller-part-1-of-2.aspx

Can also do a tasklist /svc /fi "imagename eq lsass.exe" to see which services it is used by (mostly network-based types) ... Check the event logs as well for errors or hints of failure events ("access denied") coming from network authentication like IPSEC (or VPN from other sites or users, etc.)
0
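An added example (not code from any poster in this thread) of the event-log check suggested above: it counts failed logons (Security event 4625) per hour, source and logon type, so the busiest hours can be compared with the times of the CPU alerts. It assumes failed-logon auditing is enabled and an elevated PowerShell session on the affected server; the function name Get-FailedLogonSummary and its parameters are hypothetical.

```powershell
# Added example: summarize failed logons (Security event 4625) per hour and source.
# Assumes "Audit Logon" failure auditing is enabled and the session is elevated.
function Get-FailedLogonSummary {
    param(
        [int]$Days = 7,   # how far back to look (assumed window)
        [int]$Top  = 20   # number of rows to return
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No 4625 events found in the last $Days day(s)."
        return
    }

    $rows = foreach ($e in $events) {
        # Read the named fields from the event XML instead of relying on property order.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Hour      = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
            # Local failures log "-" as the address; fall back to the workstation name.
            Source    = if ($data.IpAddress -and $data.IpAddress -ne '-') { $data.IpAddress }
                        else { $data.WorkstationName }
            Account   = $data.TargetUserName
            LogonType = $data.LogonType   # 3 = network, 10 = remote interactive
        }
    }

    # One row per hour/source/logon type, busiest first, with distinct accounts tried.
    $rows | Group-Object Hour, Source, LogonType |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name,
            @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } }
}

Get-FailedLogonSummary -Days 7
```

A single source with a high count and many distinct accounts in the same hour as a CPU alert is the pattern to look for; an empty result means either no failures occurred or failure auditing is not enabled.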
 
LVL 1

Author Comment

by:First Last
ID: 39284184
Hi breadtan... I'd love to be able to do that while the problem is happening but the server is completely unresponsive, I doubt I'd be able to do any of the commands. I'm hoping to piece together what happened now that it's running normally using logs but there is absolutely nothing in the event logs that gives me a clue.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39284274
If possible, unplug the network cable as suggested. It is tough to inspect further if the system is too slow to carry out more in-depth checks, especially as it is intermittent. Also, the server security s/w logs, like AV or FW logs, may be another thing to crawl through ...
0
 
LVL 1

Author Comment

by:First Last
ID: 39284293
Ok, I can try that if I see it happen again (hoping to prevent if possible, this is a production server with all our file shares).
0
 
LVL 64

Accepted Solution

by:btan
btan earned 500 total points
ID: 39284300
Also may want to check on this:

How to Troubleshoot High LSASS.EXE CPU Utilization on an Active Directory Domain Controllers - http://support.microsoft.com/kb/2550044
0
 
LVL 1

Author Comment

by:First Last
ID: 39284349
I've been reading that one as well, I have several things to try if this happens again.  Thanks all!
0

Question has a verified solution.
