Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

lsass.exe on Server 2012 consuming 100% of processor

Posted on 2013-06-27
8
Medium Priority
?
6,241 Views
Last Modified: 2013-06-28
I've run into a problem with a new file server running 2012.  It worked fine until last week when I started getting processor use alerts.  It went to 100% and stayed there...turns out it was the lsass.exe process but I don't know what caused it.  I eventually had to restart the server and it was ok for a week, now I'm seeing the same exact problem again.  Nothing else is acting up, just that one service.  I see very little results in my searches so I'm hoping someone here has seen the same problem.
0
Comment
Question by:First Last
  • 4
  • 3
8 Comments
 
LVL 47

Expert Comment

by:David
ID: 39283545
well, there is a trojan out there that replaces the msft lsass.exe and steals your data and submits it to bad people.   I'd first make sure that you have not been infected.

Also even IF that is the real program, a 100% CPU hit usually indicates you have some rogue host trying to brute force log on.    Try disconnecting the network cable to see if problem goes away.
0
 
LVL 1

Author Comment

by:First Last
ID: 39284052
I've run full scans on the machine but I don't see any infections, we're pretty well protected.  I restarted the machine last night and its settled down again this morning but I'm very concerned it will appear again, I've seen it twice so far.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39284079
though old article but it does focus on drilling down to culprit and most of the time is network e.g. ldap calls. Using SPA can sieve out the top consumer as well, actually if the DC is holding up various roles like appl, file server etc - it tends to be high but not to the extend of whole system slows down.

http://blogs.technet.com/b/askds/archive/2007/08/20/troubleshooting-high-lsass-cpu-utilization-on-a-domain-controller-part-1-of-2.aspx

Can also do a tasklist /svc:lsass,exe to see it is used by which services (mostly network based type) ...  check the event logs as well for error or hints of event of failure ("access denied") coming from network authentication like IPSEC (or VPN from other sites or users etc)
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 1

Author Comment

by:First Last
ID: 39284184
Hi breadtan...I'd love to be able to do that while the problem is happening but the server is compeltely unresponsive, I doubt I'd be able to do any of the commands.  I'm hoping to piece together what happened now that its running normally using logs but there is absolutely nothing in the event logs that give me a clue.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39284274
if possible, plug out the network cable as suggested. tough to inspect further if system to slow...to carry out more depth checks...especially it is intermittent. Also the server security s/w like AV or FW log may be other to scrawl through ...
0
 
LVL 1

Author Comment

by:First Last
ID: 39284293
Ok, I can try that if I see it happen again (hoping to prevent if possible, this is a production server with all our file shares).
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39284300
also may want to check on this

How to Troubleshoot High LSASS.EXE CPU Utilization on an Active Directory Domain Controllers - http://support.microsoft.com/kb/2550044
0
 
LVL 1

Author Comment

by:First Last
ID: 39284349
I've been reading that one as well, I have several things to try if this happens again.  Thanks all!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question