• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6437
  • Last Modified:

lsass.exe on Server 2012 consuming 100% of processor

I've run into a problem with a new file server running 2012.  It worked fine until last week when I started getting processor use alerts.  It went to 100% and stayed there...turns out it was the lsass.exe process but I don't know what caused it.  I eventually had to restart the server and it was ok for a week, now I'm seeing the same exact problem again.  Nothing else is acting up, just that one service.  I see very little results in my searches so I'm hoping someone here has seen the same problem.
0
First Last
Asked:
First Last
  • 4
  • 3
3 Solutions
 
DavidPresidentCommented:
well, there is a trojan out there that replaces the msft lsass.exe and steals your data and submits it to bad people.   I'd first make sure that you have not been infected.

Also even IF that is the real program, a 100% CPU hit usually indicates you have some rogue host trying to brute force log on.    Try disconnecting the network cable to see if problem goes away.
0
 
First LastAuthor Commented:
I've run full scans on the machine but I don't see any infections, we're pretty well protected.  I restarted the machine last night and its settled down again this morning but I'm very concerned it will appear again, I've seen it twice so far.
0
 
btanExec ConsultantCommented:
though old article but it does focus on drilling down to culprit and most of the time is network e.g. ldap calls. Using SPA can sieve out the top consumer as well, actually if the DC is holding up various roles like appl, file server etc - it tends to be high but not to the extend of whole system slows down.

http://blogs.technet.com/b/askds/archive/2007/08/20/troubleshooting-high-lsass-cpu-utilization-on-a-domain-controller-part-1-of-2.aspx

Can also do a tasklist /svc:lsass,exe to see it is used by which services (mostly network based type) ...  check the event logs as well for error or hints of event of failure ("access denied") coming from network authentication like IPSEC (or VPN from other sites or users etc)
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
First LastAuthor Commented:
Hi breadtan...I'd love to be able to do that while the problem is happening but the server is compeltely unresponsive, I doubt I'd be able to do any of the commands.  I'm hoping to piece together what happened now that its running normally using logs but there is absolutely nothing in the event logs that give me a clue.
0
 
btanExec ConsultantCommented:
if possible, plug out the network cable as suggested. tough to inspect further if system to slow...to carry out more depth checks...especially it is intermittent. Also the server security s/w like AV or FW log may be other to scrawl through ...
0
 
First LastAuthor Commented:
Ok, I can try that if I see it happen again (hoping to prevent if possible, this is a production server with all our file shares).
0
 
btanExec ConsultantCommented:
also may want to check on this

How to Troubleshoot High LSASS.EXE CPU Utilization on an Active Directory Domain Controllers - http://support.microsoft.com/kb/2550044
0
 
First LastAuthor Commented:
I've been reading that one as well, I have several things to try if this happens again.  Thanks all!
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now