Solved

lsass.exe on Server 2012 consuming 100% of processor

Posted on 2013-06-27
8
4,459 Views
Last Modified: 2013-06-28
I've run into a problem with a new file server running 2012.  It worked fine until last week when I started getting processor use alerts.  It went to 100% and stayed there...turns out it was the lsass.exe process but I don't know what caused it.  I eventually had to restart the server and it was ok for a week, now I'm seeing the same exact problem again.  Nothing else is acting up, just that one service.  I see very little results in my searches so I'm hoping someone here has seen the same problem.
0
Comment
Question by:First Last
  • 4
  • 3
8 Comments
 
LVL 47

Expert Comment

by:dlethe
Comment Utility
well, there is a trojan out there that replaces the msft lsass.exe and steals your data and submits it to bad people.   I'd first make sure that you have not been infected.

Also even IF that is the real program, a 100% CPU hit usually indicates you have some rogue host trying to brute force log on.    Try disconnecting the network cable to see if problem goes away.
0
 
LVL 1

Author Comment

by:First Last
Comment Utility
I've run full scans on the machine but I don't see any infections, we're pretty well protected.  I restarted the machine last night and its settled down again this morning but I'm very concerned it will appear again, I've seen it twice so far.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
Comment Utility
though old article but it does focus on drilling down to culprit and most of the time is network e.g. ldap calls. Using SPA can sieve out the top consumer as well, actually if the DC is holding up various roles like appl, file server etc - it tends to be high but not to the extend of whole system slows down.

http://blogs.technet.com/b/askds/archive/2007/08/20/troubleshooting-high-lsass-cpu-utilization-on-a-domain-controller-part-1-of-2.aspx

Can also do a tasklist /svc:lsass,exe to see it is used by which services (mostly network based type) ...  check the event logs as well for error or hints of event of failure ("access denied") coming from network authentication like IPSEC (or VPN from other sites or users etc)
0
 
LVL 1

Author Comment

by:First Last
Comment Utility
Hi breadtan...I'd love to be able to do that while the problem is happening but the server is compeltely unresponsive, I doubt I'd be able to do any of the commands.  I'm hoping to piece together what happened now that its running normally using logs but there is absolutely nothing in the event logs that give me a clue.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
Comment Utility
if possible, plug out the network cable as suggested. tough to inspect further if system to slow...to carry out more depth checks...especially it is intermittent. Also the server security s/w like AV or FW log may be other to scrawl through ...
0
 
LVL 1

Author Comment

by:First Last
Comment Utility
Ok, I can try that if I see it happen again (hoping to prevent if possible, this is a production server with all our file shares).
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
also may want to check on this

How to Troubleshoot High LSASS.EXE CPU Utilization on an Active Directory Domain Controllers - http://support.microsoft.com/kb/2550044
0
 
LVL 1

Author Comment

by:First Last
Comment Utility
I've been reading that one as well, I have several things to try if this happens again.  Thanks all!
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now