lsass.exe and svchost.exe


Birgitta

lsass.exe uses 60% and svchost.exe 40%. I can't get the
CPU down to normal levels. It remains at 100% at all
times. Reboots did not help. One security entry found:
IPSec Services failed to initialize IKE module with error
code: The attempted operation is not supported for the
type of object referenced. IPSec Services could not be
started.
Event ID 615; Category: Policy Change.
Not sure if this is related to CPU usage.

Thanks in advance
 
Hey Birgitta,

Both lsass.exe and svchost may be viruses masquerading as legitimate
processes.

How many lsass and svchost processes do you see in Task Manager?

There should be one lsass and normally 4 svchosts.

Try this online virus scan
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Free Anti virus software www.grisoft.com
Free Firewall www.zonelabs.com
Free Adware Blocker http://www.lavasoftusa.com/support/download/
Free malware and spyware cleaner http://www.safer-networking.org/

Paul
 
XP has many services named svchost, so it's hard to tell
what yours does.
The Isass.exe provides end-to-end security between clients
and servers on TCP/IP networks. If this service is
stopped, TCP/IP security between clients and servers on
the network will be impaired. If this service is disabled,
any services that explicitly depend on it will fail to
start.

If you want to disable it, go to start/control
panel/administrative tools/services.
Go also to the help section and check for default settings
in the services.
 
I think she said lsass.exe which manages local accounts, not Isass.exe.
If so, do not disable it.

Paul
 
Hi Paul,

I have one of each process and I ran a virus scan but
it came out negative.

Birgitta
 
Only 1 svchost?
Are you sure? What are you running, XP Home or XP Professional?

Sort the processes in the task manager process screen into alphabetical
order by clicking on the heading "Image name"
Perhaps you missed 1 or 2.

Also go into search, and search the system for svchost.exe and lsass.exe and
post where you find them.

Paul
 
Hi Paul,

I run XP home.
You are right. I have 3 svchost.exe system and 1 svchost
Network Service and 1 svchost Local Service.
(Only one svchost.exe system is active, 40%)

But I have only 1 lsass.exe 60%

Birgitta
 
I think that's one too many.

Since you have Windows XP Home you don't have the tasklist.exe command like
we do in Professional. Seems crazy not to have included it for
troubleshooting problems.
However you can download it here.

http://www.computerhope.com/download/winxp.htm

I just downloaded it and ran a file compare with the one on my XP
Professional SP1 system and it's identical.

Put it in your \windows\system32 directory.

Now go into taskmanager/process tab

Click on the cpu column heading to sort the column into cpu usage order.

Make a note of the PID number for the svchost process using the cpu.

Now go to a command prompt, and run the newly downloaded tasklist command

tasklist /svc

This will list all the service tasks within the svchost processes.
Find the PID number you made a note of.
Which service tasks are listed next to it? If there are none, it's probably a
virus.
If you need help, the tasklist command can also have its output redirected
to a file

From a command prompt, type

tasklist /svc > tasks.txt

You can now open tasks.txt with notepad and copy/paste a list of all your
tasks into a reply post.

The lsass.exe process, as you will see, houses 3 service tasks, or it does
on my system!

These are

Policy Agent
ProtectedStorage
SamsS

SERVICE_NAME: PolicyAgent
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : D:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME : LocalSystem


SERVICE_NAME: ProtectedStorage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : D:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: samss
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

One of these IS ipsec, so perhaps once we've fixed this svchost, we'll have
a look at what that ipsec error is you're getting.

Paul
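
The checks Paul describes, run over a saved tasks.txt, as an added example that is not part of the thread. The sample output is constructed and the function names are hypothetical. The lookalike-name check is an added generalization, based on the lsass/Isass mix-up earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample of `tasklist /svc` output (not taken from the thread).
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
lsass.exe                    700 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  860 RpcSs
svchost.exe                  960 AudioSrv, Browser, CryptSvc, Dhcp,
                                 EventSystem, Schedule
svchost.exe                 1340 N/A
Isass.exe                   1512 N/A
"""

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])], rejoining wrapped service lists."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append([m.group(1), int(m.group(2)), m.group(3)])
        elif rows and line[:1].isspace() and line.strip():
            rows[-1][2] += " " + line.strip()  # wrapped service list
    split = lambda s: [x.strip() for x in s.split(",") if x.strip() not in ("", "N/A")]
    return [(img, pid, split(svc)) for img, pid, svc in rows]

def review(rows):
    """Apply the checks from the thread; return a list of (pid, reason)."""
    findings = []
    counts = Counter(img.lower() for img, _, _ in rows)
    for img, pid, services in rows:
        name = img.lower()
        if name == "svchost.exe" and not services:
            findings.append((pid, "svchost.exe hosting no services"))
        if name == "lsass.exe" and counts[name] > 1:
            findings.append((pid, "more than one lsass.exe running"))
        # Lookalike names: capital I or digit 1 standing in for lowercase l.
        if name != "lsass.exe" and img.replace("I", "l").replace("1", "l").lower() == "lsass.exe":
            findings.append((pid, "name imitates lsass.exe"))
    return findings

if __name__ == "__main__":
    for pid, reason in review(parse_tasklist_svc(SAMPLE)):
        print(pid, reason)
```

To use it on a real listing, pass the contents of tasks.txt to parse_tasklist_svc instead of SAMPLE.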
 