lsass.exe How much I/O should it be doing?

Thread starter: Guest

Got a quiet hotel room for a change, and noticed that the laptop was hitting
its disk a lot. Did the usual, and discovered that the offending process was
lsass.exe, with 3-4 reads and writes per second. After 48 hours of uptime,
it was >1 million.

All the anti-viri, malicious software, etc. say the machine is clean. (XP
Pro, with this past Tuesday's updates.) The usual sniff tests for Sasser come
up clean. The files claim to have correct signatures. Strings on the files
comes up with "export version".

This much disk activity is noticeable on battery life, so I somehow doubt it's
"normal" behaviour.

-dp-
http://www.the-nerds.org/
 
Ok, I just re-booted the beast. 11,000 reads and 10,000 writes just during
the boot, and it grows by 20 every time Task Manager updates.

Any relatively easy way to find out what file(s) it has open?
 
Random said:
Ok, I just re-booted the beast. 11,000 reads and 10,000 writes just during
the boot, and it grows by 20 every time Task Manager updates.

Any relatively easy way to find out what file(s) it has open?

You could try process monitor. Not designed for novices, but I suspect not all
that hard to drive.

<http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx>

There's also file monitor on the same site; it's older, but if you don't have
any luck with process monitor it might be worth a try.

Harry.
 
Thanks for the tip, it's downloading as we type. And it's clear that the
laptop is out of line on lsass I/O. Now home, and I checked the older laptop
(which has the same patch level of the OS). Lsass does 2 orders of magnitude
less disk activity.
 
Ok, File Monitor did the trick. lsass.exe was not happy about the Gmail
Notifier. I exited the notifier, and the system went quiet.... Since the
machine that isn't pounding its disk into the ground also has the notifier
running, I will need to investigate some more. Thanks again for the tips...
 
I also have lsass continuously doing I/O at the rate of about 3 of each per
second. I downloaded File Monitor and then Process Monitor but neither of
them have led me to any smoking gun. (I don't use gmail.)

Process Monitor shows about 30 file system operations each minute, but I
don't see anything that leads me to any conclusion. Can anyone help?

Please note that I have run several scans for trojans and my lsass.exe is
clean.
 
grok said:
I also have lsass continuously doing I/O at the rate of about 3 of each per
second. I downloaded File Monitor and then Process Monitor but neither of
them have led me to any smoking gun. (I don't use gmail.)

Process Monitor shows about 30 file system operations each minute, but I
don't see anything that leads me to any conclusion. Can anyone help?

What files are being modified or accessed?

Harry.
 
Thanks for your interest Harry. I've been adjusting Process Monitor to try
to get a small enough output to post here. Let's see if this works:

QueryOpen C:\WINDOWS\Temp SUCCESS 8:04:06.2297603 AM
QueryOpen C:\WINDOWS\Temp SUCCESS 8:04:06.2299930 AM
QueryOpen C:\AUTOEXEC.BAT SUCCESS 8:04:06.2320563 AM
CreateFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2322141 AM
QueryNameInformationFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2323871 AM
QueryNameInformationFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2324701 AM
QueryStandardInformationFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2325530 AM
ReadFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2326251 AM
CloseFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2327027 AM
QueryOpen C:\Documents and Settings\Jim Slager\Local Settings\Temp SUCCESS 8:04:06.2330052 AM
CreateFile C:\ SUCCESS 8:04:06.2330609 AM
QueryDirectory C:\Documents and Settings SUCCESS 8:04:06.2330942 AM
CloseFile C:\ SUCCESS 8:04:06.2331320 AM
CreateFile C:\Documents and Settings SUCCESS 8:04:06.2332447 AM
QueryDirectory C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2332809 AM
CloseFile C:\Documents and Settings SUCCESS 8:04:06.2333293 AM
CreateFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2334423 AM
QueryDirectory C:\Documents and Settings\Jim Slager\Local Settings SUCCESS 8:04:06.2334802 AM
CloseFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2335185 AM
QueryOpen C:\Documents and Settings\Jim Slager\Local Settings\Temp SUCCESS 8:04:06.2337106 AM
CreateFile C:\ SUCCESS 8:04:06.2337617 AM
QueryDirectory C:\Documents and Settings SUCCESS 8:04:06.2337937 AM
CloseFile C:\ SUCCESS 8:04:06.2338285 AM
CreateFile C:\Documents and Settings SUCCESS 8:04:06.2339383 AM
QueryDirectory C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2339725 AM
CloseFile C:\Documents and Settings SUCCESS 8:04:06.2340075 AM
CreateFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2341195 AM
QueryDirectory C:\Documents and Settings\Jim Slager\Local Settings SUCCESS 8:04:06.2341547 AM
CloseFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2341910 AM

This is the file system activity for 1 minute, except there are 4 more
activities that are much wider, and I'll hack them up like this:

CreateFile * SUCCESS 8:04:06.2349316 AM
QueryNameInformationFile * BUFFER OVERFLOW 8:04:06.2351441 AM
QueryNameInformationFile * SUCCESS 8:04:06.2352507 AM
CloseFile * SUCCESS 8:04:06.2353459 AM


and the * stands for:

C:\Documents and Settings\Jim Slager\Application Data\Microsoft\Protect\S-1-5-21-4127160252-1390122426-107871480-1006\Preferred

I hope that you can make some sense of this.
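Harry's tip earlier in the thread was to run Process Monitor; grok's post above shows what its output looks like once you have it. What neither post shows is how to turn a minute of that output into an answer, which is mostly counting: save the capture as CSV, then group the rows for the process you care about by path and by operation, and work out the rate. The script below is an added example, not code from the thread or from Sysinternals. It assumes the column layout Process Monitor writes with File > Save... > CSV ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample rows are constructed to mirror grok's lsass.exe lines, spread over 30 seconds, with made-up PIDs and Detail strings. It also flags every non-SUCCESS result, with one caveat a practitioner would want: the "BUFFER OVERFLOW" grok saw on QueryNameInformationFile is STATUS_BUFFER_OVERFLOW, the file system reporting that the caller's name buffer was too small, and the retry with a bigger buffer succeeds on the very next line. It is not a memory-corruption bug.

```python
"""Summarise a Process Monitor CSV export to find what a process keeps touching.

Added example, not code from the thread. Assumes the column layout Process
Monitor writes with File > Save... > CSV. SAMPLE_CSV is constructed to mirror
the lsass.exe lines posted in the thread; PIDs and Detail strings are made up.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Path from the thread; substituted for {PREF} in the constructed sample below.
PREFERRED = (r"C:\Documents and Settings\Jim Slager\Application Data\Microsoft"
             r"\Protect\S-1-5-21-4127160252-1390122426-107871480-1006\Preferred")

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:04:06.2297603 AM","lsass.exe","688","QueryOpen","C:\WINDOWS\Temp","SUCCESS",""
"8:04:06.2320563 AM","lsass.exe","688","QueryOpen","C:\AUTOEXEC.BAT","SUCCESS",""
"8:04:06.2322141 AM","lsass.exe","688","CreateFile","C:\AUTOEXEC.BAT","SUCCESS","Desired Access: Generic Read"
"8:04:06.2323871 AM","lsass.exe","688","QueryNameInformationFile","C:\AUTOEXEC.BAT","SUCCESS",""
"8:04:06.2324701 AM","lsass.exe","688","QueryNameInformationFile","C:\AUTOEXEC.BAT","SUCCESS",""
"8:04:06.2325530 AM","lsass.exe","688","QueryStandardInformationFile","C:\AUTOEXEC.BAT","SUCCESS",""
"8:04:06.2326251 AM","lsass.exe","688","ReadFile","C:\AUTOEXEC.BAT","SUCCESS","Offset: 0, Length: 4,096"
"8:04:06.2327027 AM","lsass.exe","688","CloseFile","C:\AUTOEXEC.BAT","SUCCESS",""
"8:04:36.2349316 AM","lsass.exe","688","CreateFile","{PREF}","SUCCESS","Desired Access: Generic Read"
"8:04:36.2351441 AM","lsass.exe","688","QueryNameInformationFile","{PREF}","BUFFER OVERFLOW",""
"8:04:36.2352507 AM","lsass.exe","688","QueryNameInformationFile","{PREF}","SUCCESS",""
"8:04:36.2353459 AM","lsass.exe","688","CloseFile","{PREF}","SUCCESS",""
"8:05:06.0000000 AM","explorer.exe","1204","ReadFile","C:\WINDOWS\explorer.exe","SUCCESS","Offset: 0, Length: 16,384"
'''.replace("{PREF}", PREFERRED)


def parse_time_of_day(text: str) -> datetime:
    """Procmon prints seven fractional digits; strptime's %f accepts at most six."""
    clock, ampm = text.rsplit(" ", 1)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def load_events(csv_text: str) -> list:
    """One dict per row, keyed by the header names Procmon wrote."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(events, process_name: str, top: int = 5) -> dict:
    """Which paths and operations does one process generate, and how fast?"""
    mine = [e for e in events if e["Process Name"].lower() == process_name.lower()]
    if not mine:
        return {"process": process_name, "events": 0}
    times = [parse_time_of_day(e["Time of Day"]) for e in mine]
    span = (max(times) - min(times)).total_seconds()
    # Anything that is not SUCCESS deserves a look. "BUFFER OVERFLOW" on
    # QueryNameInformationFile is STATUS_BUFFER_OVERFLOW: the caller's name
    # buffer was too small and the call is retried (the next line for the same
    # path succeeds). It is a warning status, not memory corruption.
    non_success = Counter((e["Operation"], e["Result"]) for e in mine
                          if e["Result"] != "SUCCESS")
    return {
        "process": process_name,
        "events": len(mine),
        "span_seconds": span,
        "events_per_minute": (len(mine) / span * 60) if span else None,
        "top_paths": Counter(e["Path"] for e in mine).most_common(top),
        "by_operation": dict(Counter(e["Operation"] for e in mine)),
        "non_success": dict(non_success),
    }


if __name__ == "__main__":
    report = summarize(load_events(SAMPLE_CSV), "lsass.exe")
    print(f"{report['process']}: {report['events']} events in "
          f"{report['span_seconds']:.1f}s ({report['events_per_minute']:.0f}/min)")
    for path, n in report["top_paths"]:
        print(f"{n:5d}  {path}")
    print("non-SUCCESS results:", report["non_success"])
```

Against a real export, replace SAMPLE_CSV with the file contents and run it once per process name; the top_paths list is the "smoking gun" grok was looking for, and comparing events_per_minute between two machines at the same patch level is the same check dp did by eye.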
 
grok said:
CreateFile * SUCCESS 8:04:06.2349316 AM
QueryNameInformationFile * BUFFER OVERFLOW 8:04:06.2351441 AM
QueryNameInformationFile * SUCCESS 8:04:06.2352507 AM
CloseFile * SUCCESS 8:04:06.2353459 AM


and the * stands for:

C:\Documents and Settings\Jim Slager\Application Data\Microsoft\Protect\S-1-5-21-4127160252-1390122426-107871480-1006\Preferred

This seems to be related to Microsoft's cryptography system. Have you encrypted
part or all of your file system?

Harry.
 
Have you encrypted part or all of your file system?

No, absolutely not! At least not intentionally. Please give me a clue on
what I can do about this.
 
grok said:
No, absolutely not! At least not intentionally. Please give me a clue on
what I can do about this.

It was just a thought, this behaviour might be normal if certain files in the
operating system were encrypted. (I don't know; I'm just guessing.)

Unfortunately while you can check whether a particular file is encrypted by
right-clicking and selecting Properties, I don't know of any way to search for
encrypted files.

That's about all I can think of. Hopefully someone else will be able to help.

Harry.
 
I've found S-1-5-21-4127160252-1390122426-107871480-1006 in my registry under
Microsoft/Protected Storage System Provider.

And also under Windows/CurrentVersion/Group Policy and /State.
And Windows/CurrentVersion/Installer/UserData.
And windows/CurrentVersion/ProfileList.

Can anyone advise me on this?
 
grok said:
I've found S-1-5-21-4127160252-1390122426-107871480-1006 in my registry under
Microsoft/Protected Storage System Provider.

If you're wanting to know what the long string of numbers means, it's a security
identifier - it identifies a user account on your computer.

grok said:
And windows/CurrentVersion/ProfileList.

This one should show you the username of the user account.

Harry.
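Harry's answer is right that the long string is a security identifier, and a practitioner would usually want to take it one step further: pull the SID apart to see which part names the machine and which part names the account, and look at what actually lives in that Protect\<SID> folder. The folder is where Windows keeps the user's DPAPI master keys, and the DPAPI master key service runs inside lsass.exe, which is why lsass is the process opening it. The script below is an added example, not code from the thread or from Microsoft. The SID string and binary layouts are the documented Windows ones. The layout of the Preferred file (a 16-byte GUID naming the current master key, followed by a 64-bit FILETIME giving when it expires, 24 bytes in total) is what DPAPI triage tools assume; I am stating it from memory, the thread does not describe it, and the sample blob is constructed rather than read from a real profile. The SID itself is the one grok posted.

```python
"""Decode the SID from grok's path and the small Preferred file that sits in it.

Added example, not code from the thread. SID layouts are the documented Windows
ones. The Preferred layout (GUID + FILETIME expiry, 24 bytes) is assumed from
DPAPI tooling, not from the thread; the sample blob below is constructed.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

SID = "S-1-5-21-4127160252-1390122426-107871480-1006"   # from grok's post

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid: str) -> dict:
    """Split S-R-I-S-S-... into revision, identifier authority, sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    info = {"revision": revision, "authority": authority, "sub_authorities": subs}
    # S-1-5-21-<three 32-bit values>-<RID>: the three values identify the
    # machine or domain, the trailing RID identifies the account within it.
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:
        rid = subs[4]
        info["domain_identifier"] = "-".join(str(s) for s in subs[1:4])
        info["rid"] = rid
        if rid in WELL_KNOWN_RIDS:
            info["account_kind"] = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            info["account_kind"] = "user or group created on this machine/domain"
        else:
            info["account_kind"] = "reserved/built-in"
    return info


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID as found in tokens, ACLs and REG_BINARY values: revision,
    sub-authority count, 48-bit big-endian authority, then little-endian uint32s."""
    info = parse_sid(sid)
    subs = info["sub_authorities"]
    return (bytes([info["revision"], len(subs)])
            + info["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:8 + 4 * count])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer division keeps this exact; a float would lose low bits here.
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_preferred(blob: bytes) -> dict:
    """Assumed layout: GUID in Windows in-memory byte order, then FILETIME expiry."""
    if len(blob) != 24:
        raise ValueError(f"Preferred should be 24 bytes, got {len(blob)}")
    guid = uuid.UUID(bytes_le=blob[:16])
    (expires,) = struct.unpack("<Q", blob[16:])
    return {"master_key_guid": str(guid), "expires": filetime_to_datetime(expires)}


def build_preferred(guid: str, expires: datetime) -> bytes:
    """Inverse of parse_preferred; used only to construct the sample below."""
    return uuid.UUID(guid).bytes_le + struct.pack("<Q", datetime_to_filetime(expires))


# Constructed sample: a made-up GUID and a made-up expiry date.
SAMPLE_GUID = "d3bf7f8a-6f5c-4a1e-9d63-1b2c3d4e5f60"
SAMPLE_EXPIRES = datetime(2007, 1, 1, tzinfo=timezone.utc)
SAMPLE_PREFERRED = build_preferred(SAMPLE_GUID, SAMPLE_EXPIRES)


if __name__ == "__main__":
    info = parse_sid(SID)
    print(f"{SID}: RID {info['rid']} ({info['account_kind']}), "
          f"machine/domain id {info['domain_identifier']}")
    raw = sid_to_bytes(SID)
    print("binary:", raw.hex(), "->", bytes_to_sid(raw))
    print(parse_preferred(SAMPLE_PREFERRED))
```

On a real machine the RID 1006 is simply the sixth account the system created, and the ProfileList key Harry points at maps the whole SID back to a profile path; the GUID that parse_preferred returns is the file name of the master key file sitting beside Preferred in the same folder.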
 