lsass.exe in CPU loop when logging in


Stewart Berman

I have a Windows XP Pro SP2 workstation. If I log in as an administrator it behaves normally. If I
log in as a non-administrator power user the system seems to hang. Task Manager shows lsass.exe at
between 92% and 97% CPU. This continues for several minutes and then stops.

I find a posting from about a year ago via Google that describes my situation (see below).
Unfortunately, it did not have a response.

How do I fix the problem?

Stu

**********************************************************
Newsgroups: microsoft.public.windowsxp.security_admin
From: test1234567 <[email protected]>
Date: Thu, 9 Jun 2005 02:35:50 -0500
Subject: Re: LSASS.EXE process consuming 100% CPU time

I have the same problem with two computers running XP.

The problem starts appearing under these conditions:

- You try to copy an EFS (Windows encrypted) file from one computer to
the other target computer using a (home) LAN connection.

- The system warns you that the file cannot be copied unless the
encryption is removed. You select 'Ignore All' button in the encryption
dialog box.

- The file starts being copied to the target computer (in both cases I
also had EFS active in the target computer user profile). I noted that
during this time the processor works hard only on the target computer
(maybe the decryption is done there?!!)

- After the file has finished being copied, everything seems OK.

- However, the next time you (re)start the target computer, and login
to that profile, LSASS goes to nearly 100% of CPU usage for a few
minutes. In a Pentium III 466MHz this takes about 10 minutes. In a
Centrino Mobile processor of 1.5 GHz this takes about 1 minute. After
this everything goes well.

- This then happens every time you log in to the same user profile on
the target computer. The problem does not show for the other user
accounts (profiles).

- The source computer where the EFS file originated is not affected at
all by this problem.
**********************************************************
 
Look in the system/application logs that you can see via Event Viewer to see
if any failures/warnings are shown at the time that the user is trying to
log on. If you find any you can search Google or use http://www.eventid.net
to find more information about the event and a possible solution. Also try
booting into Safe Mode as the user to see what happens. Since it seems to be
based on group membership it sounds as if the less privileged users may have
a lack of permission to something critical. You could try using secedit as
described in the link below to reset security settings back to default
defined levels to see if that helps or not. It is a long command but you can
simply copy and paste it into a command prompt. I would also do full scans
for malware and spyware using the latest definitions for anything you use and also
scan in Safe Mode. AdAware SE is an excellent (free for personal use) spyware
program if you do not currently have one. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
http://www.lavasoftusa.com/software/adaware/ --- AdAware SE
 
It appears to be a bug in Microsoft's security system startup that is somehow triggered by moving an
encrypted file to another machine on a network and decrypting it as part of the move. I suspect it is
a problem with either some attribute settings or with one of the alternate data streams.
lsass.exe is obviously trying to understand or repair the status of the files and takes ten minutes
before finally giving up.

While it may appear that the problem is affected by group membership it is actually single user
specific. Only a user who has transferred encrypted files to an unencrypted machine is affected.

I am looking for someone who has seen the problem and actually has a solution to it. I appreciate
that you are trying to be helpful, but it is clear you have not seen the problem nor do you have any
knowledge of a solution. While doing the obvious things like checking the system logs and scanning
for viruses and malware only wastes time, resetting security settings to their defaults could bring
my system to a halt. (Although I am running on a home LAN, I am running enterprise-level firewall
and virus checking software and they get very upset if their settings are changed from those set by
the global engineering team.)

Stu
 
Thanks to this posting, I realized I had also copied encrypted files causing
lsass.exe to take over the system for several minutes after logon. The
problem profile was a member of the administrators group and so I did not
suspect a security issue.

I decrypted the local files and disabled EFS but it did not help. After a
lot of searching and head scratching, I finally found a bunch of files under
C:\Documents and Settings\problemuser\Application Data\Microsoft\Protect in
one of the directories. The directory was created at the time the data was
pushed to the problem target system. In my case, it contained over 16,000
files. I moved the new directory out of the Protect directory to eliminate
the CPU hit after logon.
 
I have run into the *exact* same problem, Stewart. I copied about 10GB
of data from one machine to another. The data on the original machine
was encrypted; when I attempted to copy the data, Windows warned me the
encryption would be lost on the destination machine. I chose "ignore
all," and allowed the copy to continue. Once I rebooted the
destination machine, I began getting LSASS taking up 99% of CPU
resources immediately after boot-up for about 10 minutes. Since the
destination was, in this case, a laptop, it causes a major drain on the
battery for these 10 minutes. Even after I've removed the 10GB of
files from the laptop that I had copied, LSASS still consumes my
processor as though it's trying to "figure something out." I also watch
with dread as my commit charge increases at about 100kb per second from
200MB at bootup to about 330MB once LSASS finishes whatever it's doing.
The charge then levels off, so I KNOW it is LSASS causing the problem,
even though Windows lists its memory usage in Task Manager as
unchanging.

If ANYONE (especially a True Microsoft Tech, not one of these Microsoft
"Certified" Impostors who seem to have no real solutions for anything
besides spewing advice about AdAware and Norton Antivirus) has
encountered this problem and knows the solution, I would greatly
appreciate it if they would share it with the rest of the world. I'll
tell you right here and now that System Event Logs show nothing
strange. I have no viruses. I have no worms. I have no adware. Just
because 90% of computer users don't know how to maintain a Windows XP
system properly doesn't mean people such as Stewart and myself do not.
Don't insult our intelligence with further finger-pointing at obviously
implausible causes of this problem. A real solution is what I think we
both want... My laptop battery will thank you for it later. :-)

Kevin
 
Thank you. Moving the files into a Zip archive solved the startup problem.

Please note that before you do this you should run: CIPHER /H /N /U
This will identify all encrypted files on your local drive. You need to decrypt them before you
remove the contents of the Protect directory (on an XP system the files are in a directory with a
GUID for a name under the Protect directory). Once you remove the contents of the directory you
cannot decrypt files that were encrypted earlier. You can still encrypt files after you empty the
directory and you will be able to decrypt those.

Stu
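A read-only check for the folder the two posts above point at, added here as an example (it is not code from any participant in the thread). It assumes the layout the posts describe: one subfolder per user under Application Data\Microsoft\Protect, holding the files lsass.exe works through at logon; the threshold of 1,000 files and the sample folder names are constructed for illustration. The files in that folder are the user's DPAPI master keys, which is why emptying it makes earlier EFS files undecryptable as the post warns, so the script only counts and reports and never moves or deletes anything. It also lists files that still carry the NTFS encrypted attribute, which is the same information `cipher /U /N /H` prints.

```python
"""Read-only inventory of a user's Microsoft\\Protect folder (added example)."""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Assumed threshold for illustration: the thread reports 12,000 to 90,000
# files in an affected folder, while a healthy one holds only a handful.
SUSPICIOUS_COUNT = 1000

# NTFS attribute bit for EFS-encrypted files (0x4000); the stat module has
# had the name since Python 3.5, the literal is a fallback.
FILE_ATTRIBUTE_ENCRYPTED = getattr(stat, "FILE_ATTRIBUTE_ENCRYPTED", 0x4000)


@dataclass
class FolderReport:
    name: str            # subfolder name under Protect
    file_count: int
    oldest_mtime: float  # 0.0 when the folder is empty
    newest_mtime: float  # lets you match the burst to the date of the copy

    @property
    def suspicious(self) -> bool:
        return self.file_count >= SUSPICIOUS_COUNT


def inventory_protect(protect_dir: str) -> List[FolderReport]:
    """One report per immediate subfolder of protect_dir, sorted by name."""
    reports: List[FolderReport] = []
    for sub in sorted(Path(protect_dir).iterdir()):
        if not sub.is_dir():
            continue
        mtimes = [f.stat().st_mtime for f in sub.rglob("*") if f.is_file()]
        if mtimes:
            reports.append(FolderReport(sub.name, len(mtimes), min(mtimes), max(mtimes)))
        else:
            reports.append(FolderReport(sub.name, 0, 0.0, 0.0))
    return reports


def is_efs_encrypted(path: str) -> bool:
    """True when the file carries the NTFS encrypted attribute.
    st_file_attributes is only populated on Windows; elsewhere report False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_ENCRYPTED)


def find_encrypted(root: str) -> List[str]:
    """Walk root and return the paths of EFS-encrypted files."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_efs_encrypted(full):
                    found.append(full)
            except OSError:
                pass  # unreadable entry: skip it rather than abort the scan
    return found


def build_sample_tree(base: str, bloated_count: int = 1200) -> str:
    """Construct a fake Protect folder so the script runs offline. Names are
    made up; on a real XP box the subfolder is the user's SID and the files
    inside are GUID-named."""
    protect = Path(base) / "Protect"
    healthy = protect / "S-1-5-21-1111-2222-3333-1001"
    healthy.mkdir(parents=True)
    for i in range(3):
        (healthy / f"{i:08x}-0000-0000-0000-000000000000").write_bytes(b"\x00")
    bloated = protect / "S-1-5-21-1111-2222-3333-1002"
    bloated.mkdir()
    for i in range(bloated_count):
        (bloated / f"{i:08x}-1111-1111-1111-111111111111").write_bytes(b"\x00")
    return str(protect)


def run_demo() -> Dict[str, object]:
    """Build the constructed tree in a temp dir and analyse it."""
    protect = build_sample_tree(tempfile.mkdtemp())
    return {"protect_dir": protect,
            "reports": inventory_protect(protect),
            "encrypted": find_encrypted(protect)}


if __name__ == "__main__":
    # Pass the real path (e.g. %APPDATA%\Microsoft\Protect) as argv[1]; with
    # no argument the constructed sample tree is analysed instead.
    target = sys.argv[1] if len(sys.argv) > 1 else run_demo()["protect_dir"]
    for r in inventory_protect(target):
        flag = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{flag:10} {r.file_count:7d} files  {r.name}")
    print(f"{len(find_encrypted(target))} EFS-encrypted file(s) under {target}")
```

On a real machine run it as the affected user (the folder lives in that user's profile) and, before touching anything, point `find_encrypted` at the drive root rather than the Protect folder so the list covers every file the keys in that folder still protect.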
 
No, I have not experienced that scenario. I usually advise malware and
spyware scans because it always helps to know if the computer in question is
clean or not and I can not make that assumption unless the poster tells me
otherwise. I have never seen using secedit to restore default security
settings cause any system to come to a halt and know of no reason why it
would, though yes, carefully tweaked security settings would be changed if
they had not been documented or implemented in a .inf security template.

What may help is to try running filemon from SysInternals to see if it shows
anything interesting as to what is going on during that period of high CPU
usage. The other thing I would try is to at least backup the user profile
[better yet image the operating system also] and then delete that user
profile via System/advanced/user profiles while logged on as an
administrator. Then logon again to generate a new user profile to see if the
problem persists or not with a new user profile. If it does not you could
then start with a new profile, copy your needed files to it, etc. Of course
be sure to export your EFS certificate private key to a password protected
.pfx file before deleting the user profile. --- Steve
 
I know you think you are being helpful but I strongly suggest you stop giving advice unless you know
what you are talking about. The suggestions you casually toss out would take many hours. Deleting
a user's profile with the intention of recovering it from a backup is not for the faint of heart
even with a system image.

The machine I am having a problem with has two 120GB ATA drives dual booting XP and Linux and a pair
of 250GB SATA drives running as a mirrored pair. It has a DAT tape drive for backup. With all of
that I am not sure I could safely delete and recover a user's entire profile.

Stu

 
I am having exactly the same issue, and am trying to resolve it.
Unfortunately removing all the encrypted files does not solve the
problem, lsass.exe just keeps on running (until it stops). Can anyone
give me any advice on solving this? As said, the CIPHER command shows
no encrypted files.

Also (or maybe connected to the above), I don't understand this part of
your post:
<<remove the contents of the Protect directory (on an XP system the
files are in a directory with a GUID for a name under the Protect
directory)>>

Can you elaborate?
 
Does this happen with all user accounts that you try to logon to or a
specific user account? If it is all user accounts you most likely have some
other issue that could be malware related. Try booting into Safe Mode and
make sure that your computer is clean from malware and spyware [well as
clean as the programs you use can make it]. If you can not logon
successfully to any account in either regular or Safe Mode you may want to
look at using something like Bart's PE to try and clean/repair your
computer. Though I doubt it will help in your case be sure to try last
known good configuration in the alternate startup mode if you can not
logon. --- Steve
 
Then what I would try is to back up needed data [including favorites, address
book, emails] from your user account, export your EFS private key to a
password protected .pfx file if you use EFS, log on as an administrator other
than that account, use system/advanced/user profiles - settings to delete
that profile, and log on as the user again to create a new user profile based on
the default profile to see if that helps or not. If it does, then restore
your data to your new profile. It would also be a good idea to back up your
entire user profile [under documents and settings - username folder and
subfolders] beforehand in case you need parts of it after the fact, and I
would also try using the Files and Settings Transfer Wizard to back up your
profile settings to a file, though restoring that could possibly cause the
problem to occur again. Also, spyware often only affects specific user
accounts, if you have not checked for that yet. --- Steve
 
That is not good news if you have no other user account that is in the local
administrators group. Try booting into Safe Mode to see if that makes a
difference or not. If you have another computer you could try placing your
hard drive into it as a secondary/slave and then backup your data and
manually delete the administrator profile under documents and settings from
the other operating system. Then when you startup again and try to logon as
an administrator a new user profile will be created based on the default
user profile. --- Steve
 
8 yrs on, I hope someone hears me, especially Stewart Berman. Also enjoyed Stewart's strong language towards Steven…

Encountered the same issue a few weeks ago on XP SP2, Pentium 2. The lsass.exe causes 6 hrs of high CPU/HDD activity on a limited user account [90,000 objects inside the GUID], & 40 min of activity on an admin account [12,000 objects inside the GUID]. Concerned about HDD MTTF, capacitors & fan lifetime. The built-in admin is unaffected since no encrypted data was copied via workgroup to its account.

Can’t risk installing SP3.

Question, can I move the GUID directory to somewhere else, then re-move it to the original location at the time of decryption?
 