lsass.exe generating high I/O Reads and Writes, 3 per second continually

    Question

  • Friends I am posting this in Security since lsass.exe deals with services for authentication and my suspicion is that this issue is not about lsass.exe itself but some dependency perhaps peculiar to Lenovo.

    The hardware is a Thinkpad T61 with oem-image of Windows Vista Home Premium. It's been scrubbed, no malware, and tuned well and performs adequately for Vista. The one remaining bug is the one in my Title. I have turned off every authentication-device related service I can find, yet lsass.exe continues to churn away all the time, nonstop, whenever the system is on. By the end of a typical workday it will accumulate in excess of 100,000 I/O Reads/Writes. I have searched exhaustively for answers and despite many threads on the same issue, I have seen no valid answers. In most cases the subject/post is abandoned. I posted this issue on Social/Microsoft-Answers and a respondent suggested I post it here.

    So what could possibly be triggering lsass.exe to perform simultaneously 3 I/O reads and 3 I/O writes per second?  How to remedy?

    I note that this particular model thinkpad did come from the source with numerous security/authentication features. And to repeat myself, all of the services related thereto that I can identify are turned OFF at this point.

    I note in passing that neither CPU usage nor Memory allocation for lsass.exe is excessive or abnormal.

    I also note in passing that on my own personal thinkpad running Win7, lsass.exe is dormant once I'm logged in.  The I/O count is trivial.

    Thanks for any direction you can provide.

    Thursday, December 08, 2011 10:36 PM

Answers

  • Hi techwest,

    First of all I would like to introduce you to lsass.exe before I go further.

    lsass.exe is an extremely important system process of the Microsoft Windows operating system that handles what are known as ‘local security’ matters and issues. More specifically, it deals with handling the processes behind your initial logon on to your PC. It basically verifies the validity of user logons to your PC/Server.

    If, however, the problems that you are encountering with the lsass.exe program are not infection related, then you need to take a different approach. Assuming that the problem lies within the functionality of the Windows operating system itself, then you might want to think first about any new programs that have recently been installed. Unless they are critical, try uninstalling them to see whether this fixes the problem. For more info on How to Fix lsass.exe click here.

    • Marked as answer by Sabrina Shen Wednesday, December 21, 2011 6:28 AM
    Thursday, December 15, 2011 1:25 PM

All replies

  • Mine has millions, so what?
     
    • Proposed as answer by David J. Manley Saturday, January 21, 2012 11:05 PM
    • Unproposed as answer by David J. Manley Saturday, January 21, 2012 11:05 PM
    Monday, December 12, 2011 7:51 AM
  • You may find that the act of running "Task Manager" is causing the 3 I/O reads/writes.

    On the assumption that you have tried other approaches without success e.g.

    a) Disabling the Terminal Services service

    b) Turning off the polling of optical drives (see http://forums.techguy.org/windows-xp/577417-solved-why-does-lsass-exe.html)

    try the following diagnosis approach. It may reveal the cause.

    1) A prerequisite is that you have installed Process Monitor (cf. sysinternals.com).

    2) Invoke "Task Manager". Try to be running as few other programs as possible (e.g. copy this text into notepad and close your browser).

    3.0) Invoke "Process Monitor" (procmon.exe).

    3.1) Set the Process Monitor filter to "include" where the "Process Name" is lsass.exe or csrss.exe.

    3.2) Turn off capturing events (menu item File/Capture Events should be unticked).

    3.3) Clear the display (menu Edit/Clear Display or CTRL+X).

    3.4) Turn on capturing events (menu item File/Capture Events or CTRL+E).

    3.5) Wait for 10 seconds or so.

    3.6) Turn off capturing events (menu item File/Capture Events or CTRL+E).

    3.7) Examine the output. It will probably show repeated calls to "RegOpenKey", "RegQueryKey" and "RegCloseKey" against the registry's HKLM\Security\Policy tree (and sub-tree). Scroll to the bottom of the listed events to confirm that they are occurring repeatedly. You should also see the occasional "Process Profiling" event.

    4.0) Close "Task Manager".

    5.0) In "Process Monitor", repeat steps 3.3 through 3.5 i.e.

    5.1) Clear the display (menu Edit/Clear Display or CTRL+X).

    5.2) Turn on capturing events (menu item File/Capture Events or CTRL+E).

    5.3) Wait for 10 seconds or so.

    5.4) Examine the output. There should be a substantial reduction of calls to "RegOpenKey", "RegQueryKey" and "RegCloseKey" against the registry's HKLM\Security\Policy tree (and sub-tree) after an initial few. Scroll to the bottom of the listed events. You should see mainly "Process Profiling" events.

    5.5) Invoke "Task Manager" again.

    5.6) The calls to "RegOpenKey", "RegQueryKey" and "RegCloseKey" should start appearing more frequently in the event list.

    5.7) Turn off capturing events (menu item File/Capture Events or CTRL+E).

    5.8) Exit "Process Monitor"

    If you are seeing the behaviour as described above, the evidence implies that the I/O reads are as a direct result of "Task Manager" running. N.B. other processes may result in these events being recorded, so it is helpful to suspend or terminate them while the diagnosis is conducted. For example, I usually run BOINC Manager and "snoozed" it while undertaking my diagnosis.

    It would be helpful (for me and others) to know whether or not this is the cause of your problem, so please reply if you get the chance.

    Regards,

    David

    • Proposed as answer by David J. Manley Saturday, January 21, 2012 11:41 PM
    • Edited by David J. Manley Sunday, January 22, 2012 12:20 AM Minor typo corrections
    Saturday, January 21, 2012 11:40 PM
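
The comparison in the procedure above can be made numeric by saving each capture from Process Monitor as CSV and counting the lsass.exe registry events under HKLM\SECURITY\Policy. This is an added example, not code from the thread; it assumes Process Monitor's default export columns, a 10-second capture, and a hypothetical 5x threshold for a "substantial" drop, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Column names are Process Monitor's default CSV export columns (assumed unchanged).
REG_OPS = ("RegOpenKey", "RegQueryKey", "RegCloseKey")
POLICY_ROOT = "HKLM\\SECURITY\\POLICY"


def policy_events(csv_text, process="lsass.exe"):
    """Count open/query/close events by `process` under HKLM\\SECURITY\\Policy."""
    counts = Counter()
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))  # drop BOM if present
    for row in reader:
        if row["Process Name"].lower() != process:
            continue
        if row["Operation"] in REG_OPS and row["Path"].upper().startswith(POLICY_ROOT):
            counts[row["Operation"]] += 1
    return counts


def compare_captures(with_taskmgr, without_taskmgr, seconds=10.0, ratio=5.0):
    """Compare the step 3 capture (Task Manager open) with the step 5 capture (closed).

    `seconds` is the capture length from the procedure; `ratio` is an assumed
    threshold for calling the reduction "substantial".
    """
    open_rate = sum(policy_events(with_taskmgr).values()) / seconds
    closed_rate = sum(policy_events(without_taskmgr).values()) / seconds
    driven = open_rate > 0 and open_rate >= ratio * closed_rate
    return {"open_per_s": open_rate, "closed_per_s": closed_rate,
            "taskmgr_driven": driven}


def make_sample(polls):
    """Constructed sample export: `polls` open/query/close triples plus unrelated rows."""
    rows = ['"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
            '"9:00:00.0000000 AM","lsass.exe","612","Process Profiling","","SUCCESS",""',
            '"9:00:00.1000000 AM","csrss.exe","540","RegOpenKey","HKLM\\System","SUCCESS",""']
    for i in range(polls):
        for op in REG_OPS:
            rows.append(f'"9:00:{i % 10:02d}.5000000 AM","lsass.exe","612","{op}",'
                        '"HKLM\\SECURITY\\Policy\\SecDesc","SUCCESS",""')
    return "\n".join(rows)


if __name__ == "__main__":
    print(compare_captures(make_sample(30), make_sample(2)))
```

If the two rates come out similar, Task Manager is not the source of the polling and another process that stays running during both captures is the next thing to suspend and retest.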
  • I have the same issue with very slow computer (XP SP3) and most I/O writes going to lsass.exe. I performed the above comparison and it does not appear that taskmgr is responsible for them.
    Friday, February 17, 2012 10:48 PM
  • So a quick sanity check. Can you confirm

    a) what the "Status" and "Startup type" values are for the "Terminal Services" service (accessed via Start/Control Panel/Administrative Tools/Services)

    b) what is the value of the registry key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom\Autorun" 

    David

    Saturday, February 18, 2012 9:12 AM