lsass.exe uses huge amount of bandwidth

    Question

  • Hi,

    We recently started to receive notices from our server hosting provider that an excessive amount of bandwidth is being used within an hour. I then downloaded NetBalancer to see what service is using the bandwidth. It showed lsass.exe, Service Traffic and svchost.exe as using a huge amount of bandwidth.

    Not sure why these services are using so much bandwidth, basically need to know if it is normal/necessary and if not how to fix it.

    Your assistance would be appreciated.

    Monday, December 5, 2016 2:08 PM

All replies

  • NickeyO,

    Did you deploy a domain controller to your hosting provider? How many other domain controllers do you have in your infrastructure?

    If this is a domain controller, high usage of lsass is (relatively) normal depending on the size of your environment and across however many domain controllers you have in your infrastructure. Also, if this DC is a FSMO role holder, esp. the PDC, you're likely to see higher-than-average utilization of lsass.


    Ron Arestia, MCSE Server Infrastructure & Cloud Platform and Infrastructure

    Monday, December 5, 2016 2:58 PM
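
An added example, not part of any reply in this thread: one way to see which remote hosts hold connections to lsass.exe and whether they arrive on the directory service ports a domain controller exposes. The port table and the `Test-PrivateAddress` helper are assumptions of this example, and it counts connections, not bytes.

```powershell
# Run in an elevated PowerShell session on Windows Server 2012 or later.

# Ports lsass.exe normally listens on when the machine is a domain controller.
$dcPorts = @{
    88   = 'Kerberos'
    389  = 'LDAP'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (SSL)'
}

# Hypothetical helper: true for loopback, link-local and private address ranges.
function Test-PrivateAddress {
    param([string]$Address)
    return $Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' -or
           $Address -match '^(::1$|fe80:|f[cd][0-9a-f]{2}:)'
}

$lsassPid = (Get-Process -Name lsass).Id

# Group established connections owned by lsass.exe by peer and local port.
Get-NetTCPConnection -OwningProcess $lsassPid -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress, LocalPort |
    ForEach-Object {
        $first = $_.Group[0]
        $port  = [int]$first.LocalPort
        [pscustomobject]@{
            RemoteAddress = $first.RemoteAddress
            LocalPort     = $port
            Service       = if ($dcPorts.ContainsKey($port)) { $dcPorts[$port] } else { 'other/RPC' }
            Connections   = $_.Count
            # Peers outside private ranges reaching directory ports deserve a closer look.
            External      = -not (Test-PrivateAddress $first.RemoteAddress)
        }
    } |
    Sort-Object Connections -Descending |
    Format-Table -AutoSize
```

Rows with `External` set to `True` on a directory service port show peers outside the private network talking to the directory service, which a firewall rule at the hosting provider can restrict.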
  • Hi Ron

    Thank you for your reply.

    If I go to Active Directory Users and Computers and select Domain Controllers, only the server is listed, with the Server Name, Type is Computer, DC Type is GC and Site is Default-First-Site-Name.

    Note we have 6 users including the Administrator accessing the server using Remote Desktop. They work on a construction management software application and each user uses his own account. The users are also set up on the construction software separately and everything is working fine. Note even on weekends or evenings when no one is logged in we still receive these usage burst notifications. Also, we do not host our website or email on this server.

    The bandwidth use is now exceeding 15GB, which does not seem normal. It would use this excessive amount of bandwidth, then nothing at all for a couple of weeks, then start running again, so it seems like it is not constant but almost like an update.

    I would like to send a screenshot, but according to Microsoft I cannot send images till my account is verified. In my account the email and mobile number are verified; however, the Microsoft account issue is not a priority right now and is for another thread.


    • Edited by NickeyO Tuesday, December 6, 2016 7:06 AM
    Tuesday, December 6, 2016 6:51 AM
  • Hi,
    As far as I know, Windows updates using Background Intelligent Transfer Service (BITS) may also use svchost.exe to eat most of the bandwidth. You could test this by disabling Windows updates or disabling the BITS service, then see if the bandwidth is released or not. Then please enable them back.
    But Microsoft doesn't suggest disabling Windows updates, since Windows operating system updates/security updates will protect your PC from known vulnerabilities that are discovered from time to time. The suggestion is just meant as a test to try to find out the cause.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, December 6, 2016 8:51 AM
    Moderator
  • Hi Wendy,

    I am not comfortable disabling Windows Update. Also, the biggest bandwidth user is lsass.exe using 15.6GB and Service Traffic 14.9GB, svchost.exe only used 0.9GB, also shows as uploaded.

    Thanks

    Nico

    Tuesday, December 6, 2016 11:43 AM
  • Hi Wendy,

    Have disabled Windows updates to check if it releases the bandwidth, but there is still an excessive amount of bandwidth being used.

    Wednesday, December 7, 2016 5:14 AM
  • Hi,

    Did you or the users suffer performance issues caused by the high bandwidth usage? And have you scanned the system for viruses?

    In addition, you could follow the article below on troubleshooting Lsass.exe high CPU usage and give it a try:

    http://setspn.blogspot.sg/2014/09/active-directory-lsassexe-high-cpu-usage.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy



    Friday, December 9, 2016 5:42 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers. If you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Monday, December 12, 2016 8:26 AM
    Moderator
  • Hi Wendy

    Apologies for the late reply. Yes, it is affecting performance. Just installed Symantec End Point and did a scan, the scan quarantined Remacc.Ammyy, which I deleted.

    Will also follow the steps in the article and will let you know of the outcome.

    Thanks,

    Nico

    Thursday, December 15, 2016 7:27 PM
  • Hi Nico,
    OK, if you have any questions, please feel free to contact us. We appreciate your feedback.
    Best regards,
    Wendy


    Tuesday, December 20, 2016 1:45 AM
    Moderator