Need Help. Lsass.exe uploading at full capacity

  • Question

  • I am desperate as I don't know what to do. lsass.exe is uploading at my full capacity, so my internet access is unusable. I checked it via a virus scan and did an sfc /scannow, and it came up clean. I cannot stop the service, for obvious reasons. What should I look at to fix this issue? Any help is appreciated. Thank you

    OS: Windows Server 2012 R2

    • Edited by Frank Pirr Friday, October 14, 2016 3:12 PM
    Friday, October 14, 2016 3:11 PM

Answers

  • It started at the same time for me....

    Go to windows firewall > Inbound Rules > Active Directory Domain Controller - LDAP (UDP-in) and change the connection to "Allow the connection if it is secure" 

    • Marked as answer by Frank Pirr Friday, October 14, 2016 7:04 PM
    Friday, October 14, 2016 7:03 PM

All replies

  • lsass.exe is uploading at my full capacity

    I'd try a Safe Mode boot. What roles / application are installed? I'd also look at what is being uploaded and to where. Understanding these may help you resolve the issue.
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Friday, October 14, 2016 3:16 PM
  • I tried a safe mode boot to run sfc. I will try again to run with Networking. As for roles:

    AD DS

    DNS

    File and Storage Services

    IIS

    Remote Access

    Local Server

    How do I determine where it is being uploaded to? That is what I am really trying to figure out. Thank you

    Friday, October 14, 2016 3:21 PM
  • Just ran Safe Mode with Networking and have the exact same issue.

    How do I determine what is being uploaded? Thank you

    Friday, October 14, 2016 3:25 PM
  • You may be able to use Wireshark or Network Monitor. It isn't recommended to mix the Active Directory Domain Services role with other applications like that. If you can't figure it out, you could stand up a new one, patch it fully, join the existing domain, promote it and migrate the FSMO roles over. You could also install the Hyper-V role on the host, then AD DS on one VM and the applications on other VMs.
    Friday, October 14, 2016 3:28 PM
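One way to answer "where is it being uploaded to" without a packet capture, as an added PowerShell example that is not from this thread: the Windows Firewall log records every allowed UDP 389 packet in and out, so grouping it by remote address shows which hosts receive the replies and how much larger the replies are than the queries that triggered them. It assumes allowed-connection logging was switched on first (`Set-NetFirewallProfile -Profile Public -LogAllowed True`) and that the log sits at the default path; the sample lines embedded below are constructed, not captured traffic.

```powershell
# Added example, not from the thread: group UDP 389 traffic seen in the Windows
# Firewall log by remote host, showing query bytes in versus reply bytes out.
# Assumes allowed-connection logging is on, e.g.:
#   Set-NetFirewallProfile -Profile Public -LogAllowed True
function Get-Udp389Talkers {
    param(
        [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [string[]]$Lines              # optional: log lines passed directly
    )
    if (-not $Lines) { $Lines = Get-Content -Path $LogPath }
    # pfirewall.log layout: date time action protocol src-ip dst-ip src-port dst-port size ...
    $records = $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Proto   = $f[3]; SrcIp = $f[4]; DstIp = $f[5]
                SrcPort = [int]$f[6]; DstPort = [int]$f[7]; Bytes = [int]$f[8]
            }
        } |
        Where-Object { $_.Proto -eq 'UDP' -and ($_.SrcPort -eq 389 -or $_.DstPort -eq 389) }
    # Replies leave from port 389 (remote = DstIp); queries arrive at port 389 (remote = SrcIp).
    $records |
        Group-Object { if ($_.SrcPort -eq 389) { $_.DstIp } else { $_.SrcIp } } |
        ForEach-Object {
            $in  = [int]($_.Group | Where-Object DstPort -eq 389 | Measure-Object Bytes -Sum).Sum
            $out = [int]($_.Group | Where-Object SrcPort -eq 389 | Measure-Object Bytes -Sum).Sum
            $amp = if ($in) { [math]::Round($out / $in, 1) } else { 0 }
            [pscustomobject]@{
                RemoteIp      = $_.Name
                QueryBytesIn  = $in
                ReplyBytesOut = $out
                Amplification = $amp
            }
        } | Sort-Object ReplyBytesOut -Descending
}

# Constructed sample lines (not captured traffic). The first remote host sends a tiny
# query and gets a large reply: the reflection pattern this thread is about.
$sample = @(
    '2016-10-14 14:01:01 ALLOW UDP 198.51.100.7 192.0.2.10 53211 389 52 - - - - - - - RECEIVE',
    '2016-10-14 14:01:01 ALLOW UDP 192.0.2.10 198.51.100.7 389 53211 2950 - - - - - - - SEND',
    '2016-10-14 14:01:02 ALLOW UDP 192.0.2.25 192.0.2.10 49200 389 60 - - - - - - - RECEIVE',
    '2016-10-14 14:01:02 ALLOW UDP 192.0.2.10 192.0.2.25 389 49200 180 - - - - - - - SEND'
)
Get-Udp389Talkers -Lines $sample | Format-Table -AutoSize
```

Run it without `-Lines` on the DC to read the real log; a remote address outside your subnets with a high Amplification value is a host that is being made to receive your reflected replies, not one of your clients.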
  • I downloaded Wireshark but am still trying to figure it out. Is there any way to limit the bandwidth for LSASS for uploads?
    Friday, October 14, 2016 3:55 PM
  • It may depend on the process, but you could possibly block the ports on your internet device.

     https://msdn.microsoft.com/en-us/library/cc875824.aspx?f=255&MSPPError=-2147217396
    Friday, October 14, 2016 4:00 PM
  • Hi Frank. Did you have any luck fixing this? I am having the exact same problem!

    Problem seemed to start yesterday afternoon (10/13/16 around 2-3PM PST). I run three servers at three different branch offices. All Windows Server 2012 R2.

    All of them seem to be consuming most or all upload bandwidth with lsass.exe. This seemed to start out of nowhere! I am trying to narrow it down now but it is very frustrating. Please post if you figured anything out. There doesn't seem to be a lot of info online for this specific issue.

    Friday, October 14, 2016 6:55 PM
  • Thank you for your help. You helped me figure out to block UDP 389 on my router and that fixed my issue. Many thanks!!!!!
    Friday, October 14, 2016 6:56 PM
  • Good to hear it helps, you're welcome.
    Friday, October 14, 2016 6:58 PM
  • Actually, that took down my website. I changed it to only allow secure connections via Windows Firewall. That seems to have fixed it!
    Friday, October 14, 2016 7:01 PM
  • Let me know if you need any more help Sabin
    Friday, October 14, 2016 7:10 PM
  • Thank you! That seemed to fix the problem, although I had to do a little more to get it fixed.

    I actually had to block port 389 for both TCP and UDP. That fixed it 100%. When I set it to "Allow the connection if it is secure", it seemed to help for a minute, but then the problem returned. Also it seems like blocking TCP was what really helped the most.

    However now I am having problems with my clients accessing Active Directory, so I am trying to figure out how to handle this. And what I still don't know is why this started happening all of a sudden!

    I am definitely not an expert in this field, so I do a lot by trial and error, but port 389 did ring a bell. I run an off-site WordPress site for our employees that uses an LDAP authentication plugin to sync their Windows logins with WordPress. It has been working great for months. But it does sync to Active Directory on our server on-site at the office through port 389. I am guessing that could be causing issues too. However, it's not a public site and employees must log in to use it, but I guess that doesn't matter if it was an Apache attack or something. (I'm probably not using the right terms.)

    Anyway if you have any more suggestions or solutions, please let me know. I am thinking at the router level I can manually add the IPs for my local subnets on port 389, and the single static IP for my off-site Wordpress site, and then block all other IPs on port 389. Maybe that will help...

    Friday, October 14, 2016 7:40 PM
  • Success! I was able to fix it now 100% without blocking port 389. In fact, I have Windows Firewall set back to "Allow All Connections" and no more lsass.exe problems.

    It seems the problem was caused by my careless port forwarding on my router of port 389. I had it set to unrestricted port forwarding of port 389 to my server on all TCP and UDP ports. Yikes!

    I changed it to port forward on port 389 only for one single IP, that of my off-site Wordpress site. That seemed to do the trick. Thank you again so much for your help Frank!

    Friday, October 14, 2016 8:08 PM
  • Thank you! I had experienced lsass.exe sending massive amounts of data on Windows Server 2012 R2 with no apparent changes made to the server.

    This firewall setting brought it down from over 1,000,000+ B/sec to 22 B/sec.

    You have made me very happy :)  :)

    Sunday, March 18, 2018 4:41 PM
  • Whilst I don't understand the impact of setting this "Allow the connection if it is secure" value, I can verify that this immediately reduced my outbound lsass.exe traffic by about 90%.

    Thanks!

    Tuesday, April 10, 2018 11:43 PM
  • lsass.exe was using 4 TB of bandwidth in one month. It was running very small in the background and executing high during the night. It looks like a crypto miner. I did the same rule on inbound and that brought it down. But I found dns.exe also doing the same. So I blocked all UDP and left the ports we required. Really good work guys.
    Monday, April 30, 2018 12:09 PM
  • Thanks, it worked for me.
    Wednesday, June 6, 2018 1:26 PM
  • Thanks a lot, it worked for me.

    Windows Server 2016

    Tuesday, July 10, 2018 4:03 PM
  • Hello Frank, I have exactly the same problem. I tried many antiviruses, malware tools, etc., but still lsass.exe is uploading almost all bandwidth. When I close port 389, the problem is solved. BUT I don't want to close this port or this process. Is there any solution for how to cure this virus infection??? Thank you
    Saturday, July 28, 2018 7:22 PM
  • Awesome. Really helped me to sort out the issue.

    Thanks buddy:)

    Wednesday, August 29, 2018 5:58 AM
  • This one was the best for me:

    SabinVI wrote:

    I actually had to block port 389 for both TCP and UDP. That fixed it 100%. When I set it to "Allow the connection if it is secure", it seemed to help for a minute, but then the problem returned. Also it seems like blocking TCP was what really helped the most.

    Thanks a lot to all for this thread.

    Friday, October 19, 2018 10:40 AM
  • <!-- Go to windows firewall > Inbound Rules > Active Directory Domain Controller - LDAP (UDP-in) and change the connection to "Allow the connection if it is secure" -->

    This will greatly impact any other authentication requests on the network.  Instead, go to Advanced tab and uncheck Public.  This will stop the high bandwidth issue but still allow local authentication to function properly.

    Wednesday, November 7, 2018 12:49 PM
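The two scoped fixes from this thread, Ken's "uncheck Public" and Sabin's "only local subnets plus one off-site address", expressed as an added PowerShell example (not from this thread) that narrows the built-in rule rather than blocking port 389 outright, so domain clients keep authenticating. The address 203.0.113.10 is a placeholder for the single off-site host that is allowed to query LDAP; replace it with your own.

```powershell
# Added example, not from the thread: scope the built-in UDP 389 rule instead of
# blocking the port, so domain clients keep authenticating.
# 203.0.113.10 is a placeholder for the one off-site host that may query LDAP.
$ruleName = 'Active Directory Domain Controller - LDAP (UDP-In)'

function Show-LdapUdpRuleScope {
    $rule = Get-NetFirewallRule -DisplayName $ruleName
    $addr = $rule | Get-NetFirewallAddressFilter
    "profiles=$($rule.Profile)  remote=$($addr.RemoteAddress -join ',')"
}

"Before: $(Show-LdapUdpRuleScope)"

# 1. Ken's fix: stop answering on the Public profile (the internet-facing NIC),
#    keep the rule active for Domain and Private networks.
Set-NetFirewallRule -DisplayName $ruleName -Profile 'Domain,Private'

# 2. Sabin's fix, done in Windows Firewall rather than on the router: only local
#    subnets plus the single known external host may reach UDP 389.
Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress LocalSubnet,203.0.113.10

# (The GUI's "Allow the connection if it is secure" is -Authentication Required;
#  it also stops unauthenticated reflection queries, but as Ken notes it affects
#  every client that has no IPsec policy, which is why it is not used here.)

# 3. Log whatever still hits the Public profile so the sources can be reviewed.
Set-NetFirewallProfile -Profile Public -LogBlocked True

"After:  $(Show-LdapUdpRuleScope)"
```

If the router still forwards port 389 from the internet to the DC, as in Sabin's case, remove or restrict that forward as well; the firewall rule only helps for packets that reach the server.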
  • Ken thank you!  I have been suffering through authentication requests for a month trying to figure out how to solve this!  I will get my first good night's sleep tonight.

    Friday, November 9, 2018 2:09 AM
  • Thank you, very useful!
    Tuesday, November 20, 2018 6:19 AM
  • I solved a similar issue by blocking the following ports

    TCP 88,445,464,389,636,3268,3269

    UDP 445,464,389,636

    Also, try changing the Remote Desktop default port 3389, to avoid brute-force logins to your server.

    Wednesday, November 21, 2018 9:58 AM
  • This is a CLDAP DDoS attack

    https://www.akamai.com/uk/en/resources/our-thinking/threat-advisories/connection-less-lightweight-directory-access-protocol-reflection-ddos-threat-advisory.jsp

    Sunday, February 3, 2019 1:17 PM
  • It started at the same time for me....

    Go to windows firewall > Inbound Rules > Active Directory Domain Controller - LDAP (UDP-in) and change the connection to "Allow the connection if it is secure" 


    Thanks, it helped for me.
    Saturday, February 16, 2019 6:21 AM
  • Hi,

    I also have the problem that «LSASS.EXE» is sending data at full bandwidth.

    My machine is the domain server for a small network running Server 2016 with Symantec Endpoint Protection.

    Symantec Endpoint Protection is just a test version to evaluate; maybe I will uninstall it, since it is too expensive for such a small network and it did not help to solve this problem.

    My knowledge is not the best concerning such things and my English could also be better.

    I tried to follow your discussion, but I’m a little confused. What is now the solution of that problem? Maybe I need a simple step by step how-to.

    If you need more information to analyze this strange behavior let me know.

    Thanks,
    Klaus

    Sunday, February 24, 2019 12:51 PM