P
Philip Herlihy
(Thanks for looking!)
I have a friend's machine (running XP Home, fully patched) which is unusably
slow. I can see that LSASS.exe together with one instance of SVCHOST.exe
are effectively using all CPU resources. I've run updated versions of:
# Norton Antivirus
# McAfee Stinger
# Panda Online scan
# Trend Micro Online scan
# Adaware
# Spybot
... and although a few nasties were removed, the problem remains.
I've downloaded the (excellent) Process Explorer from Sysinternals.com.
I've found that if I suspend that one SVCHOST instance, the LSASS process
goes quiet. Looking inside the SVCHOST I can see that the thread
TERMSRV.dll appears to be accounting for the activity, and if I selectively
kill that thread, the machine goes back to normal.
I've studied the registry keys:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
... but my untutored eye can't spot anything wrong.
A typical stack trace of the TERMSRV thread is:
ntdll.dll+0x8090304
RPCRT4.dll!I_RpcTransGetThreadEvent+0x9d7
RPCRT4.dll!I_RpcTransGetThreadEvent+0x147b
RPCRT4.dll!NdrContextHandleInitialize+0x82e
RPCRT4.dll!I_RpcTransGetThreadEvent+0x5d0
RPCRT4.dll!I_RpcTransGetThreadEvent+0x557
RPCRT4.dll!I_RpcTransGetThreadEvent+0x3bc
RPCRT4.dll!I_RpcTransGetThreadEvent+0x2f6
RPCRT4.dll!I_RpcTransGetThreadEvent+0x26f
RPCRT4.dll!I_RpcSendReceive+0x1f
ADVAPI32.dll!LsaRetrievePrivateData+0xdf
termsrv.dll+0x201d9
termsrv.dll+0x20428
termsrv.dll+0xd1fc
kernel32.dll!RegisterWaitForInputIdle+0x43
I thought I was a smart geezer, but this one has me beaten. Next step is a
format and reinstall, unless someone has an idea.
I have a friend's machine (running XP Home, fully patched) which is unusably
slow. I can see that LSASS.exe together with one instance of SVCHOST.exe
are effectively using all CPU resources. I've run updated versions of:
# Norton Antivirus
# McAfee Stinger
# Panda Online scan
# Trend Micro Online scan
# Adaware
# Spybot
... and although a few nasties were removed, the problem remains.
I've downloaded the (excellent) Process Explorer from Sysinternals.com.
I've found that if I suspend that one SVCHOST instance, the LSASS process
goes quiet. Looking inside the SVCHOST I can see that the thread
TERMSRV.dll appears to be accounting for the activity, and if I selectively
kill that thread, the machine goes back to normal.
I've studied the registry keys:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
... but my untutored eye can't spot anything wrong.
A typical stack trace of the TERMSRV thread is:
ntdll.dll+0x8090304
RPCRT4.dll!I_RpcTransGetThreadEvent+0x9d7
RPCRT4.dll!I_RpcTransGetThreadEvent+0x147b
RPCRT4.dll!NdrContextHandleInitialize+0x82e
RPCRT4.dll!I_RpcTransGetThreadEvent+0x5d0
RPCRT4.dll!I_RpcTransGetThreadEvent+0x557
RPCRT4.dll!I_RpcTransGetThreadEvent+0x3bc
RPCRT4.dll!I_RpcTransGetThreadEvent+0x2f6
RPCRT4.dll!I_RpcTransGetThreadEvent+0x26f
RPCRT4.dll!I_RpcSendReceive+0x1f
ADVAPI32.dll!LsaRetrievePrivateData+0xdf
termsrv.dll+0x201d9
termsrv.dll+0x20428
termsrv.dll+0xd1fc
kernel32.dll!RegisterWaitForInputIdle+0x43
I thought I was a smart geezer, but this one has me beaten. Next step is a
format and reinstall, unless someone has an idea.