lsass.exe continuously reading and writing disk

[Guest]

Is is correct for lsass.exe to be continuously reading and writing my hard
disk? Task Manager says it performs about 3 I/O reads and 3 I/O writes about
every second.

By the way, I know there is a virus isass.exe and this definitely is
Lsass.exe.

 

[Kelly]

More info:
http://www.google.com/search?hl=en&q=Lsass.exe&btnG=Google+Search
--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

 

[Guest]

Thanks, Kelly, but I had already read those google search posts. None of
them tell me if it is normal for lsass to be doing this continuous reading
and writing.

What is it doing? If it's not doing anything useful then I'd like to stop
it if I can.

 

[Uncle Grumpy]

If it's not doing anything useful then I'd like to stop
it if I can.

http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

 

[Guest]

Thanks, Uncle. I've done the scans and repairs but still lsass just keeps on
chunking away with I/O reads and writes continuously all day long.

Does it do the same for you. What I'd really like to know is if it is
supposed to be doing these reads and writes.

 

[Uncle Grumpy]

Does it do the same for you. What I'd really like to know is if it is
supposed to be doing these reads and writes.

Actually, I've no idea if it's doing that or not. Nothing has come to
my attention to indicate that it is.

I assume you've run all the checks to see if it's the trojan, or the
real thing?

 

[Guest]

Yes, I've checked it several ways and it is not a Trojan.

If you would bring up Task Manager and set it to view I/O Reads and Writes

 

[Uncle Grumpy]

Yes, I've checked it several ways and it is not a Trojan.

Then move on.

 

[Guest]

Will ANYONE tell me if it is normal for lsass.exe to be continuously reading
and writing to disk. Please don't ask me anymore about trojans.

Somebody please tell me if lsass.exe is continuously reading and writing on
your machine.

 

[Uncle Grumpy]

Will ANYONE tell me if it is normal for lsass.exe to be continuously reading
and writing to disk.

OK. It's normal.

Move ****ing on.

 

[Ian D]

Yes, I've checked it several ways and it is not a Trojan.

If you would bring up Task Manager and set it to view I/O Reads and Writes
on the View menu and checkout lsass.exe and see if yours is continuously
reading and writing I would appreciate it very much.

I started Process Explorer and monitored the lsass.exe properties.
Lsass.exe showed 0 I/O activity except when actual disk or
network transactions occurred, and that was just for short bursts.
Lsass.exe was using 3.6 MB of private memory for itself.

 

[Guest]

Thank you very much Ian. Now I know that something is wrong on my machine.

I hope that someone can give me a clue about what I should do about it.

 

[Guest]

Does the following provide any clues for anyone to help me?

Process Monitor gives me the following for File System activity:
QueryOpen C:\WINDOWS\Temp SUCCESS 8:04:06.2297603 AM
QueryOpen C:\WINDOWS\Temp SUCCESS 8:04:06.2299930 AM
QueryOpen C:\AUTOEXEC.BAT SUCCESS 8:04:06.2320563 AM
CreateFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2322141 AM
QueryNameInformationFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2323871 AM
QueryNameInformationFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2324701 AM
QueryStandardInformationFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2325530 AM
ReadFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2326251 AM
CloseFile C:\AUTOEXEC.BAT SUCCESS 8:04:06.2327027 AM
QueryOpen C:\Documents and Settings\Jim Slager\Local
Settings\Temp SUCCESS 8:04:06.2330052 AM
CreateFile C:\ SUCCESS 8:04:06.2330609 AM
QueryDirectory C:\Documents and Settings SUCCESS 8:04:06.2330942 AM
CloseFile C:\ SUCCESS 8:04:06.2331320 AM
CreateFile C:\Documents and Settings SUCCESS 8:04:06.2332447 AM
QueryDirectory C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2332809 AM
CloseFile C:\Documents and Settings SUCCESS 8:04:06.2333293 AM
CreateFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2334423 AM
QueryDirectory C:\Documents and Settings\Jim Slager\Local
Settings SUCCESS 8:04:06.2334802 AM
CloseFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2335185 AM
QueryOpen C:\Documents and Settings\Jim Slager\Local
Settings\Temp SUCCESS 8:04:06.2337106 AM
CreateFile C:\ SUCCESS 8:04:06.2337617 AM
QueryDirectory C:\Documents and Settings SUCCESS 8:04:06.2337937 AM
CloseFile C:\ SUCCESS 8:04:06.2338285 AM
CreateFile C:\Documents and Settings SUCCESS 8:04:06.2339383 AM
QueryDirectory C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2339725 AM
CloseFile C:\Documents and Settings SUCCESS 8:04:06.2340075 AM
CreateFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2341195 AM
QueryDirectory C:\Documents and Settings\Jim Slager\Local
Settings SUCCESS 8:04:06.2341547 AM
CloseFile C:\Documents and Settings\Jim Slager SUCCESS 8:04:06.2341910 AM

This is the file system activity for 1 minute except there are 4 more
activities that are much wider and I'll hack them up like this:

CreateFile * SUCCESS 8:04:06.2349316 AM
QueryNameInformationFile * BUFFER OVERFLOW 8:04:06.2351441 AM
QueryNameInformationFile * SUCCESS 8:04:06.2352507 AM
CloseFile * SUCCESS 8:04:06.2353459 AM

 

[Guest]

I just wanted to let you know that I am having THE EXACT SAME problem. I have
a Microsoft Support incident open on this issue and it has been escalated to
the second level (whatever that means). I will let you know when I find the
answer.

In the mean time, check out SysInternals for the Filemon, Regmon and
ProcessMonitor utilities that Microsoft has referred me to and that we will
be using to troubleshoot this problem.

Hang in there. I know you are probably pulling you hair out as I am.

 

[Guest]

Much thanks! I would be so happy if you can figure out a fix and pass it on
to me. I spent an hour or so on the phone with Dell and they were useless.

 

[Guest]

I am reading the help files of the utilities that MS referred me to. Then I
am going to track this problem with MS's help. It is driving me crazy and my
hard disk is taking a beating.

You must of had fun on the phone with Dell. I have watched some videos of
tech support calls to Dell on PC Pitstop's "Hall of Shame" webpage. They
sound either rude, totally out of touch or they have such a heavy accent that
you can't understand what they are saying.

 

[Guest]

After an almost endless runaround all they could come up with was to search
the web for anti-virus programs. It was totally worthless.

 

[Code-Curious Mom]

Although a web search turns up a slew of possibities, at least one forum
post suggests this may be normal. According to a post at
http://help.wugnet.com/windows/lsass-exe-ftopict570536.html
it is normal activity for the "terminal services" service. I tried
disabling the service and rebooting (the only way to stop it AFAIK) and the
constant I/O stopped. Disabling it seems to cause no problem here, but
check
http://www.blackviper.com/WinXP/Services/Terminal_Services.htm
to see if you might need it running.
If you come up with something else via the MS route, let us know.

 

[Guest]

Grok,

I have noticed some things using ProccessMonitor that would lead to
troubleshooting taking several different paths. To try to narrow things down
please check the following and answer the questions:

1) Using Windows Explorer, look in C:\Documents and Settings\(User Name)\.
Watch the file size of ntuser.dat.LOG (You may have to adjust your Folder
Options from Control Panel to Show hidden and system files). Does the size of
this file change as you just watch it from Windows Explorer? Do you get an
error when you right-click and try to Open it (it's just a text file)?

2) Do you have any Logitech hardware?

3) Do you have any HP hardware?

4) Do you have any of the MS Office 2007 suites installed?

5) Have you ever run RegCure, PC Pitstop Optimize or TuneUp RegistryCleaner?

 

[Guest]

Hi,

Thanks for your input.

One of the first things I did when I heard my hard disk churning away was to
shut down Terminals Services. Unfortunately, that had no effect at all.

I am open to any and all other ideas you or anyone else reading this post
might have.