lsass.exe keeps laptop from going into standby

Pteron

I'm running Windows XP SP 2, on a Dell XPS 1710 laptop. About two weeks ago,
my computer became unable to stay in standby; it would enter standby
normally, but would come right out of it. After much research, I discovered
the reason for this was that the Windows process lsass.exe was reading to and
writing from the hard drive, approximately three times (each) every second.
(This comes from the I/O Reads and I/O Writes columns of Windows Task
Manager.) This reading/writing appears to happen constantly, from the time
the computer is turned on, until it is turned off. By placing the Task
Manager processes in alphabetical order, I've verified that it is (lowercase
"L")sass.exe and not (uppercase "i")sass.exe. I've run a full BitDefender
virus scan, and spyware scans with BitDefender, Spybot, and AdAware, none of
which turn up anything odd. I cannot disable lsass.exe, as I get a "This is a
critical system process. Task Manager cannot end this process." error
message. I've seen one post in another forum that said that Microsoft was
aware of the problem, but I've seen nothing to corroborate this. Apparently
(also from looking through forums) a couple of other people have had this
issue, but I haven't seen any working solutions for it. My questions, then,
are these:

Is it possible to determine why lsass.exe keeps reading and writing to the
hard drive? (I.e. can its calling program be found?)
Is it possible to disable lsass.exe?
Is Microsoft aware of this issue? Are they working on it?

Thank you for any and all help.
 
gsjutla

LSASS is a critical service and cannot be stopped.

Local security authentication server service (LSASS)

• Security subsystem invoked to verify account information and logon
validation to the local machine or domain.

• It receives authentication requests from Winlogon and calls the appropriate
authentication component (implemented as a DLL) to perform account
verification and validation such as checking whether a password matches what
is stored in the active directory or the SAM.

• Upon a successful authentication, LSASS generates an access token object
that contains the user’s security profile.

• This access token is used by Winlogon to create the initial shell process.
Processes launched from the shell, by default, inherit this access token.

• Generates tokens, which contain user and group information as well as
information about the security privileges for that user. After the initial
logon process is complete, all users are identified by their security
identifier (SID) and the associated access tokens.

• Helps validate access to resources via security rights and privileges
assigned to a user/group.

• Manages the Audit policy and settings. When an audit alert is generated by
the Security Reference Monitor, the LSA is charged with writing that alert to
the appropriate system log.


Services/Components under Lsass

• NT LM security support provider - Provides security for RPC programs.
• Netlogon - network logon, secure channel.
• LDAP - queries made to AD are mainly LDAP.
• KCC - generates AD replication topology.
• KDC - Kerberos key distribution centre - allows user to log on to the
network using Kerberos authentication protocol. Grants Kerberos tickets to
users.
• Policy agent - IPSEC
• Protected Storage - It protects sensitive information. If the Protected
Storage service stops, private keys will be inaccessible, the Windows
Certificate Services service will not operate, Secure Multipurpose Internet
Mail Extensions (S/MIME) and SSL will not work, and smart card logon will
fail.
• SamSs - Security Accounts Manager
• HTTP SSL
• IPSEC services

Now let us try to fix your issue. Get the latest hotfix for LSASS. Ensure
you have the latest DLLs for files mentioned in KB902058.

Also download Process Explorer from sysinternals.com and set up the symbol
information under the Options menu and "Configure Symbols". Download and install
"Windows Debugging Tools" from
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

Set the path to windows debugging tools and symbol path as
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Expand the lsass service and see what handles it has open, right-click on
lsass and open properties, go to thread tab and see what is running under
lsass.
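
Added example, not part of the original thread: a PowerShell script that confirms the lsass.exe image path, measures the I/O rate behind Task Manager's I/O Reads and I/O Writes columns, and lists the services hosted in the process. The 10-second window and the use of Get-WmiObject (available in Windows PowerShell 1.0 through 5.1) are assumptions.

```powershell
# Added example (not from the thread). Run from an elevated Windows PowerShell prompt.
$intervalSeconds = 10   # sampling window, chosen for illustration

function Get-Lsass {
    Get-WmiObject -Class Win32_Process -Filter "Name = 'lsass.exe'"
}

# @() forces an array so .Count works even when a single process is returned
$before = @(Get-Lsass)
if ($before.Count -ne 1) {
    Write-Warning "Expected one lsass.exe process, found $($before.Count)."
}

# A genuine lsass.exe runs from %SystemRoot%\System32; the path check is more
# reliable than comparing names by eye in Task Manager.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
foreach ($p in $before) {
    if (-not $p.ExecutablePath) {
        # ExecutablePath is empty when the caller lacks rights to query the process
        Write-Warning "PID $($p.ProcessId): image path not readable; re-run elevated."
    } elseif ($p.ExecutablePath -ne $expected) {   # -ne is case-insensitive
        Write-Warning "PID $($p.ProcessId) runs from $($p.ExecutablePath), not $expected."
    }
}

Start-Sleep -Seconds $intervalSeconds
$after = @(Get-Lsass)

foreach ($p in $before) {
    $q = $after | Where-Object { $_.ProcessId -eq $p.ProcessId }
    if (-not $q) { continue }   # process went away during the window

    # ReadOperationCount/WriteOperationCount are the counters behind Task Manager's
    # I/O Reads and I/O Writes; they cover file, network and device I/O, not disk alone.
    $reads  = ($q.ReadOperationCount  - $p.ReadOperationCount)  / $intervalSeconds
    $writes = ($q.WriteOperationCount - $p.WriteOperationCount) / $intervalSeconds
    "PID {0}: {1:N1} reads/s, {2:N1} writes/s" -f $p.ProcessId, $reads, $writes

    # Services hosted inside this lsass.exe instance
    Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
        Select-Object Name, DisplayName, State
}
```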
 
Pteron

My apologies for the delay. Here's what I've done so far:

I wasn't sure where to find "the latest hotfix for lsass"; I assumed they
were the files referenced in KB902058.

I checked KB902058: since I didn't have any of the referenced symptoms,
(especially since I'm not running a server, and I don't have to restart my
computer) I didn't request the files referenced in the hotfix.

I did download process explorer and windows debugging tools. I wasn't sure
how to "set the path to windows debugging tools". I set it to

C:\Program Files\Debugging Tools for Windows\dbghelp.dll

I did check to see the status of the lsasrv.dll files on my computer. That,
along with the threads in lsass.exe, are in a screenshot at

http://www.jonathankmack.com/images.html

Over time, the first thread (kernel32.dll!BaseThreadStartThunk) changes its
CSwitch Delta entry: it mostly stays at 3, but sometimes goes higher (as in
the 15 on the screenshot). CSwitchDelta of other threads sometimes changes,
but that's seldom.

Does anything stand out?
 
