LSASS.EXE runs every second

[Bob M]

I noticed the hard drive access light flashing every second, along with a
slight clunking sound from the disk. Windows Task Manager tells me that
LSASS.EXE is reading and writing I/O at that interval. From what I read, Lsass
is a "Local Security System Server" having something to do with WinLogon
service, whatever that is. I probably do not want to shut it down, but is
there a way to let it run less often? I don't want it beating up on the hard
drive any more than in necessary.

 

[beb]

That process should not be that active. Run and virus and spyware scan of
your system. Check your event viewer logs of any errors and warnings.

 

[Bob M]

That process should not be that active. Run and virus and spyware scan of
your system. Check your event viewer logs of any errors and warnings.

I ran Mcfee, and it found no virus. Where are these logs you refer to?
This is a new desktop computer from Gateway, running XP Home, media edition
2005.
My Laptop running XP Home does not access the disk this often.

 

[Guest]

Start, Control Panel
Administrative Tools
Event Viewer

 

[Steve N.]

I ran Mcfee, and it found no virus. Where are these logs you refer to?
This is a new desktop computer from Gateway, running XP Home, media edition
2005.
My Laptop running XP Home does not access the disk this often.

You're infected with something, alright. LSASS and WINLOGON services
should not be active unless logon/logoff actions are being performed.

Update your a/v and scan in safe mode. Also download and update Ad-Aware
and Spybot Search and Destroy, and also Stinger (use Google to find
them, easy to find) and scan with them all in safe mode. You might also
download and use another a/v program (again scan in safe mode). I've had
good results with AVG Free. Using one anti-virus/malware program on an
infected system is rarely sufficient anymore. Modern threats by their
nature quickly become blended or multiple threats.

Steve N.

 

[Guest]

I had a similar problem. you boot up, get the error message, click ok and it
shuts down & reboots again? There is a hotfix on microsoft.com for this.
Microsoft says that if you have SP2 the hotfix is already there, but I still
had a problem. I also run Mcafee with constant updates. The hotfix that
microsoft emailed me didn't work for me. I couldn't run windows, not even in
safe mode. I could eventually get into DOS, but the hotfix only works in
windows xp catch 22 right? I called Microsoft tech support, and spoke to a
nice guy for over an hour, free of charge. He walked me through a variety of
steps to overcome my problem. I had already taken most of the steps they
wanted me to, but did it again anyway.

here are some of the microsoft knowlege stuff i looked at:
http://support.microsoft.com/kb/324049/en-us
http://www.microsoft.com/security/incident/sasser.mspx
(this didn't work): http://support.microsoft.com/kb/307545/en-us

Sorry, I can't find the main one that gives you the hotfix number you can
refer to when you contact microsoft.
After speaking with microsoft my only option left was to reinstall windows
removing all other operating systems. If you have not done this before, I'm
giving you **major warning*** you will not be able to run any programs
installed on the same hard drive as windows AND anything contained in
documents and settings under any user name with current windows will not be
accessable. (You can get it after reinstalling windows, but it's time
consuming). You have to login as an administrator in safe mode, then right
click on the file folder you want access to and go to security settings, and
play with them. look up how to on the microsoft website.
What happened prior to my problem.... clicked on expolorer & i thought the
microsoft website came up to check for updates (it does sometimes) when i
did, it probably transmitted my information to a hyjacked site and screwed me
all up.

I have to go, hope this helps & good luck
PS i bought a new computer because i didn't want to have to install all my
programs again back in the older one.

 

[Bob M]

I had a similar problem. you boot up, get the error message, click ok and it
shuts down & reboots again?

No, it is nothing like that at all. It just runs the disk every second. Were
you replying to some other poster?

 

[Bob M]

You're infected with something, alright. LSASS and WINLOGON services
should not be active unless logon/logoff actions are being performed.

Update your a/v and scan in safe mode. Also download and update Ad-Aware
and Spybot Search and Destroy, and also Stinger (use Google to find
them, easy to find) and scan with them all in safe mode. You might also
download and use another a/v program (again scan in safe mode). I've had
good results with AVG Free. Using one anti-virus/malware program on an
infected system is rarely sufficient anymore. Modern threats by their
nature quickly become blended or multiple threats.

Steve N.

OK, I will check to see if there are any recent updates to the McAfee that
came with this new computer. I have not yet installed any Spybot type programs
yet.

One correction to a comment I made earlier where I said that the HP Laptop
running XP Home edition does not access the Hard Drive every second. On
further investigation, the Lsass.exe process does I/O reads and Writes with
about the same frequency as does the Gateway Desktop. The disk activity light
on the laptop just does not show this activity.

To see the activity, I go <alt-ctl-del> to see the Task Manager, select the
Process tab, and using "View", Select Columns, add the I/O Reads and Writes
columns. I notice that csrss.exe runs with a similar frequency. The laptop has
been in use for 3 years, and I have not noticed any odd behaviour.
Do you realy think it is a virus, or just an over agressive setting for this
Lsass function?

I previously had tried shutting down everything in the Startup Tab of
msconfig, but that did not stop the disk access frequency. Nor did unplugging
the connection to the DSL line.

On an older computer, I disabled "Write-Behind-Caching" on the hard drives to
avoid data loss, but when I look at the properties on this XP computer, "Write
Caching & Quick Removal" selection is greyed out, so I can't tinker with it.

 

[Bob M]

That process should not be that active. Run and virus and spyware scan of
your system. Check your event viewer logs of any errors and warnings.

About the only thing that looks unusual in the System log is an "Event 7031"
which repeats at 7 minute intervals.

 

[MAP]

I noticed the hard drive access light flashing every second, along
with a slight clunking sound from the disk. Windows Task Manager
tells me that LSASS.EXE is reading and writing I/O at that interval.
From what I read, Lsass is a "Local Security System Server" having
something to do with WinLogon service, whatever that is. I probably
do not want to shut it down, but is there a way to let it run less
often? I don't want it beating up on the hard drive any more than in
necessary.

You could have a valid program running in the background constantly, that
interfaces with this service. Ignore it.

LSASS.EXE is also reading and writing on my system (minus the HD light,
which could just be a speed difference between our two systems) and recently
I was very "very" bored and ran all of these tools which showed that my
system was clean.

1.David Lipmans 4 AV scanner
2.NOD32
3.Online scans at Kasperski and Trend Micro
4.Ewido
5.Spysweeper
6.Ad-Aware
7.Process Guard is installed

As long as this process is in your system32 folder their is nothing to worry
about.
You can download this "trial version" of WinTasks5 which is similar to the
tasks manager but provides more useful information including the location of
the running services.
http://www.liutilities.com/products/trial/

Run an online scan just to double check McCrappy
http://www.kaspersky.com/virusscanner

Please post back with anything you find.

 

[MAP]

About the only thing that looks unusual in the System log is an
"Event 7031" which repeats at 7 minute intervals.

http://support.microsoft.com/?kbid=813425

 

[Bob M]

LSASS.EXE is also reading and writing on my system (minus the HD light,
which could just be a speed difference between our two systems) and recently
I was very "very" bored and ran all of these tools which showed that my
system was clean.

FWIW, the speed of this cpu is 2.8 Ghz. The laptop, where I do not notice disk
activity each second is 1.6 Ghz.

Run an online scan just to double check McCrappy
http://www.kaspersky.com/virusscanner

Please post back with anything you find.

Thaks for your suggestions.
I ran the Kaspersky suite, and it found no "Malware"

I suspect that it is simply Lsass doing what it was designed to do. I just
wish I knew how to tell it to relax a bit.