LSASS high CPU usage for a while after boot-up

Guest

I've set up a brand-new computer with Windows XP Pro SP1. An updated Norton Antivirus was installed immediately after setup (and two complete system scans have been done afterwards, so no, I don't think we're talking virus here). All WindowsUpdate suggested updates were immediately applied upon install of Windows. And other than drivers and software that accompanied the motherboard (from GigaByte), no other software has been installed thus far (although about 30 gigs worth of image data has been dumped to the secondary partition of the system).

After the first couple of days, I noticed that the computer was really unresponsive right after booting up, and for some time (approx ten minutes) thereafter. Task Manager shows that the LSASS.EXE service is going nuts, with the other services hardly using any CPU time. I leave the room and let the system do its own thing for a little while, and when I come back, LSASS has dropped back to zero CPU usage, though its total usage at that point is very high (as seen in Task Manager).

Most Internet searches turn up information regarding LSASS vulnerability exploits, and some Microsoft KB articles discuss problems with high CPU usage by LSASS on domain controllers, but though I can find a few instances of similar XP Pro LSASS CPU usage, I can find no posted, authoritative information regarding what is happening or how to remedy it.

So, any ideas? What is LSASS really doing? What is its point in life?

Pat Furrie
 
Nick Spence

Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: Windows Local Security Authority Server
Process handles Windows security mechanisms. It verifies
the validity of user logons to your computer or server.
Technically, the software generates the process that is
responsible for authenticating users for the Winlogon
service.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A


There is what it is and what it does, but just because you
ran a virus scan does not mean that you have a clean
system. (According to PC World Magazine) PC-cillin 04 is
the best anti-virus, catching a large percentage of viruses
with no false positives. But! Just because you ran 2 virus
scans (with the same program, I assume) does not mean you
caught it. Most viruses will "piggyback" off critical
Windows files, fooling even an experienced user. So, you may
want to try another virus scanner; some good ones (free)
are

AVG-Anti Virus (http://www.grisoft.com)
Trend Micro House Call (http://housecall.antivirus.com)

If all is still ok, try SpyBot Search and Destroy
(http://www.safer-networking.org), or Ad-Aware
(http://www.lavasoftusa.com)

You may want to try this web site as well; it lists system
and security processes in Windows.

http://www.liutilities.com/products/wintaskspro/processlibrary/

Hope this helps.
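One way to act on that advice with a concrete check, as an added example that is not code from the thread or from the sites it links: take a process snapshot and verify that whatever is called lsass.exe is the genuine one. The snapshot below is a constructed CSV (pid, ppid, path, name: the fields `wmic process get` can print) and the install path is the XP default, both assumptions to adjust for the host. The rules come from what the reply states (a single Microsoft system process in %SystemRoot%\system32) plus the fact that on XP lsass.exe is started by winlogon.exe (wininit.exe on Vista and later).

```python
"""Check that a running lsass.exe is the genuine one.

Added example, not code from the thread or from the process-library sites
quoted above. Input is a constructed CSV snapshot (pid,ppid,path,name).
"""
import csv
import io
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid path name")

# Assumption: default XP install location; adjust for the host being triaged.
SYSTEM32 = r"c:\windows\system32"
GENUINE_PATH = SYSTEM32 + r"\lsass.exe"
GENUINE_PARENTS = {"winlogon.exe", "wininit.exe"}  # XP / Vista and later

# Constructed snapshot: one genuine lsass.exe plus two impostors that a
# Task Manager glance would miss (a copy in a profile folder, and a
# look-alike name with a capital I in place of the l).
SAMPLE_LISTING = r"""pid,ppid,path,name
4,0,,System
540,4,C:\WINDOWS\system32\smss.exe,smss.exe
612,540,C:\WINDOWS\system32\winlogon.exe,winlogon.exe
656,612,C:\WINDOWS\system32\lsass.exe,lsass.exe
1204,612,C:\WINDOWS\system32\svchost.exe,svchost.exe
2016,1204,C:\Documents and Settings\pat\lsass.exe,lsass.exe
2044,1204,C:\WINDOWS\system32\Isass.exe,Isass.exe
"""


def parse_listing(text):
    """Turn the CSV snapshot into Proc records."""
    return [
        Proc(int(r["pid"]), int(r["ppid"]), r["path"], r["name"])
        for r in csv.DictReader(io.StringIO(text))
    ]


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names (Isass, lsas, ...)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_lsass(procs):
    """Return (pid, reason) findings for anything posing as lsass.exe."""
    by_pid = {p.pid: p for p in procs}
    findings, named_lsass = [], []
    for p in procs:
        stem = ntpath.splitext(p.name)[0].lower()
        if p.name.lower() == "lsass.exe":
            named_lsass.append(p)
        elif edit_distance(stem, "lsass") <= 1:
            findings.append((p.pid, f"look-alike name {p.name!r} at {p.path!r}"))
    for p in named_lsass:
        if p.path.lower() != GENUINE_PATH:
            findings.append((p.pid, f"lsass.exe running from {p.path!r}, not {GENUINE_PATH}"))
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<none>"
        if parent_name not in GENUINE_PARENTS:
            findings.append((p.pid, f"lsass.exe in system32 but started by {parent_name}"))
    genuine = [p for p in named_lsass if p.path.lower() == GENUINE_PATH]
    if len(genuine) > 1:
        findings.append((0, f"{len(genuine)} copies of lsass.exe in system32; exactly one is expected"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage_lsass(parse_listing(SAMPLE_LISTING)):
        print(f"PID {pid}: {reason}")
```

On the constructed snapshot the genuine PID 656 passes all three rules and the two impostors are reported; a clean machine returns an empty list. None of this says why the real lsass.exe is busy after boot, only whether the process consuming the CPU is the one Windows shipped.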
 
Crimson Castle

Hello,

I had a similar problem with my machine too. Here are my specs:

P4 3.0G Prescott, 1G DDR-RAM, AsusP4P800s motherboard, Cable Modem service,
and running XP Pro SP1.

In the first week of May, I had just installed my new CPU and motherboard -
then had to switch over from Win2K to XP Pro. I reformatted my HD and
installed XP Pro SP1 from the CD then I went to update the patches for XP.

Meanwhile, I had installed my AV program - CA's VET - latest definitions. I
did not install my firewall - that was a fatal mistake.

After I had patched XP, I noticed my computer started to go crazy. The CPU
started running hot, I had high HD activity, the cable modem lights all went
constant. There was sluggish reaction time in my computer.

Initially, I thought it was just a bad patch or teething problems with the
new system.

But after I pressed ctrl-alt-del, I found several processes running in the
background - one of them was called wuamgrd.exe - VET scanned it and said it
was OK. I did the google search on it and SOPHOS and Trend Micro both
claimed it was a virus. I followed their advice on removing it from the
registry.

It seems I got hit by the Win32 worm also known as Backdoor.Agobot.gy,
W32.Randex.gen, BKDR_SDBOT.GEN

According to Sophos, W32/RBot-A is a worm with a backdoor component
that spreads on weakly protected network shares on the Windows platform. The
worm spreads by scanning random IP addresses for open SMB ports (445) and
trying to copy itself to the Windows system folder on the remote Admin$ and
C$ shares as the file wuamgrd.exe.
W32/RBot-A uses an internal dictionary of common passwords to gain access.
The worm attempts to schedule the copied file for later execution on the
remote machine.

W32/RBot-A also has a backdoor component that allows a malicious user remote
access to an infected computer. When run the worm attempts to contact a
remote IRC server and join a specific channel to listen for commands.

Besides the capability to spread W32/RBot-A also allows the remote user to
set up a proxy server, start a HTTP server on a user specified port, collect
system information, add or delete shares and users, kill processes, download
and execute files, send email, remotely control a connected web cam, sniff
network traffic or launch a denial-of-service attack against a user
specified target.

In order to run automatically when Windows starts up W32/RBot-A copies
itself to the file wuamgrd.exe in the Windows system folder and creates the
following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

etc..

So what I did was I physically disconnected my cable modem, then reformatted
the whole HD again, reinstalled XP PRO, installed my ZONE ALARM PRO
firewall, then connected the cable modem and went to the windows update site
to patch XP.

I also went to the blackviper.com site to terminate all the unnecessary
clutter and default vulnerabilities that XP has.

My system is very fast and working perfectly now. I'm now using Grisoft
AVG.
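The worm behaviour quoted in that post (random-IP scanning for SMB on TCP/445, and persistence through a bare "wuamgrd.exe" under HKLM\...\Run) can be turned into two detection checks. The block below is an added example, not code from the thread or from Sophos; the firewall log layout, the registry excerpt, the sample addresses and the thresholds are all constructed for it.

```python
"""Indicators for the share-spreading worm described above.

Added example, not from the thread or from Sophos. Two checks:
  find_smb_sweeps()  flags a host that opens TCP/445 connections to many
                     distinct addresses in a short window (the random-IP
                     scanning the post describes);
  audit_run_keys()   flags HKLM\\...\\Run values whose data is a bare file
                     name such as "wuamgrd.exe", as in the entry quoted.
All log lines, registry text, field layout and thresholds are constructed.
"""
import re
from collections import defaultdict


# Constructed firewall log layout (assumption): "<epoch-seconds> <src> <dst> <dport>"
def make_sample_log():
    lines = []
    # 192.168.1.20 is an ordinary client talking to one file server over SMB.
    for i in range(40):
        lines.append(f"{1000 + i} 192.168.1.20 192.168.1.2 445")
    # 192.168.1.5 behaves like the worm: 60 distinct targets on 445 in 30 seconds.
    for i in range(60):
        lines.append(f"{1000 + i // 2} 192.168.1.5 10.{i % 7}.{(i * 13) % 251}.{(i * 37) % 253} 445")
    # Web traffic from the same host is not SMB and must not be counted.
    lines.append("1010 192.168.1.5 66.102.7.99 80")
    return lines


def find_smb_sweeps(lines, window=60, threshold=20):
    """Map each source that reached >= threshold distinct hosts on 445 within
    `window` seconds to the largest distinct-target count seen for it."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split()
        if dport == "445":
            by_src[src].append((int(ts), dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits inside the sliding window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:  # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                sweeps[src] = max(sweeps.get(src, 0), len(in_window))
    return sweeps


# Constructed excerpt in `reg export` format: two legitimate autoruns and the
# worm's entry, whose data carries no directory at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Microsoft Update"="wuamgrd.exe"
'''


def audit_run_keys(reg_text):
    """Return (value name, target, reason) for Run entries given as a bare
    file name: Windows resolves those through the search path, so a dropper
    only needs to land its copy in the system folder, as the worm does."""
    findings, in_run = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower().endswith(r"\currentversion\run")
            continue
        m = re.match(r'^"(.*?)"="(.*)"$', line) if in_run else None
        if not m:
            continue
        name = m.group(1)
        data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo reg export escaping
        target = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
        if "\\" not in target:
            findings.append((name, target, "bare file name, no directory"))
    return findings


if __name__ == "__main__":
    print("SMB sweeps:", find_smb_sweeps(make_sample_log()))
    for name, target, why in audit_run_keys(SAMPLE_REG):
        print(f"Run\\{name} -> {target}: {why}")
```

The sweep detector counts distinct destinations, not connections, so a client that hammers one file server never trips it, while the worm host is reported with 60 targets. The registry check deliberately ignores the friendly value name ("Microsoft Update"), since that is exactly the part an attacker chooses; the shape of the data is the signal.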
 
