Severe Performance Problems on Windows XP System


Keith Russell

Hi, everyone.

I truly hope someone can help, because I'm at my wit's end.

I posted to one of the Microsoft groups some time ago about a performance
problem I was having, but no one had an answer for me. Since then, I've
reinstalled Windows XP Pro twice, each time hoping that it would help, but
no such luck.

I have a 2.4-GHz Pentium 4 with 512 MB RAM and two 120 GB hard drives, but
I often feel as though I'm working with a 100-MHz Pentium 1. :-( I've tried
everything I could think of, including minimizing the number of running
programs and disabling any services that I didn't think I needed. I've
implemented ideas I found on the Black Viper Web site. Nothing seems to
help.

I've also experimented with my virtual memory settings. I initially had a
small amount of VM space on c:, with additional space on d: (a logical
partition on the same drive). I tried various configurations of VM, and
nothing seemed to make a difference. So I moved drive d:'s VM onto the
first partition of my second drive. Again, no difference.

I've also defragmented my drives, to no effect.

I've reached the point where I'm wondering if I might have a hardware
problem, which is why I'm posting to the hardware newsgroup (with a copy to
the general XP newsgroup, just in case). One symptom that leads to this
conclusion is that while I'm working, it seems that I have almost constant
hard disk I/O.

I've run Norton Utilities' disk diagnostics, and it hasn't found anything.
What else can I do to track down the cause of this problem? What other
things (hardware or software) might be causing it?

ANY ideas very graciously accepted! Thanks in advance.
 
Hi Keith,

What do you have running in the background under Msconfig/Startup and the
startup folder? Run this utility and read the log file:
http://www.dougknox.com/xp/utils/StartupTracker3.zip

Run this combo for starters, each of them:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update each program, once installed, before running.

Note2: To avoid the False-Flag for the DSO Exploit (W3), open
Spybot/Advanced Mode/Settings/Ignore Products. On the All Products Tab,
scroll to DSO Exploit and check that item only. Randy (silj)

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

Added info:

Run the Task Manager, go to View/Select Columns, and turn on the following
columns: "I/O Read Bytes" and "I/O Write Bytes." This will give you details
as to which process is accessing the disk.

Although many processes will be accessing the disk, look for one with a high
total or a fast rate of increase, especially when you hear the drive being
accessed.

How to Locate and Correct Disk Space Problems on NTFS Volumes in Windows XP
http://support.microsoft.com/?kbid=315688

Windows XP Does Not Recognize All Available Disk Space
http://support.microsoft.com/default.aspx?scid=kb;en-gb;316505&ln=en-gb

Hard Disk Performance Is Slower Than You Expect
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q308219
 
Keith said:
I posted to one of the Microsoft groups some time ago about a performance
problem I was having, but no one had an answer for me. Since then, I've
reinstalled Windows XP Pro twice, each time hoping that it would help, but
no such luck.

I have a 2.4-GHz Pentium 4 with 512 MB RAM and two 120 GB hard drives, but
I often feel as though I'm working with a 100-MHz Pentium 1. :-( I've tried
everything I could think of, including minimizing the number of running
programs and disabling any services that I didn't think I needed. I've
implemented ideas I found on the Black Viper Web site. Nothing seems to
help.

That leads me to wonder: It will at least do no harm to check in BIOS
setup to make sure that the Level 2 CPU cache has not become disabled;
that will cause this sort of total slow down. And Level one disabled
will make the machine seem the speed of an Abacus
 
Hi, Kelly.

Thank you VERY much for your reply. I feel that I may finally be making
some progress toward tracking this down.

I haven't replied sooner because I've been trying out all of your
suggestions, and it takes several hours for most of them on my system!

See below for what I've found so far.

What do you have running in the background under Msconfig/Startup and the
startup folder? Run this utility and read the log file:
http://www.dougknox.com/xp/utils/StartupTracker3.zip

Thanks. This is a very useful utility. I didn't see anything unexpected,
but will definitely continue to use this in the future.
Run this combo for starters, each of them:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

I run both of these on a fairly regular basis, but it had been a few weeks,
so I updated them both and ran them. Both found a lot of adware, as usual,
but except for WMF registry entries, they were all just tracking cookies.
Note2: To avoid the False-Flag for the DSO Exploit (W3), open
Spybot/Advanced Mode/Settings/Ignore Products. On the All Products Tab,
scroll to DSO Exploit and check that item only. Randy (silj)

This was useful information, and new to me.

My first inclination was not to bother with this, since I have an updated
NAV 2004, as well as the free AVG installed, but I might run it, as well,
based on what I have (and haven't) found. (Norton didn't find anything; I
haven't yet run AVG.)
Run the Task Manager, go to View/Select Columns, and turn on the following
columns: "I/O Read Bytes" and "I/O Write Bytes." This will give you details
as to which process is accessing the disk.

Although many processes will be accessing the disk, look for one with a high
total or a fast rate of increase, especially when you hear the drive being
accessed.

This is potentially your most useful suggestion of all. When my drive is
being accessed, the one process that ALWAYS displays rapidly increasing
counts is lsass.exe--and sometimes it's the ONLY one.

Since this is a single-user system, it seemed to me that there should be no
need for security authentication while I am logged on. (Is this a correct
assumption?) In searching the Web, I found that several viruses install a
file with this name. I haven't encountered the system shutdown system of
Sasser, but I wondered if one of the others might have overwritten the
Windows file.

I found three copies of lsass.exe on my system, at:

c:\windows\system32
c:\windows\servicepackfiles\i386
c:\windows\softwaredistribution\download\6ca...989

All had identical file sizes and date and time stamps, corresponding to the
approximate time that I upgraded to SP2. Another PC also has a file with
the same number of bytes.

I didn't find it in any of the "run" locations in the registry. I did find
it in six places:

HKLM\System\ControlSet001\Control\Nls\MUILanguages\RCV2\lsass.exe
HKLM\System\ControlSet001\Control\Terminal Server\Sysprocs

and similarly for ControlSet003 and CurrentControlSet

I'm guessing that these are all legitimate.

So what I'm left with is the possibility that lsass.exe has been replaced
by a malicious file, but with the identical file size of the original. Is
this a reasonable possibility, or not?
How to Locate and Correct Disk Space Problems on NTFS Volumes in Windows XP
http://support.microsoft.com/?kbid=315688

Windows XP Does Not Recognize All Available Disk Space
http://support.microsoft.com/default.aspx?scid=kb;en-gb;316505&ln=en-gb

These deal with disk space problems, which aren't an issue with me.

This one looked like it might be relevant, but it wasn't.

I would appreciate any additional ideas.

Thanks.
 
Keith said:
I found three copies of lsass.exe on my system, at:

c:\windows\system32
c:\windows\servicepackfiles\i386
c:\windows\softwaredistribution\download\6ca...989

Those are: the one in use; the one cached by the SP2 installation,
against need by File Protection; and the actual download used by the
SP2 installation - you can delete that folder BTW and save space; it is
not going to be used again
All had identical file sizes and date and time stamps, corresponding to the
approximate time that I upgraded to SP2. Another PC also has a file with
the same number of bytes.

I didn't find it in any of the "run" locations in the registry. I did find
it in six places:

HKLM\System\ControlSet001\Control\Nls\MUILanguages\RCV2\lsass.exe
HKLM\System\ControlSet001\Control\Terminal Server\Sysprocs

and similarly for ControlSet003 and CurrentControlSet

I'm guessing that these are all legitimate.

Yes. Current Control set is an alias for the one of the others you are
currently running (normally 003); 001 is a fall back
So what I'm left with is the possibility that lsass.exe has been replaced
by a malicious file, but with the identical file size of the original. Is
this a reasonable possibility, or not?

Improbable - but the easy way to make sure is to rename the one in
system32. It will be replaced in a few seconds by File Protection
copying from the cache. Close and restart to bring that replacement
into use.

The only thought I have is that a service that depends on lsass is the
Distributed Transaction Coordinator. That may not be important to you
(on my system it is set on Manual and does not start), but *might* be
in a tangle, so trying the effect - cautiously - of stopping it if it is
started might give a clue
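
Added example, not part of any post in this thread: matching file sizes and timestamps, as compared for the three lsass.exe copies above, do not show that the contents match, whereas hashing each copy does. The file contents, the folder names under a temporary directory, the timestamp and the function names are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk_size=65536):
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_copies(paths):
    """Group copies by content hash; also report whether size/mtime alone agree."""
    by_hash = defaultdict(list)
    metadata = set()
    for path in paths:
        st = os.stat(path)
        metadata.add((st.st_size, int(st.st_mtime)))
        by_hash[sha256_of(path)].append(path)
    return {
        "metadata_identical": len(metadata) == 1,
        "content_identical": len(by_hash) == 1,
        "groups": dict(by_hash),
    }

def build_constructed_copies(root):
    """Constructed sample data: three stand-in files, one altered at equal size."""
    original = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a system binary"
    altered = original[:-1] + b"X"  # same length, different last byte
    layout = {"system32": original, "servicepackfiles": original,
              "download": altered}
    paths = []
    for folder, data in layout.items():
        os.makedirs(os.path.join(root, folder))
        path = os.path.join(root, folder, "lsass.exe")
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (1092000000, 1092000000))  # constructed, identical timestamps
        paths.append(path)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = compare_copies(build_constructed_copies(tmp))
        print(report["metadata_identical"], report["content_identical"])
```

On a real system, pass the actual paths of the copies to `compare_copies`; a copy whose hash falls outside the majority group is the one to examine.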
 
Hi Keith,

What a great response and you are most welcome. You are very thorough!
Seems as though you have found the most prevalent issue. Alex has already
answered your questions (Thanks, Alex). :o)

Please, keep us informed of what you find from here, as you seem to be a
great researcher.
 
Hi Keith,

What a great response and you are most welcome. You are very thorough!

Thanks. This is my greatest strength and my greatest weakness. ;-)

I'm a currently unemployed software engineer, so I unfortunately do have
quite a bit of time to spend on something like this....
Seems as though you have found the most prevalent issue. Alex has already
answered your questions (Thanks, Alex). :o)

For some reason, Alex's post was never delivered to my ISP's news server.
Thanks for letting me know about it. I just subscribed to the newsgroup
through Microsoft's server, and found it there.
Please, keep us informed of what you find from here, as you seem to be a
great researcher.

Still nothing, but if I do find anything, I'll let you know!
 
Hi, Alex.

Thanks very much for the reply. It got lost somewhere along the way, so I
just discovered it today (with Kelly's help).

Those are: the one in use; the one cached by the SP2 installation,
against need by File Protection; and the actual download used by the
SP2 installation - you can delete that folder BTW and save space; it is
not going to be used again

Thanks for this information. I'd guessed that the download folder could
probably be deleted. Can I delete the whole softwaredistribution directory?


Improbable - but the easy way to make sure is to rename the one in
system32. It will be replaced in a few seconds by File Protection
copying from the cache. Close and restart to bring that replacement
into use.

I know it's improbable, but I haven't been able to come up with any other
possibilities yet. I tried renaming it, and the new copy is continuing to
merrily read and write to the disk almost nonstop. Do you know if this is
normal?
The only thought I have is that a service that depends on lsass is the
Distributed Transaction Coordinator. That may not be important to you
(on my system it is set on Manual and does not start), but *might* be
in a tangle, so trying the effect - cautiously - of stopping it if it is
started might give a clue

I haven't tried this yet, but will definitely do so.

Thanks again.
 
Keith Russell wrote:

That leads me to wonder: It will at least do no harm to check in BIOS
setup to make sure that the Level 2 CPU cache has not become disabled;
that will cause this sort of total slow down. And Level one disabled
will make the machine seem the speed of an Abacus

Hi again, Alex.

I discovered the above message (which had also not been delivered to my
ISP's mail server) after I replied to your other one.

This was a great suggestion, and I'm embarrassed that I hadn't thought of
it myself. It made so much sense, and I was convinced that you had
correctly diagnosed the problem. Right after reading your message, I
rebooted and checked my BIOS settings--no cache settings at all!

So I called Dell support (this is a Dell 8200) to see if I was missing
something. The tech said that there was no way to enable or disable cache
in BIOS, and suggested that I run Dell's advanced diagnostics on my system.
I did so, and here I am, TWO DAYS LATER (no kidding; it took that long!),
finally able to use my system, and starting from square one again.
Diagnostics didn't find a single problem. Just to be sure, I ran the L1 and
L2 cache tests three times, and each time I was told that cache was
performing optimally.

Any other ideas?
 
Hi, Kelly.

Please, keep us informed of what you find from here, as you seem to be a
great researcher.

As promised....

I still have no results to report.

I did some research on Windows tasks, and ended up biting the bullet and
buying The Ultimate Troubleshooter from answersthatwork.com. Even though I
know that most, if not all, the information it provides is on their Web
page, I thought it would save me time to have it all in one place. The
program didn't find any problems with any of my running programs and
services.

Using the program in conjunction with the recommendations at blackviper.com
(and the report from StartupTracker), I again went through all my services
to make sure that I am running the ones I need and only the ones I need.

I also ran system diagnostics (see my reply to Alex) and found nothing.

The lsass.exe process still continues to churn away, reading and writing
bytes nearly nonstop. I still don't understand why an authentication server
should have to do this. However, it does seem to do the same thing on my
other XP system, which doesn't exhibit the constant disk thrashing that I
have here.

So I'm still looking for ideas. Thanks again to you and Alex for all your
excellent suggestions.
 
