What are these Isass processes?

Terry Pinnell

I'm trying to work out why I sometimes get such slow performance on
this Quad Core Q9450 2.66 GHz, 4 GB, running XP Pro. I just ran
Process Monitor (ProcMon) and even though I'm not actively *doing*
much in any of the applications currently loaded, I see hundreds if
not thousands of the following types of entry dominating activity.
What are they and do they offer the experts any clues please?

Process = Isass.exe, PID = 804

Operation      Path                                    Result
---------      ----                                    ------
RegOpenKey     HKLM\SECURITY\Policy                    SUCCESS
RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  BUFFER OVERFLOW
RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  SUCCESS
RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
RegCloseKey    HKLM\SECURITY\Policy                    SUCCESS
RegOpenKey     HKLM\SECURITY\Policy                    SUCCESS
RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  BUFFER OVERFLOW
RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  SUCCESS
RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
etc
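As an added example (not part of the original post), here is a small Python script that does what one usually wants to do with a ProcMon trace like the one above before reading it line by line: collapse it into distinct rows with counts, and pair each BUFFER OVERFLOW with the SUCCESS retry on the same operation and path. In ProcMon, BUFFER OVERFLOW is how a registry query that returned ERROR_MORE_DATA is displayed: the caller asked with a buffer that was too small, allocates a bigger one and asks again, which is exactly the overflow/success pair visible in the trace and is not a fault. The sample trace is constructed from the lines in the post; the set of result strings and the three-column layout are assumptions about how the trace was pasted, not ProcMon's native export format.

```python
"""Triage a pasted Process Monitor (ProcMon) trace: collapse the repeated
registry operations into distinct (operation, path, result) rows with counts,
and pair each BUFFER OVERFLOW with the SUCCESS retry that normally follows it."""
import re
from collections import Counter

# Constructed sample in the three-column layout shown in the post
# (Operation, Path, Result). Real traces carry more columns; only these
# three are parsed here.
SAMPLE_TRACE = r"""
RegOpenKey HKLM\SECURITY\Policy SUCCESS
RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS
RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
RegCloseKey HKLM\SECURITY\Policy SUCCESS
"""

# ProcMon result strings that can appear in the last column (assumed list).
# Several contain a space, so the path cannot simply be split on whitespace.
RESULTS = ("SUCCESS", "BUFFER OVERFLOW", "NAME NOT FOUND", "ACCESS DENIED",
           "REPARSE", "NO MORE ENTRIES", "BUFFER TOO SMALL")
LINE_RE = re.compile(r"^(?P<op>\S+)\s+(?P<path>.+?)\s+(?P<result>"
                     + "|".join(re.escape(r) for r in RESULTS) + r")$")


def parse_trace(text):
    """Return a list of (operation, path, result) tuples, skipping the
    header, the separator line and anything that does not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["op"], m["path"], m["result"]))
    return events


def summarize(events):
    """Collapse thousands of lines into distinct rows with counts."""
    return Counter(events)


def pair_overflow_retries(events):
    """Return (paired, unpaired).

    BUFFER OVERFLOW is ProcMon's rendering of ERROR_MORE_DATA: the caller
    supplied a buffer that was too small. When the same operation on the
    same path is retried and returns SUCCESS, that is the ordinary two-call
    size probe and not an error. Overflows never followed by a SUCCESS on the
    same key are counted separately as unpaired."""
    pending = Counter()
    paired = 0
    for op, path, result in events:
        key = (op, path)
        if result == "BUFFER OVERFLOW":
            pending[key] += 1
        elif result == "SUCCESS" and pending[key] > 0:
            pending[key] -= 1
            paired += 1
    return paired, sum(pending.values())


def report(text):
    """Human-readable triage of one process's trace."""
    events = parse_trace(text)
    rows = summarize(events)
    paired, unpaired = pair_overflow_retries(events)
    lines = ["%d events, %d distinct rows" % (len(events), len(rows))]
    for (op, path, result), n in rows.most_common():
        lines.append("%6d  %-14s %-42s %s" % (n, op, path, result))
    lines.append("BUFFER OVERFLOW retried with SUCCESS: %d, never retried: %d"
                 % (paired, unpaired))
    return "\n".join(lines)


if __name__ == "__main__":
    # Repeat the sample to mimic the flood the poster saw.
    print(report(SAMPLE_TRACE * 250))
```

Run against a few thousand lines of this trace the output is six distinct rows and an overflow count equal to the success-retry count, which is the quickest way to tell that the volume is one short loop repeating rather than thousands of different things happening. Unpaired overflows, or results such as ACCESS DENIED or NAME NOT FOUND, are the rows worth reading individually.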
 
David H. Lipman

From: "Terry Pinnell"

| I'm trying to work out why I sometimes get such slow performance on
| this Quad Core Q9450 2.66 GHz, 4 GB, running XP Pro. I just ran
| Process Monitor (ProcMon) and even though I'm not actively *doing*
| much in any of the applications currently loaded, I see hundreds if
| not thousands of the following types of entry dominating activity.
| What are they and do they offer the experts any clues please?

| Process = Isass.exe, PID = 804

| Operation      Path                                    Result
| ---------      ----                                    ------
| RegOpenKey     HKLM\SECURITY\Policy                    SUCCESS
| RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
| RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  BUFFER OVERFLOW
| RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
| RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
| RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  SUCCESS
| RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
| RegCloseKey    HKLM\SECURITY\Policy                    SUCCESS
| RegOpenKey     HKLM\SECURITY\Policy                    SUCCESS
| RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
| RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  BUFFER OVERFLOW
| RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
| RegOpenKey     HKLM\SECURITY\Policy\SecDesc            SUCCESS
| RegQueryValue  HKLM\SECURITY\Policy\SecDesc\(Default)  SUCCESS
| RegCloseKey    HKLM\SECURITY\Policy\SecDesc            SUCCESS
| etc

| --
| Terry, East Grinstead, UK

ISASS.EXE or LSASS.EXE

LSASS.EXE, executed from %windir%\system32 is normal, and safe.

ISASS.EXE has a very high probability of being malware !
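The name check above, as an added example in Python (not from the post or its author): it folds characters that are easily confused in a process list (capital I, lower-case l, the digit 1, the digit 0) so that Isass.exe, 1sass.exe and lsass.exe compare equal, and then reports anything that is not the single lsass.exe running from System32 under the expected parent. The process listing is constructed; the install directory C:\WINDOWS and the parent names winlogon.exe (XP) and wininit.exe (Vista and later) are assumptions made for the example.

```python
r"""Distinguish the real lsass.exe from lookalike process names and from
copies running outside %windir%\system32 or under an unexpected parent."""
import ntpath

EXPECTED_NAME = "lsass.exe"
# Assumption: Windows lives in C:\WINDOWS (the XP default). Change this to
# your own %windir%\system32 if it differs.
EXPECTED_DIR = r"C:\WINDOWS\system32"
# lsass.exe is started by winlogon.exe on XP and by wininit.exe on Vista and
# later. Any other parent is worth a closer look.
EXPECTED_PARENTS = {"winlogon.exe", "wininit.exe"}

# Characters that are easily mistaken for one another, folded to one
# canonical form so that "Isass", "1sass" and "lsass" compare equal.
FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def fold(name):
    """Lower-case the image name and fold confusable characters."""
    return name.lower().translate(FOLD)


def classify(name, path, parent):
    """Return 'genuine', 'lookalike-name', 'wrong-path', 'wrong-parent'
    or 'unrelated' for one process."""
    if fold(name) != EXPECTED_NAME:
        return "unrelated"              # not trying to look like lsass at all
    if name.lower() != EXPECTED_NAME:
        return "lookalike-name"         # Isass.exe, 1sass.exe, ...
    if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(EXPECTED_DIR):
        return "wrong-path"             # real name, wrong directory
    if parent.lower() not in EXPECTED_PARENTS:
        return "wrong-parent"
    return "genuine"


def audit(processes):
    """Return a list of (pid, name, verdict) findings for a process listing
    given as (pid, image name, full path, parent image name) tuples. More
    than one genuine lsass.exe is itself reported, since there is only one."""
    findings = []
    genuine = 0
    for pid, name, path, parent in processes:
        verdict = classify(name, path, parent)
        if verdict == "genuine":
            genuine += 1
        elif verdict != "unrelated":
            findings.append((pid, name, verdict))
    if genuine > 1:
        findings.append((None, EXPECTED_NAME, "multiple-instances"))
    return findings


# Constructed process listing: (pid, image name, full path, parent image).
SAMPLE_PROCESSES = [
    (804, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe", "winlogon.exe"),
    (1580, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "services.exe"),
    (2244, "Isass.exe", r"C:\WINDOWS\Isass.exe", "explorer.exe"),
    (2312, "lsass.exe",
     r"C:\Documents and Settings\Terry\Local Settings\Temp\lsass.exe",
     "explorer.exe"),
]

if __name__ == "__main__":
    for pid, name, verdict in audit(SAMPLE_PROCESSES):
        print(pid, name, verdict)
```

On a live Windows host the tuples would come from WMI (Win32_Process: ProcessId, Name, ExecutablePath and ParentProcessId resolved to a name) rather than the constructed list. The folding step is the part that matters for this thread: the difference between a capital I and a lower-case l is invisible in most fonts, and the same script applies to any process name an attacker might imitate, not only lsass.exe.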
 
Gerry

Terry

Malwarebytes' Anti-Malware
1.36 -freeware (if you upgrade you pay).
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Run Malwarebytes' in safe mode and turn off your current anti-virus
before you do to avoid a conflict. Disregard the invitation on the web
site regarding the Registry Optimiser -a Registry Optimiser is not a
helpful utility.


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
David H. Lipman

From: "BeeCeeBee"

| There is little doubt that you have picked up a pretty bad worm or trojan (sasser most
| likely)

| You need to follow a good disinfection process and not rely on one of these fix all
| programs that usually do more harm than good. If you know what to do great, otherwise
| feel free to visit us at the link below. -- BeeCeeBee Posted via
| http://computerhelpforums.net Forum to USENET Gateway

Sasser is DEAD.

There are other I-worms that may exploit LSASS via TCP port 445 but the Lsass worm is
dead.

At this point we do NOT know that the PC is infected. I have only stated the if ISASS.EXE
is found it can be malware. Many trojans use that name and are not I-worms and definitely
not Sasser.
 
Terry Pinnell

Gerry said:
Terry

Malwarebytes' Anti-Malware
1.36 -freeware (if you upgrade you pay).
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Run Malwarebytes' in safe mode and turn off your current anti-virus
before you do to avoid a conflict. Disregard the invitation on the web
site regarding the Registry Optimiser -a Registry Optimiser is not a
helpful utility.

Thanks all and my apologies for mistaking Lsass.exe for Isass.exe.
That 'l' looked like a capital I to my tired eyes!

With that cleared up, can anyone offer any suggestions as to why I am
at times getting such a flood of these Lsass.exe processes please?
 
Gerry

Terry

Are there any yellow question marks in Device Manager? Right click on
the My Computer icon on your Desktop and select Properties,
Hardware, Device Manager. If yes, what is the Device Error code?

Are any devices malfunctioning? Select Start, All Programs, Accessories,
System Tools, System Information. Open Components under System Summary
and click on Problem Devices. Is anything listed there?

Have a look in the System and Application logs in Event Viewer for Errors
and Warnings and post copies here. Don't post any more than 48 hours ago.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

A tip for posting copies of Error Reports! Right click on the Report in the
list and select Properties. In the window, which appears are three buttons
towards the top right of the window. The top one has an arrow up, underneath
is an arrow down and third is a button resembling two pages. Click the
button and close Event Viewer. It is not obvious but this action places a
copy of the report in your Clipboard. Now start your message (email) and do
a paste into the body of the message. Make sure this is the first paste
after exiting from Event Viewer.

Try HD Tune. It only gives information and does not fix any
problems.

Download and run it and see what it turns up. You want HD Tune
(freeware) version 2.55 not HD Tune Pro (not Freeware) version 3.00.
http://www.hdtune.com/

Select the Info tabs and place the cursor on the drive under Drive
letter and then double click the two page icon ( copy to Clipboard )
and copy into a further message.

Select the Health tab and then double click the two page icon ( copy to
Clipboard ) and copy into a further message. Make sure you do a full
surface scan with HD Tune.

What is your motherboard make and model?

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Alister

Terry Pinnell said:
Thanks all and my apologies for mistaking Lsass.exe for Isass.exe.
That 'l' looked like a capital I to my tired eyes!

With that cleared up, can anyone offer any suggestions as to why I am
at times getting such a flood of these Lsass.exe processes please?
Terry, East Grinstead, UK

"lsass.exe" is the Local Security Authentication Server. It verifies the
validity of user logons to your PC/Server. It generates the process
responsible for authenticating users for the Winlogon service. This process
is performed by using authentication packages such as the default
Msgina.dll. If authentication is successful, Lsass generates the user's
access token, which is used to launch the initial shell. Other processes
that the user initiates inherit this token.

If you are seeing a lot of activity from this process it can sometimes mean
that you have a Trojan or malware allowing access to your PC from the
internet.

Conversely some Antivirus programs regularly check files, folders and the
registry, and each time it does that it will generate an authentication
request.

Any software on your PC that accesses the registry will also generate an
authentication request whenever it does it.

Unfortunately, there are too many different reasons to give you a definitive
answer.

Alister
 
Terry Pinnell

Gerry said:
Terry

Are there any yellow question marks in Device Manager? Right click on
the My Computer icon on your Desktop and select Properties,
Hardware, Device Manager. If yes, what is the Device Error code?

Are any devices malfunctioning? Select Start, All Programs, Accessories,
System Tools, System Information. Open Components under System Summary
and click on Problem Devices. Is anything listed there?

Thanks Gerry, much appreciate the detailed suggestions.

All OK in Device Manager.
Have a look in the System and Application logs in Event Viewer for Errors
and Warnings and post copies here. Don't post any more than 48 hours ago.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

A tip for posting copies of Error Reports! Right click on the Report in the
list and select Properties. In the window, which appears are three buttons
towards the top right of the window. The top one has an arrow up, underneath
is an arrow down and third is a button resembling two pages. Click the
button and close Event Viewer. It is not obvious but this action places a
copy of the report in your Clipboard. Now start your message (email) and do
a paste into the body of the message. Make sure this is the first paste
after exiting from Event Viewer.



Under APPLICATION there are 2 or 3 types of Warning, but no recent
Errors
-----------------
Event Type: Warning
Event Source: EventSystem
Event Category: (54)
Event ID: 4353
Date: 28/04/2009
Time: 19:06:43
User: N/A
Computer: TERRY-INTEL
Description:
The COM+ Event System attempted to fire the
EventObjectChange::ChangedSubscription event but received a bad return
code. HRESULT was 80040201.



Event Type: Warning
Event Source: EventSystem
Event Category: (52)
Event ID: 4356
Date: 28/04/2009
Time: 19:06:43
User: N/A
Computer: TERRY-INTEL
Description:
The COM+ Event System failed to create an instance of the subscriber
partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}.
CoGetObject returned HRESULT 80070424.



Event Type: Warning
Event Source: EventSystem
Event Category: (54)
Event ID: 4353
Date: 28/04/2009
Time: 19:06:43
User: N/A
Computer: TERRY-INTEL
Description:
The COM+ Event System attempted to fire the
EventObjectChange::ChangedSubscription event but received a bad return
code. HRESULT was 80040201.


Event Type: Warning
Event Source: EventSystem
Event Category: (52)
Event ID: 4356
Date: 28/04/2009
Time: 19:06:43
User: N/A
Computer: TERRY-INTEL
Description:
The COM+ Event System failed to create an instance of the subscriber
partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}.
CoGetObject returned HRESULT 80070424.


etc
etc (Total of 8 similar pairs, 16 entries, all with same timestamp as
above)



Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 28/04/2009
Time: 19:04:39
User: NT AUTHORITY\SYSTEM
Computer: TERRY-INTEL
Description:
Windows saved user TERRY-INTEL\Terry registry while an application or
service was still using the registry during log off. The memory used
by the user's registry has not been freed. The registry will be
unloaded when it is no longer in use.

This is often caused by services running as a user account, try
configuring the services to run in either the LocalService or
NetworkService account.
[How?!]

UNDER SYSTEM there's just one recent Error
------------------------------------------
Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 27/04/2009
Time: 13:06:58
User: N/A
Computer: TERRY-INTEL
Description:
The IP address lease 192.168.1.33 for the Network Card with network
address 001E8CD64F1B has been denied by the DHCP server 192.168.1.1
(The DHCP Server sent a DHCPNACK message).

[Totally meaningless to me I'm afraid!]

Try HD Tune. It only gives information and does not fix any
problems.

Download and run it and see what it turns up. You want HD Tune
(freeware) version 2.55 not HD Tune Pro (not Freeware) version 3.00.
http://www.hdtune.com/

OK, I've installed it. But can you confirm that you're suggesting I
use the SCAN tab, not the default BENCHMARK? My main drive is 750 GB
and I also have another identical one for backups, plus an external
1TB drive. I suspect even the first (C:) will take a long time, so
I'll do that overnight.
Select the Info tabs and place the cursor on the drive under Drive
letter and then double click the two page icon ( copy to Clipboard )
and copy into a further message.

Select the Health tab and then double click the two page icon ( copy to
Clipboard ) and copy into a further message. Make sure you do a full
surface scan with HD Tune.

What is your motherboard make and model?

CPU is an Intel Core 2 Quad Core Q9450 (2.66 GHz, 12 MB cache, 1333
MHz) with PCI-Express Mainboard - SLI nForce 650i SLI(C55)
 
Terry Pinnell

Alister said:
"lsass.exe" is the Local Security Authentication Server. It verifies the
validity of user logons to your PC/Server. It generates the process
responsible for authenticating users for the Winlogon service. This process
is performed by using authentication packages such as the default
Msgina.dll. If authentication is successful, Lsass generates the user's
access token, which is used to launch the initial shell. Other processes
that the user initiates inherit this token.

If you are seeing a lot of activity from this process it can sometimes mean
that you have a Trojan or malware allowing access to your PC from the
internet.

Conversely some Antivirus programs regularly check files, folders and the
registry, and each time it does that it will generate an authentication
request.

Any software on your PC that accesses the registry will also generate an
authentication request whenever it does it.

Unfortunately, there are too many different reasons to give you a definitive
answer.
Thanks Alister, appreciate your help.

Both Spybot Search & Ad-Aware consistently report no critical
problems.

But I do have AVG (Free) installed and I often see much activity in
Task Manager for various AVG services. In the AVG user interface there
seems no way to toggle its various elements on/off in order to test
it. So I'm experimenting with AutoRun for this.
 
Terry Pinnell

Terry Pinnell said:
OK, I've installed it. But can you confirm that you're suggesting I
use the SCAN tab, not the default BENCHMARK? My main drive is 750 GB
and I also have another identical one for backups, plus an external
1TB drive. I suspect even the first (C:) will take a long time, so
I'll do that overnight.


CPU is an Intel Core 2 Quad Core Q9450 (2.66 GHz, 12 MB cache, 1333
MHz) with PCI-Express Mainboard - SLI nForce 650i SLI(C55)

Meanwhile, before I do any scans, here are the pastes you requested
from the Info & Health tabs respectively. One initial query that's not
directly related to my post is why my two HDs are not running under
UDMA Mode 7. Whatever that is, I assume it's faster?

INFO
*****

HD Tune: SAMSUNG HD753LJ Information

Firmware version : 1AA01109
Serial number : S13UJ1KQ244327
Capacity : 698.6 GB (~750.2 GB)
Buffer size : 33553920 bytes
Standard : ATA/ATAPI-0 - SATA II
Supported mode : UDMA Mode 7 (Ultra ATA/512)
Current mode : UDMA Mode 6 (Ultra ATA/133)

S.M.A.R.T : yes
48-bit Address : yes
Read Look-Ahead : yes
Write Cache : yes
Host Protected Area : yes
Device Configuration Overlay : yes
Automatic Acoustic Managment : yes
Power Managment : yes
Advanced Power Managment : yes
Power-up in Standby : yes
Security Mode : yes
Firmware Upgradable : yes

Partition : 1
Drive letter : C:\
Label :
Capacity : 715394 MB
Usage : 26.21%
Type : NTFS
Bootable : Yes

===================
HD Tune: SAMSUNG HD753LJ Information

Firmware version : 1AA01109
Serial number : S13UJ1KQ244325
Capacity : 698.6 GB (~750.2 GB)
Buffer size : 33553920 bytes
Standard : ATA/ATAPI-0 - SATA II
Supported mode : UDMA Mode 7 (Ultra ATA/512)
Current mode : UDMA Mode 6 (Ultra ATA/133)

S.M.A.R.T : yes
48-bit Address : yes
Read Look-Ahead : yes
Write Cache : yes
Host Protected Area : yes
Device Configuration Overlay : yes
Automatic Acoustic Managment : yes
Power Managment : yes
Advanced Power Managment : yes
Power-up in Standby : yes
Security Mode : yes
Firmware Upgradable : yes

Partition : 1
Drive letter : I:\
Label : BackupEtc
Capacity : 715402 MB
Usage : 35.32%
Type : NTFS
Bootable : No

====================

HD Tune: WD 10EAVS External Information

Firmware version : 1.75
Serial number :
Capacity : 931.5 GB (~1000.2 GB)
Buffer size : 0 KB
Standard :
Supported mode :
Current mode :

S.M.A.R.T : no
48-bit Address : no
Read Look-Ahead : no
Write Cache : no
Host Protected Area : no
Device Configuration Overlay : no
Automatic Acoustic Managment : no
Power Managment : no
Advanced Power Managment : no
Power-up in Standby : no
Security Mode : no
Firmware Upgradable : no

Partition : 1
Drive letter : K:\
Label : My Book
Capacity : 953867 MB
Usage : 22.56%
Type : NTFS
Bootable : No
====================

HEALTH
******

HD Tune: SAMSUNG HD753LJ Health

ID Current Worst Thres Data Status
(01) Raw Read Error Rate 100 100 51 0 Ok
(03) Spin Up Time 77 77 11 7770 Ok
(04) Start/Stop Count 100 100 0 82 Ok
(05) Reallocated Sector Count 100 100 10 0 Ok
(07) Seek Error Rate 100 100 51 0 Ok
(08) Seek Time Performance 100 100 15 0 Ok
(09) Power On Hours Count 98 98 0 7817 Ok
(0A) Spin Retry Count 100 100 51 0 Ok
(0B) Calibration Retry Count 100 100 0 0 Ok
(0C) Power Cycle Count 100 100 0 82 Ok
(0D) Soft Read Error Rate 100 100 0 0 Ok
(B7) (unknown attribute) 100 100 0 0 Ok
(B8) (unknown attribute) 100 100 99 0 Ok
(BB) (unknown attribute) 100 100 0 0 Ok
(BC) (unknown attribute) 100 100 0 0 Ok
(BE) (unknown attribute) 71 67 0 538050589 Ok
(C2) Temperature 71 64 0 571605021 Ok
(C3) Hardware ECC Recovered 100 100 0 7310226 Ok
(C4) Reallocated Event Count 100 100 0 0 Ok
(C5) Current Pending Sector 100 100 0 0 Ok
(C6) Offline Uncorrectable 100 100 0 0 Ok
(C7) Ultra DMA CRC Error Count 100 100 0 0 Ok
(C8) Write Error Rate 100 100 0 0 Ok
(C9) (unknown attribute) 100 100 0 0 Ok

Power On Time : 7817
Health Status : Ok
===================
HD Tune: SAMSUNG HD753LJ Health

ID Current Worst Thresh Data Status
(01) Raw Read Error Rate 100 100 51 0 Ok
(03) Spin Up Time 78 78 11 7520 Ok
(04) Start/Stop Count 100 100 0 79 Ok
(05) Reallocated Sector Count 100 100 10 0 Ok
(07) Seek Error Rate 253 253 51 0 Ok
(08) Seek Time Performance 100 100 15 0 Ok
(09) Power On Hours Count 98 98 0 7817 Ok
(0A) Spin Retry Count 100 100 51 0 Ok
(0B) Calibration Retry Count 100 100 0 0 Ok
(0C) Power Cycle Count 100 100 0 79 Ok
(0D) Soft Read Error Rate 100 100 0 0 Ok
(B7) (unknown attribute) 100 100 0 0 Ok
(B8) (unknown attribute) 100 100 99 0 Ok
(BB) (unknown attribute) 100 100 0 0 Ok
(BC) (unknown attribute) 100 100 0 0 Ok
(BE) (unknown attribute) 73 69 0 470876187 Ok
(C2) Temperature 73 67 0 487653403 Ok
(C3) Hardware ECC Recovered 100 100 0 3517944 Ok
(C4) Reallocated Event Count 100 100 0 0 Ok
(C5) Current Pending Sector 100 100 0 0 Ok
(C6) Offline Uncorrectable 100 100 0 0 Ok
(C7) Ultra DMA CRC Error Count 100 100 0 0 Ok
(C8) Write Error Rate 100 100 0 0 Ok
(C9) (unknown attribute) 253 253 0 0 Ok

Power On Time : 7817
Health Status : Ok
====================
 
Gerry

Terry

I am struggling with the Event Viewer reports. Found similar reports but not
many identical. I found your post last January.

What is your version of Windows XP -Home, Professional or whatever?

Can you please check the StartUp type for the services mentioned below.

Select Start, Control Panel, Administrative Tools, Services and right click
on Com + Event System and select Properties. The StartUp type should be
Manual.

Repeat for System Event Notification. The StartUp type should be Automatic.

Repeat for Com + System Applications. The StartUp type should be Manual.

Repeat for DCOM Server Process Launcher. The StartUp type should be
Automatic.

Would you please check C:\Program Files\ComPlus Applications and advise
details of any applications listed there. You may not have any. Make sure
you are able to see Hidden System files.

Some solutions to similar errors refer to unregistering MobSync.exe.
However, I suggest we sit on that idea until we see what is revealed by my
earlier questions.

The reports from HD Tune are fine. With these Event Viewer reports I do not
think a surface scan is required. It would take quite a time. Benchmarking
is not needed.


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 
Terry Pinnell

Gerry said:
Terry

I am struggling with the Event Viewer reports. Found similar reports but not
many identical. I found your post last January.

What is your version of Windows XP -Home, Professional or whatever?

Can you please check the StartUp type for the services mentioned below.

Select Start, Control Panel, Administrative Tools, Services and right click
on Com + Event System and select Properties. The StartUp type should be
Manual.

Repeat for System Event Notification. The StartUp type should be Automatic.

Repeat for Com + System Applications. The StartUp type should be Manual.

Repeat for DCOM Server Process Launcher. The StartUp type should be
Automatic.

Would you please check C:\Program Files\ComPlus Applications and advise
details of any applications listed there. You may not have any. Make sure
you are able to see Hidden System files.

Some solutions to similar errors refer to unregistering MobSync.exe.
However, I suggest we sit on that idea until we see what is revealed by my
earlier questions.

The reports from HD Tune are fine. With these Event Viewer reports I do not
think a surface scan is required. It would take quite a time. Benchmarking
is not needed.

Thanks Gerry. I'll report back with answers tomorrow.

29 April 2009, 22:38 UK time
 
Terry Pinnell

Gerry said:
Terry

I am struggling with the Event Viewer reports. Found similar reports but not
many identical. I found your post last January.

What is your version of Windows XP -Home, Professional or whatever?

XP Pro, SP2.
Can you please check the StartUp type for the services mentioned below.


Select Start, Control Panel, Administrative Tools, Services and right click
on Com + Event System and select Properties. The StartUp type should be
Manual.
Yes.

Repeat for System Event Notification. The StartUp type should be Automatic.

No such Service! I know from my old notes that I used to have it, in
between 'SSDP Discovery Service' and 'System Restore Service'. Where
can it have gone? Is this definitely included with XP Pro?
Repeat for Com + System Applications. The StartUp type should be Manual.

Yes. (It's currently Stopped; is that OK?)
Repeat for DCOM Server Process Launcher. The StartUp type should be
Automatic.
Yes

Would you please check C:\Program Files\ComPlus Applications and advise
details of any applications listed there. You may not have any. Make sure
you are able to see Hidden System files.

Folder is empty. (Nothing is hidden.)
Some solutions to similar errors refer to unregistering MobSync.exe.
However, I suggest we sit on that idea until we see what is revealed by my
earlier questions.

If we're talking about the same thing then, yes, I tracked down an MS
article suggesting running this:
regsvr32 "%systemroot%\system32\mobsync.dll" /u
I did so anyway, from the RUN box! What would be the corresponding
command if I need to reverse it please?
The reports from HD Tune are fine. With these Event Viewer reports I do not
think a surface scan is required. It would take quite a time. Benchmarking
is not needed.

And in Event Viewer this morning there's another batch of 16
'Warnings' identical to those on 28th April that I reported. The time
stamp is 15:11. And under System I see one warning at 15:08:

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 29/04/2009
Time: 15:08:17
User: N/A
Computer: TERRY-INTEL
Description:
TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts.

But my system doesn't seem noticeably sluggish at present. So we're
dealing with a one-off or intermittent problem. Still an incredible
number of those Lsass.exe entries in ProcMon, FWIW. But from Alister's
reply I gather these could be perfectly valid and no source of
concern.
 
Terry Pinnell

Gerry said:
Terry

System Event Notification
http://www.blackviper.com/WinXP/Services/System_Event_Notification.htm

Will need to check what is needed to get it back.

I have some work to do today so my available free time for research is
limited until later.

Thanks Gerry, appreciate your help. No hurry anyway - I reckon this
will take some time to sort ;-)

I had tried the Black Viper site (and quite a few more) but so far
I've found none that mention the ABSENCE of this service from the
list.
 
Gerry

Terry

Registering a dll -see link
http://www.symatech.net/register-dll

Do you have a sens.dll in your system 32 folder?

c:\windows\system32\sens.dll

A description of Svchost.exe in Windows XP Professional Edition
http://support.microsoft.com/kb/314056

Please note the details of the Registry keys.

Select Start, Control Panel, Administrative Tools, Services and right click
on IPSEC Service and select Properties. The StartUp type should be
Automatic.

Repeat for Protected Storage. The StartUp type should be Automatic.

Repeat for Security Accounts Manager. The StartUp type should be Automatic.

What firewall are you using?


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Terry Pinnell

Gerry said:
Terry

Registering a dll -see link
http://www.symatech.net/register-dll

Thanks Gerry, duly bookmarked.
Do you have a sens.dll in your system 32 folder?
c:\windows\system32\sens.dll

Yes. 38.0 KB (38,912 bytes), created 28 February 2006.
A description of Svchost.exe in Windows XP Professional Edition
http://support.microsoft.com/kb/314056

Looks a bit daunting. Will study later.
Please note the details of the Registry keys.

Select Start, Control Panel, Administrative Tools, Services and right click
on IPSEC Service and select Properties. The StartUp type should be
Automatic.

Yes, it is.
Repeat for Protected Storage. The StartUp type should be Automatic.

It was manual, now auto.
Repeat for Security Accounts Manager. The StartUp type should be Automatic.

I had this disabled. Is it needed for a stand-alone user? Meanwhile,
I've set it to auto.
What firewall are you using?

The built-in XP version.
 
Gerry

Terry

Select Start, Control Panel, Administrative Tools, Services and right
click on Distributed Transaction Coordinator Service and select
Properties. The StartUp type should be Manual.

Is System Event Notification still missing from the list of services?

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Terry Pinnell

Gerry said:
Terry

Select Start, Control Panel, Administrative Tools, Services and right
click on Distributed Transaction Coordinator Service and select
Properties. The StartUp type should be Manual.

I had it disabled (another one of those recommendations I'd read).
After setting it to Manual I couldn't start it, but after looking at
its dependencies I changed Security Accounts to Manual Started and
then I could start Distributed Transaction Coordinator Service.
Is System Event Notification still missing from the list of services?

But after closing & restarting Services, System Event Notification is
still missing.

And I'm now back to that sluggish performance, with many Lsass.exe
entries again displayed in Process Monitor.