Which process trigger lsass.exe for using lsarpc to start LsarLook

Guest

Hi,
we already have a performance problem within our application.

If we start some tasks with our DB2-Client, we can't act within our
application for a duration of 10 to 15 seconds.
Our sniffer on the network shows that lsass.exe uses the lsarpc interface to
start the operation LsarLookupNames4 with the operation # 0x4d within this
time interval against our Active Directory Controller.
It seems that the LsarLookupNames4 operation tries to resolve the SID.

Now my questions:
- Could someone explain to me which process or something else triggers
lsass.exe in order to produce this operation?
- When are these calls generated? Is this regular?
- Does DB2 Connect use this operation automatically?
- Could I manipulate this operation? If yes, how?

Thanx
 
Steven L Umbach

I don't know the direct answer but it may help to enable auditing of process
tracking in Local Security Policy on the computer to see if process tracking
events are generated that may help you identify your problem or use a real
time file monitoring program such as filemon from SysInternals/Microsoft.

Steve
 
Guest

Thank you, we will try it. Before your post I tried to catch the trigger
with Process Explorer from Sysinternals, but we have only caught the operation
0x4C.

SYMPTOMS
When you view the Application event log on a Microsoft Windows XP-based
computer, you may see the following event:
Source: Userenv, ID 1085
The Group Policy client-side extension IP Security failed to execute. Please
look for any errors reported earlier by that extension.
This event is logged even though no serious error occurred.

CAUSE
This problem may occur if a security identifier (SID) in a restricted group
cannot be mapped to a name.

Could it be that this is our problem?
--
regards
Nico


 
Steven L Umbach

I don't know if that is related but you can open Local Security Policy and
go to local policies/user rights to see if any SIDs show in the user rights
assignments that could be what is causing the ID 1085 error. You can delete
the SIDs but beware in a domain computer that could indicate a problem in
resolving domain user and group names which generally is related to a
problem with DNS configuration in the client computer or possibly even the
server and in such case you want to be real careful in deleting SIDs. A big
problem for domain computers is when an ISP DNS server is listed in the
primary/secondary list in tcp/ip properties.

Steve
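
The user-rights check described in the reply above can be scripted. The following is an added example, not part of the original thread: it exports the User Rights Assignment with secedit, tries to map every SID entry to a name, and records how long each lookup takes, so unmapped or slow-to-resolve SIDs stand out. It assumes an elevated PowerShell session on the affected client; the temporary file name is a placeholder, and the script only reports, it deletes nothing.

```powershell
# Added example: report SIDs in User Rights Assignment that do not map to a name.
# Assumption: run elevated on the affected client; user_rights.inf is a placeholder name.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$inSection = $false
$results = foreach ($line in Get-Content -Path $cfg) {
    # Track which INF section we are in; only [Privilege Rights] is of interest.
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]

    foreach ($entry in ($Matches[2] -split ',')) {
        # secedit writes SIDs with a leading '*'; plain account names are skipped.
        if ($entry.Trim() -notmatch '^\*(S-1-[\d-]+)$') { continue }
        $sidText = $Matches[1]

        # Time the SID-to-name translation; a slow or failing lookup points at
        # name resolution trouble (for example DNS) rather than at the policy itself.
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = '<not mapped>'
        } catch {
            $name = "<lookup error: $($_.Exception.Message)>"
        }
        $timer.Stop()

        [pscustomobject]@{
            Right  = $right
            Sid    = $sidText
            Name   = $name
            Millis = $timer.ElapsedMilliseconds
        }
    }
}

Remove-Item -Path $cfg
$results | Sort-Object Millis -Descending | Format-Table -AutoSize
```

Entries shown as `<not mapped>` are the candidates to review in Local Security Policy; confirm the client's DNS configuration before removing any of them.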


 
