
Lsass.exe Causing Runaway I/O Writes


6 replies to this topic

#1 Gator Girl

Gator Girl

  • Members
  • 3 posts
  • Local time:05:29 AM

Posted 02 January 2008 - 09:28 AM

I am running under Windows XP Home, SP2. I noticed that my disk is constantly cranking, even when I'm not logged on. After investigating for a number of days, using Task Manager and pulling up the I/O writes column, I found that lsass.exe is performing an unbelievable number of writes. I've had the computer up for about 15 minutes this morning, and there have already been 15,000 writes.

I've already done the following, multiple times:

Scanned for viruses
Ran AdAware
Ran Spybot

I also did some house cleaning, uninstalling unused programs, defragmenting the drive, cleaning up temp folders.

Nothing has worked. Please help!


#2 sharpe95

sharpe95

  • Members
  • 73 posts
  • Gender:Male
  • Local time:04:29 AM

Posted 02 January 2008 - 10:45 AM

"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.


http://www.neuber.com/taskmanager/process/lsass.exe.html

If lsass.exe isn't located in C:\Windows\System32, then it's probably a malicious file. Can you check where lsass.exe is located using Task Manager or another program?

EDIT: I looked at the comments on that url, and one showed:

It's just a normal OS file. If you have problems with your computer shutting you down saying there was an error with it... then you should look into the Sasser virus. Once you update to Windows XP Service Pack 2 you will have the lsass.exe file in two if not 3 folders. All three in Windows: one in the service packet folder, one in the system32 folder, and one on some computers is in a folder called SoftwareDistribution. If the file is in any or all of these directories it is fine.


Edited by sharpe95, 02 January 2008 - 10:50 AM.


#3 Gator Girl

Gator Girl
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:29 AM

Posted 02 January 2008 - 11:04 AM

Thanks for the quick reply. I checked and lsass.exe is running under:

C:\WINDOWS\System32\lsass.exe

#4 Gator Girl

Gator Girl
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:29 AM

Posted 02 January 2008 - 11:08 AM

I went back to double check -- it's running under

C:\WINDOWS\system32\lsass.exe (with a little "s")

Is that significant? Some system processes are running under System32, some under system32.

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio
  • Local time:06:29 AM

Posted 02 January 2008 - 11:40 AM

I would post in our malware forum to make sure
Mark

#6 tswsl1989

tswsl1989

  • Members
  • 260 posts
  • Gender:Male
  • Location:Cymru/Wales
  • Local time:11:29 AM

Posted 02 January 2008 - 11:48 AM

This seems to be a relatively common issue. Look for "Lsass disk writes" on Google. www.google.co.uk/search?q=Lsass+disk+writes
The System32/system32 distinction is unlikely to be significant as, although Windows XP preserves the case used in naming files, WXP is not case-sensitive, so system32 and System32 (and even SYSTEM32) are all equally valid.

Check the malware forum JIC though
Tom

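The location check discussed in this thread, as an added example that is not part of any poster's message: it classifies the image paths of running processes, comparing case-insensitively so that System32 and system32 are treated as the same directory, and (going beyond the thread) flags names within one character of lsass.exe. The `C:\Windows` root, the function names and the sample process list are constructed assumptions.

```python
import ntpath

# Assumption: default install root; on a live host read %SystemRoot% instead.
SYSTEM_ROOT = r"C:\Windows"
EXPECTED = ntpath.normcase(ntpath.join(SYSTEM_ROOT, "System32", "lsass.exe"))

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return 'expected', 'wrong-location', 'lookalike-name' or 'unrelated'."""
    # normcase lowercases and unifies slashes: Windows paths are not case-sensitive.
    norm = ntpath.normcase(ntpath.normpath(image_path))
    name = ntpath.basename(norm)
    if name == "lsass.exe":
        return "expected" if norm == EXPECTED else "wrong-location"
    if edit_distance(name, "lsass.exe") <= 1:
        return "lookalike-name"
    return "unrelated"

def audit(processes):
    """Return (pid, path, verdict) for every entry that needs a closer look."""
    return [(pid, path, verdict) for pid, path in processes
            if (verdict := classify(path)) in ("wrong-location", "lookalike-name")]

# Constructed sample data (not taken from the thread).
SAMPLE = [
    (632, r"C:\WINDOWS\system32\lsass.exe"),
    (1810, r"C:\WINDOWS\System32\LSASS.EXE"),
    (2044, r"C:\Documents and Settings\Owner\Local Settings\Temp\lsass.exe"),
    (2210, r"C:\WINDOWS\system32\lsasss.exe"),
    (900, r"C:\WINDOWS\system32\svchost.exe"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
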

#7 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,077 posts
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:05:29 AM

Posted 02 January 2008 - 04:57 PM

The lsass exploit was supposed to be fixed in SP2 - but there are still viruses out there masquerading as variants of it. But, since this is the correct name and it's in the correct directory I wouldn't expect it to be a virus.

I have seen issues with lsass.exe and some Windows Update issues - so I'd wonder if that was the problem here. But the visit to the malware forums is probably a good thing to do just to be sure.



