Re: 100% cpu usage for LSASS.EXE on DC intermittently, consistent



"Phillip Windell" wrote:

> > I've done a simple procedure that appears to have eliminated the issue.
> > Please bear with me for 24 hours and I'll get back to you on what has
> > happened between now and then with this issue.
>
> Sounds good. We'll see what happens.
>

Last night I disconnected the specific DC from the network for 5 mins. I
didn't reboot (i.e. didn't clear memory of any executing programs). For the
next 15 hours the server's behavior was normal (usual per previous
experience).

When I checked on the 16th hour LSASS.EXE was again running at 98% for 10
sec, then there was an interval of 60 secs when cpu was normal (pretty much
idle on this DC), then the cycle repeats, just like the event looked before.

Tonight after hours I intend to reboot this DC to see if it forces this
'event' to move to another DC just like the previous reboot did last weekend
when I caused the event to move to this DC...

I still don't see any evidence of worm activity in the sniffer capture logs
(in either direction). I also don't see a lot of difference in the sniffer
logs between when the event was not occurring and when it is occurring (that
is, there is no spike in either network traffic or communication patterns
(hosts contacted) when CPU spikes, as I would expect with a network worm).

As a standard practice I don't load any 3rd party software on my DCs. But
I'm considering putting up a temporary DC (think of it as a honey-pot) with
an AV as you suggest. If I do, can you answer the following?

1) If I then log a pay call to MS on this after I install an AV on the DC,
will Microsoft still support it?

2) We have a site license for McAfee AV (currently at version 8.0i). Is that
a supported AV on a DC?

3) Are there any known requirements (features to turn on/off) for installing
an AV on a DC to be considered still running a 'supported' installation?

I intend to move my W2K AD domain to W2K3 this summer, and if installing an
AV on DCs is a recommended option, I'd like to know that before I start
building new servers. I prefer new builds to upgrades.

Finally, even though you don't want to entertain this option: what TCP/UDP
port does LSASS.EXE listen on for inbound traffic? I'd like to filter my
sniffer captures by this port to see who is kicking off that process by
remotely sending packets to this server.
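On the last question: there is no single LSASS port. On a domain controller LSASS.EXE itself hosts LDAP and Global Catalog (389/636 and 3268/3269), Kerberos and kpasswd (88 and 464), plus Netlogon/SAM RPC on a dynamic high port; the RPC endpoint mapper (135) and SMB (445) belong to other processes. Rather than guess, read the ports off the box: `tasklist` gives the lsass.exe PID and `netstat -ano` lists sockets with their owning PID. The script below is an added example, not part of the original thread, that parses constructed copies of that output (the listing is fabricated for the example; the port numbers are the ones LSASS normally owns on a DC) and builds a BPF capture filter for tcpdump or a Wireshark capture filter. The column layout assumed is that of the Windows `netstat -ano` text output (PID as last column, LISTENING state on TCP rows, no state on UDP rows).

```python
"""Derive the ports owned by lsass.exe from `netstat -ano` + `tasklist` output
and build a sniffer capture filter for them.

Added example: the two sample listings below are constructed, not captured
from a real DC. Run the real commands on the DC and paste their output in
place of the samples.
"""
import re

# Constructed sample of: tasklist /fi "imagename eq lsass.exe"
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
lsass.exe                      256 Console                    0     20,144 K
"""

# Constructed sample of: netstat -ano   (PID is the last column).
# PID 256 = lsass.exe, 748 = the RPC endpoint mapper's svchost, 4 = System.
# 1026 stands in for the dynamic RPC port Netlogon registers in LSASS.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       256
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       256
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       256
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       256
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       256
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       256
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       256
  TCP    192.168.1.10:389       192.168.1.57:1411      ESTABLISHED     256
  UDP    0.0.0.0:88             *:*                                    256
  UDP    0.0.0.0:389            *:*                                    256
  UDP    0.0.0.0:464            *:*                                    256
"""


def lsass_pids(tasklist_text):
    """Return the set of PIDs that tasklist reports for lsass.exe.

    A set, not a single value: more than one lsass.exe is itself a finding
    worth noticing (the real one has exactly one instance)."""
    pids = set()
    for line in tasklist_text.splitlines():
        m = re.match(r"^lsass\.exe\s+(\d+)\b", line.strip(), re.IGNORECASE)
        if m:
            pids.add(int(m.group(1)))
    return pids


def listening_ports(netstat_text, pids):
    """Return a set of (proto, port) tuples for sockets owned by `pids`.

    TCP rows count only in LISTENING state (established connections reuse
    the listening port anyway); UDP rows have no state column and always
    count. Handles IPv6 locals such as [::]:389 by splitting on the last ':'."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not parse
        proto, local = parts[0].lower(), parts[1]
        if not parts[-1].isdigit() or int(parts[-1]) not in pids:
            continue
        if proto == "tcp" and parts[3] != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])
        ports.add((proto, port))
    return ports


def capture_filter(ports, host=None):
    """Build a BPF expression (tcpdump / Wireshark *capture* filter syntax)
    matching traffic sent TO the given ports, optionally restricted to the
    DC's own address so the DC's outbound client traffic is excluded."""
    clauses = [f"{proto} dst port {port}" for proto, port in sorted(ports)]
    expr = " or ".join(clauses)
    if host:
        expr = f"dst host {host} and ({expr})"
    return expr


if __name__ == "__main__":
    pids = lsass_pids(TASKLIST_SAMPLE)
    ports = listening_ports(NETSTAT_SAMPLE, pids)
    print("lsass PIDs:", sorted(pids))
    print("lsass ports:", sorted(ports))
    print("capture filter:", capture_filter(ports, host="192.168.1.10"))
```

Two caveats when using the filter. First, the dynamic RPC port changes across reboots, so regenerate the filter after each restart rather than reusing yesterday's. Second, LSASS can be driven to 100% CPU without any inbound packet at all (local callers on the DC, or work LSASS schedules itself), so a capture that shows nothing arriving on these ports during the spike is a real result, not a failed capture.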

