Re: lsass.exe process
From: -Xanon (anonymous_at_discussions.microsoft.com)
Date: 06/08/04
- Next message: anonymous_at_discussions.microsoft.com: "Re: OWA and RWW"
- Previous message: David Copeland [MSFT]: "Re: Multple exchange stores in SBS2003"
- In reply to: Les Connor [SBS MVP]: "Re: lsass.exe process"
- Next in thread: Les Connor [SBS MVP]: "Re: lsass.exe process"
- Reply: Les Connor [SBS MVP]: "Re: lsass.exe process"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 8 Jun 2004 13:51:02 -0700
Thank you for the tips and compilation Les! As it turns out I have been monitoring both lsass.exe and store.exe using Perfmon (the best tool for finding resource leaks in Windows ... hands down). I will adjust the health monitor settings per your suggestion to cut down on the noise and spam.
Of major concern ... Perfmon reports 586, 010, 624 of avg. _private_bytes_. This is a significantly higher number than yours and others I've seen reported. It does not seem to be climbing at the moment. (2 users) Also of interest and concern is the 1.3 GB peak reading I'm seeing for Peak Virtual Bytes. I wonder if the instrumentation is still intact after the Exchg2K3 SP1 upgrade?
Thanks Again!!
-Xanon
----- Les Connor [SBS MVP] wrote: -----
Getting alert notifications ? Store isn't actually using more memory
overall; it's using more private bytes and less (other) bytes. The health
monitor is counting private byte use, and now the default threshold is being
exceeded. Taskmgr isn't going to help you much, you have to use perfmon to
track the process more granularly.
Here's about all I know about this: (not ready for prime time warning)
<snip>
But here is something that's worth a try: (kind of a one-size-might-fit-all
solution, like the original threshold). But emphasis on the -might- part.
By default, the threshold is 104,857,600 bytes (commas added for
readability).
Store private bytes increases by about 940 mb with sp1, say the exchange
people. I found that to be approximately accurate.
So, 940 x 1024 x 1024 = 985,661,440 bytes. Let's round it to 1,000,000,000.
Take your original threshold value and add the round number, you get
1,104,857,600.
That might work.
There is an accurate way. (follows below) But is it worth the trouble ? I
have used the accurate method on one server. It works. I'm about to use the
one size might fit method on another.
Les.
<snip>
From: Raymond Fong
Subject: RE: E2k3 SP1 and Store Private Bytes
I wouldn't look at the Health Monitor for the average. Instead, bring up
Performance Monitor (Admin Tools -> Performance).
Next, right-click Counter Logs, specify Store.exe Private Byte as the name.
Next, click Add Counters, select Process, Private Bytes, Store, click Add
and Close.
Next, set the Interval to 5 minutes. Click the Log Files and write down the
location of the log file. Click the Schedule tab, set the Start log to
Manually. Set the Stop log to After 2 Days. Click OK.
Next, right click the task and select Start.
Let it run for 2 days. Check the size of the log about 12 or 24 hours later,
make sure it is not taking up much of the disk space.
When it is over, use the Performance monitor, click System Monitor, then
click View Log Data (Ctrl + L). Change the Data Source to Log files and
click add the add the log. Click the Data tab and click add to add the Store
private byte counter. From the screen you can get the "Average" (Look toward
the bottom) and the Maximum. I would add 30% more to the Average and
hopefully it should be more than the "Maximum". Now, use that number for the
threshold.
And all SBS will have the same threshold and it's not going to work for
everyone especially everyone has a different hardware and workload. The
number there is just a ballpark figure. The best is to fine tune the
settings and figure out the best number. The 30% is just a number I feel
comfortable. You can make it 25% or 50%. Alert is just an alert. Once you
got the alert, then the next step is to use Performance Monitor to find out
if it will continue using more and more and not release the memory. If it
drops back down and the server still function fine, then you may need to
increase the threshold to avoid false alarm.
Ray
<endsnip>
--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !
"-Xanon" <anonymous@discussions.microsoft.com> wrote in message
news:7562BB0F-8A18-4671-A096-11B951B643CD@microsoft.com...
>> I had followed the directions in the Exchange 2003 SP 1 Release Notes
document (\\Exchange 2003\ReleaseNotes.HTM) cited below:
>> When you use the /3GB switch, set the hexadecimal value of the following
registry key to 0x00040000:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\HeapDeCommitFreeBlockThreshold
> Set the decimal value of the following registry key to zero:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\SystemPages
>> The fix was to reset the Registry Key
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\HeapDeCommitFreeBlockThreshold ' back to 0.
>> lsass.exe is now behaving itself. store.exe is still holding onto +500
_MB_ of private store (two users). Hard to believe that number. Maybe the
Perf Counter is off by a decimal or two? Anyone?
>> One Down One to Go.
>> -Xanon
>>>> ----- -Xanon wrote: -----
>> Andrew,
>> Have your users logged into RWW and copied files to/from the
server/inside workstatiion using the remote session?
>> Here I found:
>> The symptoms described below (specifically lsass.exe) may be related
to moving files (large files) via RWW. After successfully copying a backup
set (+ 3GB) from the server to a remote workstation, logging off, and then
trying to login to the server again via RWW IE displayed Error 500, and in
small print, 'Bandwidth Limitations exceeded'. When I checked the server
locally it was showing all of available virtual memory was in use... most of
it (+2 GB) by lsass.exe, etc. etc. A reboot was necessary to clear the dust.
I repeated the experiment one more time and got the same results.
>> Moving the same file from the server to an inside workstation via
windows explorer does not seem to cause this problem.
>>> -Xanon
>>> ----- -Xanon wrote: -----
>> Here too ...
>> Running SBS2K3 Prem, Two NICs, SMP, 2GB Ram, Adaptec SCSI
Controllers (Raid 10, Raid 5), Exchg2K3 w/SP1 (Applied the /3GB /USERVA=3030
update to boot.ini and updated registry settings per readme.html.) No ISA or
SQL2K yet. AV and Spam Sheilds by Trend Micro, CSM. Sits behind 'Stateful
Inspection' FWs, etc.
>> No sign of Sasser and Friends. The problem began to show up
after applying Exch2K3 SP1 along with a similar 'complaint' from store.exe.
Outbound connection queues also failing more than not with the message
'Unable to bind to DNS' and the address cited in the queue matches the
address cited in the message. Used nslookup, and address lookup (default
server) worked fine.
>> At least ntbackup and VSS are working (again) ! <G>>> And the 'users can't login via RWW or OWA, from anywhere, etc.'
problem is back. A workaround (Wizard - add new user as Admin, (quickly)
revoke Admin, then add user to Mobile Users group manually.) Works for us.
>> Any suggestions (Note to 'roots', BSD is not an option in this
case) would be apprecated.
>> And before I forget ... Thank You To All the 'MVP's for taking
the time to participate and respond!
>> -Xanon
>>> ----- Jason Epperly [MSFT] wrote: -----
>> Take a look at
http://www.microsoft.com/security/incident/sasser.asp. Please
> reply back to the group if this does not resolve the
problem.
> Thanks!
>> --
> Jason Epperly
> Microsoft SBS Support
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and
confers no rights.
>>> "Andrew B. Abrams" <andrew@ptllc.net> wrote in message
> news:ep6wivPOEHA.3300@TK2MSFTNGP09.phx.gbl...
>> I keep getting the following error message. Could this
be a virus?
>>> Alert on TRI01 at 5/8/2004 10:47:15 PM
>>> The lsass.exe process is allocating more memory than
usual.
>>> Use Task Manager to view the top processes by CPU or
memory usage. If a
>> service or process appears to be using an unusual amount
of resources, try
>> stopping and then restarting it.
>>> You can disable this alert or change its threshold by
using the Change
> Alert
>> Notifications task in the Server Management Monitoring
and Reporting
>> taskpad.
>>>>> Any help would be appreciated.
>>>>> Andrew
>>>
- Next message: anonymous_at_discussions.microsoft.com: "Re: OWA and RWW"
- Previous message: David Copeland [MSFT]: "Re: Multple exchange stores in SBS2003"
- In reply to: Les Connor [SBS MVP]: "Re: lsass.exe process"
- Next in thread: Les Connor [SBS MVP]: "Re: lsass.exe process"
- Reply: Les Connor [SBS MVP]: "Re: lsass.exe process"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
