Re: lsass.exe process
From: Les Connor [SBS MVP] (les.connor_at_DEL.cfive.ca)
Date: 06/08/04
- Next message: Alex B: "Re: FTP/license"
- Previous message: Timothy A. Zank: "Free CAL Offer"
- In reply to: -Xanon: "Re: lsass.exe process"
- Next in thread: -Xanon: "Re: lsass.exe process"
- Reply: -Xanon: "Re: lsass.exe process"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 8 Jun 2004 16:37:30 -0500
My store private bytes are in that range, server has 3 gb ram. Prior to sp1
is was ~ 900 mb lower, which is somewhat consistent with the behaviour we
are instructed to expect.
On a different server with 1 gb of ram and a different workload the number
is much smaller. Hence Ray says the threshold should be established in the
environment. I just don't know how they got away with having a defaul
threshold work in the first place - unless it was sufficiently high to be of
little value.
There are no real issues with this, my only interest is in finding an easy
way to recalibrate the threshold to a hopefully meaningful value.
-- Les Connor [SBS MVP] ------------------------------------- SBS Rocks ! "-Xanon" <anonymous@discussions.microsoft.com> wrote in message news:559F3211-7CE1-4FA9-91BB-26A5CBBD7B2F@microsoft.com... > Thank you for the tips and compilation Les! As it turns out I have been monitoring both lsass.exe and store.exe using Perfmon (the best tool for finding resource leaks in Windows ... hands down). I will adjust the health monitor settings per your suggestion to cut down on the noise and spam. > > Of major concern ... Perfmon reports 586, 010, 624 of avg. _private_bytes_. This is a significantly higher number than yours and others I've seen reported. It does not seem to be climbing at the moment. (2 users) Also of interest and concern is the 1.3 GB peak reading I'm seeing for Peak Virtual Bytes. I wonder if the instrumentation is still intact after the Exchg2K3 SP1 upgrade? > > Thanks Again!! > > -Xanon > > ----- Les Connor [SBS MVP] wrote: ----- > > Getting alert notifications ? Store isn't actually using more memory > overall; it's using more private bytes and less (other) bytes. The health > monitor is counting private byte use, and now the default threshold is being > exceeded. Taskmgr isn't going to help you much, you have to use perfmon to > track the process more granularly. > > Here's about all I know about this: (not ready for prime time warning) > > <snip> > But here is something that's worth a try: (kind of a one-size-might-fit-all > solution, like the original threshold). But emphasis on the -might- part. > > By default, the threshold is 104,857,600 bytes (commas added for > readability). > Store private bytes increases by about 940 mb with sp1, say the exchange > people. I found that to be approximately accurate. > > So, 940 x 1024 x 1024 = 985,661,440 bytes. Let's round it to 1,000,000,000. > > Take your original threshold value and add the round number, you get > 1,104,857,600. > > That might work. > > There is an accurate way. (follows below) But is it worth the trouble ? I > have used the accurate method on one server. It works. I'm about to use the > one size might fit method on another. > > Les. > > <snip> > From: Raymond Fong > Subject: RE: E2k3 SP1 and Store Private Bytes > > > I wouldn't look at the Health Monitor for the average. Instead, bring up > Performance Monitor (Admin Tools -> Performance). > Next, right-click Counter Logs, specify Store.exe Private Byte as the name. > Next, click Add Counters, select Process, Private Bytes, Store, click Add > and Close. > Next, set the Interval to 5 minutes. Click the Log Files and write down the > location of the log file. Click the Schedule tab, set the Start log to > Manually. Set the Stop log to After 2 Days. Click OK. > Next, right click the task and select Start. > > Let it run for 2 days. Check the size of the log about 12 or 24 hours later, > make sure it is not taking up much of the disk space. > > When it is over, use the Performance monitor, click System Monitor, then > click View Log Data (Ctrl + L). Change the Data Source to Log files and > click add the add the log. Click the Data tab and click add to add the Store > private byte counter. From the screen you can get the "Average" (Look toward > the bottom) and the Maximum. I would add 30% more to the Average and > hopefully it should be more than the "Maximum". Now, use that number for the > threshold. > > And all SBS will have the same threshold and it's not going to work for > everyone especially everyone has a different hardware and workload. The > number there is just a ballpark figure. The best is to fine tune the > settings and figure out the best number. The 30% is just a number I feel > comfortable. You can make it 25% or 50%. Alert is just an alert. Once you > got the alert, then the next step is to use Performance Monitor to find out > if it will continue using more and more and not release the memory. If it > drops back down and the server still function fine, then you may need to > increase the threshold to avoid false alarm. > > Ray > <endsnip> > > -- > Les Connor [SBS MVP] > ------------------------------------- > SBS Rocks ! > > > > "-Xanon" <anonymous@discussions.microsoft.com> wrote in message > news:7562BB0F-8A18-4671-A096-11B951B643CD@microsoft.com... > >> I had followed the directions in the Exchange 2003 SP 1 Release Notes > document (\\Exchange 2003\ReleaseNotes.HTM) cited below: > >> When you use the /3GB switch, set the hexadecimal value of the following > registry key to 0x00040000: > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session > Manager\HeapDeCommitFreeBlockThreshold > > Set the decimal value of the following registry key to zero: > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory > Management\SystemPages > >> The fix was to reset the Registry Key > 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session > Manager\HeapDeCommitFreeBlockThreshold ' back to 0. > >> lsass.exe is now behaving itself. store.exe is still holding onto +500 > _MB_ of private store (two users). Hard to believe that number. Maybe the > Perf Counter is off by a decimal or two? Anyone? > >> One Down One to Go. > >> -Xanon > >>>> ----- -Xanon wrote: ----- > >> Andrew, > >> Have your users logged into RWW and copied files to/from the > server/inside workstatiion using the remote session? > >> Here I found: > >> The symptoms described below (specifically lsass.exe) may be related > to moving files (large files) via RWW. After successfully copying a backup > set (+ 3GB) from the server to a remote workstation, logging off, and then > trying to login to the server again via RWW IE displayed Error 500, and in > small print, 'Bandwidth Limitations exceeded'. When I checked the server > locally it was showing all of available virtual memory was in use... most of > it (+2 GB) by lsass.exe, etc. etc. A reboot was necessary to clear the dust. > I repeated the experiment one more time and got the same results. > >> Moving the same file from the server to an inside workstation via > windows explorer does not seem to cause this problem. > >>> -Xanon > >>> ----- -Xanon wrote: ----- > >> Here too ... > >> Running SBS2K3 Prem, Two NICs, SMP, 2GB Ram, Adaptec SCSI > Controllers (Raid 10, Raid 5), Exchg2K3 w/SP1 (Applied the /3GB /USERVA=3030 > update to boot.ini and updated registry settings per readme.html.) No ISA or > SQL2K yet. AV and Spam Sheilds by Trend Micro, CSM. Sits behind 'Stateful > Inspection' FWs, etc. > >> No sign of Sasser and Friends. The problem began to show up > after applying Exch2K3 SP1 along with a similar 'complaint' from store.exe. > Outbound connection queues also failing more than not with the message > 'Unable to bind to DNS' and the address cited in the queue matches the > address cited in the message. Used nslookup, and address lookup (default > server) worked fine. > >> At least ntbackup and VSS are working (again) ! <G>>> And the 'users can't login via RWW or OWA, from anywhere, etc.' > problem is back. A workaround (Wizard - add new user as Admin, (quickly) > revoke Admin, then add user to Mobile Users group manually.) Works for us. > >> Any suggestions (Note to 'roots', BSD is not an option in this > case) would be apprecated. > >> And before I forget ... Thank You To All the 'MVP's for taking > the time to participate and respond! > >> -Xanon > >>> ----- Jason Epperly [MSFT] wrote: ----- > >> Take a look at > http://www.microsoft.com/security/incident/sasser.asp. Please > > reply back to the group if this does not resolve the > problem. > > Thanks! > >> -- > > Jason Epperly > > Microsoft SBS Support > > ===================================================== > > When responding to posts, please "Reply to Group" via > > your newsreader so that others may learn and benefit > > from your issue. > > ===================================================== > > This posting is provided "AS IS" with no warranties, and > confers no rights. > >>> "Andrew B. Abrams" <andrew@ptllc.net> wrote in message > > news:ep6wivPOEHA.3300@TK2MSFTNGP09.phx.gbl... > >> I keep getting the following error message. Could this > be a virus? > >>> Alert on TRI01 at 5/8/2004 10:47:15 PM > >>> The lsass.exe process is allocating more memory than > usual. > >>> Use Task Manager to view the top processes by CPU or > memory usage. If a > >> service or process appears to be using an unusual amount > of resources, try > >> stopping and then restarting it. > >>> You can disable this alert or change its threshold by > using the Change > > Alert > >> Notifications task in the Server Management Monitoring > and Reporting > >> taskpad. > >>>>> Any help would be appreciated. > >>>>> Andrew > >>>
- Next message: Alex B: "Re: FTP/license"
- Previous message: Timothy A. Zank: "Free CAL Offer"
- In reply to: -Xanon: "Re: lsass.exe process"
- Next in thread: -Xanon: "Re: lsass.exe process"
- Reply: -Xanon: "Re: lsass.exe process"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
