0

I found that one of our Windows Servers (2008 R2) is using 98% of its memory (16 GB in all). In Task Manager, lsass.exe was found to be using about 15 GB of memory. After restarting the server, lsass.exe occupies about 10 MB of memory, and then grows by about 348 KB every 1 to 3 minutes. The Windows server is running WinCC and an OPC UA server.

We have tried some ways to resolve this, but none of them works :(

  1. Restarted the server without starting WinCC or the OPC UA server. The memory of lsass.exe still increases after the restart.
  2. Used antivirus software to scan the server; no virus was found.
  3. Installed some system patches (kb3156417, kb976932) after reading some related lsass.exe memory leak posts. It doesn't work. The memory of lsass.exe still increases after the restart.
  4. We installed Process Monitor and found some "useful" information. **lsass.exe does some repeated "CreateFile" operations and the result is NAME NOT FOUND, while the memory of lsass.exe increases every time.** By installing more patches or DLLs, we turned all the NAME NOT FOUND results into SUCCESS, but the memory leak does not seem to be resolved. Here are the before and after screenshots: "Some DLLs are missing and lsass.exe can't find them" and "All NAME NOT FOUND turned to SUCCESS".

We checked another healthy/normal Windows Server. There, lsass only takes 10 MB of memory and doesn't increase. Process Monitor shows no repeated operations like CreateFile. The only difference between these two servers is that the unhealthy one has the OPC UA server installed and the healthy one does not. (Screenshot: "Only one operation by lsass.exe in 15 mins".)

Now we have reached a conclusion: some unknown process has been calling lsass.exe repeatedly since the server came on. Until we find the process and fix it, we can only restart the server regularly =,=

Does anybody know which process would call lsass.exe repeatedly, or how to fix the lsass.exe memory increase?
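The repeated-operation check from step 4, as an added example that is not part of the original post: it summarizes a Process Monitor CSV export for one process, so the captures from the unhealthy and healthy servers can be compared by count and interval. The sample rows, DLL paths and the en-US "Time of Day" format are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in Process Monitor's default CSV column layout.
# Paths, PIDs and times are invented for illustration only.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:40:00.1000000 AM","lsass.exe","560","CreateFile","C:\Windows\System32\example_a.dll","NAME NOT FOUND",""
"8:40:00.5000000 AM","lsass.exe","560","CreateFile","C:\Windows\System32\example_b.dll","NAME NOT FOUND",""
"8:41:10.0000000 AM","svchost.exe","900","CreateFile","C:\Windows\Temp\x.tmp","SUCCESS",""
"8:42:00.1000000 AM","lsass.exe","560","CreateFile","C:\Windows\System32\example_a.dll","NAME NOT FOUND",""
"8:42:00.5000000 AM","lsass.exe","560","CreateFile","C:\Windows\System32\example_b.dll","NAME NOT FOUND",""
"8:43:30.0000000 AM","lsass.exe","560","RegOpenKey","HKLM\SYSTEM\Example","SUCCESS",""
"8:44:00.1000000 AM","lsass.exe","560","CreateFile","C:\Windows\System32\example_a.dll","NAME NOT FOUND",""
"8:44:00.5000000 AM","lsass.exe","560","CreateFile","C:\Windows\System32\example_b.dll","NAME NOT FOUND",""
'''

def seconds_of_day(stamp):
    """Parse '8:40:00.1000000 AM' (assumed en-US format) to seconds since midnight."""
    clock, ampm = stamp.split(" ")
    hms, _, frac = clock.partition(".")
    t = datetime.strptime(f"{hms} {ampm}", "%I:%M:%S %p")
    return t.hour * 3600 + t.minute * 60 + t.second + float("0." + (frac or "0"))

def repeated_ops(csv_text, process="lsass.exe", min_count=3):
    """Group one process's events by (operation, path, result) and return the
    groups seen at least min_count times, with count and mean interval (s)."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() == process.lower():
            key = (row["Operation"], row["Path"], row["Result"])
            times[key].append(seconds_of_day(row["Time of Day"]))
    out = []
    for key, ts in times.items():
        if len(ts) >= min_count:
            ts.sort()
            mean_gap = (ts[-1] - ts[0]) / max(len(ts) - 1, 1)
            out.append((*key, len(ts), round(mean_gap, 1)))
    return sorted(out, key=lambda r: -r[3])

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig").read() strips the BOM.
    for op, path, result, n, gap in repeated_ops(SAMPLE):
        print(f"{n:>3}x every ~{gap:>6.1f}s  {op:<12} {result:<15} {path}")
```

A mean interval that matches the observed memory growth step (every 1 to 3 minutes in the question) is the correlation worth checking first.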


1 Answer

1

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. So it's a critical system process. I would check if you have all the latest updates. You might have a lot of group policies which are being processed. Usually, when you notice this behavior, a call to Microsoft support is the way to go, but 2008 R2 is not supported anymore.

2
  • Yes, we have realized lsass.exe is important, so we haven't done any sensitive operations on it. The most confusing thing to us now is that even if we don't start WinCC or the OPC UA server, the memory still increases after reboot. We will try more official updates. Anyway, thx bro!
    – chan_ac
    Dec 4 at 8:49
  • It could also be that a threat actor is misusing lsass using an exploit or something like that. So make sure you have proper hardening and so on in place. And verify all processes using Process Explorer with a check against VirusTotal.
    – Turdie
    Dec 4 at 8:51
