Microsoft – Task Manager – lsass.exe – Consistent I/O Read of 3

Foreword

This is a Microsoft Windows 2003 box, and we noticed a very busy hard drive.

 

What is pegging the Hard Drive?

Task Manager

Let us launch Task Manager and add the “Process ID”, “I/O Reads” and “I/O Writes” columns to the list of columns we want to trend.

Here is a capture we took at 08:08 PM

TaskManager0808PM

 

Another screen capture at 08:08 PM

TaskManager0808PMv2

 

Explanation

Here are the I/O reads at the beginning and end of our time slot (end value minus start value).

csrss.exe is growing the most.

  1. svchost.exe
    • 4397 – 4248 = 149
  2. lsass.exe
    • 3154 – 2194 = 960
  3. csrss.exe
    • 2975 – 1378 = 1597
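The comparison above (two Task Manager captures, subtract the earlier I/O count from the later one, rank the processes) can be scripted so the window and the ranking are exact. The script below is an added example, not code from the original post; it assumes Windows PowerShell 2.0 or later with WMI access, run as an administrator so that every process, lsass.exe included, is visible, and the 60-second window is an arbitrary choice.

```powershell
# Added example, not from the original post. Samples per-process I/O operation counts
# twice via WMI and ranks the deltas, automating the two-capture comparison done by hand above.
# Assumes Windows PowerShell 2.0 or later with WMI access, run as an administrator.
param([int]$IntervalSeconds = 60)   # sampling window; an arbitrary choice

function Get-IoSnapshot {
    # Hashtable keyed by PID -> process name plus cumulative read/write operation counts
    $snapshot = @{}
    foreach ($p in Get-WmiObject -Class Win32_Process) {
        $snapshot[[int]$p.ProcessId] = New-Object PSObject -Property @{
            Name   = $p.Name
            Reads  = [int64]$p.ReadOperationCount
            Writes = [int64]$p.WriteOperationCount
        }
    }
    return $snapshot
}

$before = Get-IoSnapshot
Start-Sleep -Seconds $IntervalSeconds
$after  = Get-IoSnapshot

$deltas = @()
foreach ($id in $after.Keys) {
    # Skip processes that started during the window, and guard against PID reuse
    # (a recycled PID would otherwise produce a meaningless negative delta).
    if (-not $before.ContainsKey($id)) { continue }
    if ($before[$id].Name -ne $after[$id].Name) { continue }
    $deltas += New-Object PSObject -Property @{
        PID        = $id
        Name       = $after[$id].Name
        ReadDelta  = $after[$id].Reads  - $before[$id].Reads
        WriteDelta = $after[$id].Writes - $before[$id].Writes
    }
}

# Top readers first; a large, steadily growing ReadDelta is the process pegging the disk
$deltas | Sort-Object ReadDelta -Descending | Select-Object -First 10 |
    Format-Table PID, Name, ReadDelta, WriteDelta -AutoSize
```

Run it a few times with different windows; a process that tops the list on every run, as lsass.exe and csrss.exe do in the captures above, is worth the Process Explorer dig that follows.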

 

Dig More into lsass.exe

SysInternals – Process Explorer

Image

image

 

Explanation

  1. Path
    • We are tracking the right lsass.exe, as it is the one in C:\Windows\System32.
    • One never knows whether a virus is running under the same name.
  2. The parent process’s name is winlogon.exe
    • That is, lsass.exe is started whenever a user logs on.
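The two checks above (binary path and parent process) can be made explicit so the comparison does not depend on reading a screenshot. This is an added example, not code from the original post; it assumes Windows PowerShell 2.0 or later run as an administrator (WMI returns an empty ExecutablePath for processes the caller cannot open), and it takes winlogon.exe as the expected parent because that is what the Process Explorer capture shows on this Windows 2003 box.

```powershell
# Added example, not from the original post. Confirms the lsass.exe being tracked is the
# genuine binary: exactly one instance, located in %SystemRoot%\System32, and parented by
# winlogon.exe as the Process Explorer capture shows for Windows Server 2003.
# Assumes Windows PowerShell 2.0 or later, run as an administrator.
$expectedPath   = Join-Path $env:SystemRoot 'System32\lsass.exe'
$expectedParent = 'winlogon.exe'   # parent observed in the post's capture (Windows 2003)

function Test-Lsass {
    $instances = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'lsass.exe'")
    if ($instances.Count -ne 1) {
        # More than one lsass.exe, or none, is itself a finding worth chasing
        Write-Warning ("Expected exactly one lsass.exe, found {0}" -f $instances.Count)
    }
    foreach ($proc in $instances) {
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<no longer running>' }
        New-Object PSObject -Property @{
            PID      = $proc.ProcessId
            Path     = $proc.ExecutablePath
            Parent   = $parentName
            PathOk   = ($proc.ExecutablePath -ieq $expectedPath)
            ParentOk = ($parentName -ieq $expectedParent)
        }
    }
}

Test-Lsass | Format-Table PID, Path, Parent, PathOk, ParentOk -AutoSize
```

A PathOk of False (for example a copy under a user profile or a temp directory) or a second instance is the case the “virus bearing the same name” note is about, and deserves a look before any performance tuning.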

 

Performance

performance

 

Explanation

  1. We confirmed the Read and Write Deltas of 3

 

Services

Services

 

Explanation:

The services that are reliant on our process are:

  1. NetLogon
  2. PolicyAgent
  3. ProtectedStorage
  4. Security Accounts Manager

All of them are vital security related services.

 

TCP/IP

TCPIP

 

Explanation:

  1. TCP ports:
    • 1205
  2. UDP ports:
    • IP interfaces: All; ports 4500, 500
    • IP interfaces: Localhost [127.0.0.1] only; port 1026

 

Security

Security

 

 

Explanation:

  1. Review privileges, e.g. SeImpersonatePrivilege, SeManageVolumePrivilege.

 

Services – Terminal Services

Our read and write delta is at 3. From a Google search, the culprit is usually “Terminal Services”.

If you can live without the “Remote Desktop” experience, disable “Terminal Services”.

Control Panel – Applet – Services

Permanent Solution

Current Setting

Review Services applet and pay attention to “Terminal Services”

TerminalServicesManual

Explanation:
  1. Even though it is set to Manual, something is triggering its start.
  2. As we noted, it is started.

 

Disable Service

Let us go in and disable the Service

TerminalServicesDisabledUnableToStop

 

Explanation
  1. We were able to disable the service.
  2. But, from the GUI, we are unable to stop the currently running service/process.
  3. To effect the change we have to restart the box.

 

Session Solution

Let us stop the currently running process.

Identify Process ID

Textual


   tasklist /svc | findstr /C:TermService


Image tasklist

Abruptly Stop Process

Be very careful with this step and only take it if you must!

Map Process to Services

Command


   tasklist /svc | findstr /C:TermService

Image

mapExecutableToService

 

If Lone Service Using Process, kill Process

If Terminal Services is the only service hosted in our container process ( svchost.exe ), then it is safe to kill it.

 


   taskkill /F /FI "SERVICES eq TermService"

 

killServiceProcess
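The “lone service” condition above is the whole safety argument: taskkill with the SERVICES filter ends the host process, so any other service sharing that svchost.exe goes down with it. The script below is an added example, not code from the original post; it assumes Windows PowerShell 2.0 or later with WMI access, and it only reports and recommends, leaving the actual taskkill to the operator.

```powershell
# Added example, not from the original post. Before killing the svchost.exe that hosts
# Terminal Services, list every other service that shares that process; the
# taskkill /F /FI "SERVICES eq TermService" step is only safe when TermService is alone.
# Assumes Windows PowerShell 2.0 or later with WMI access. Reports only; kills nothing.
function Get-ServiceHostReport {
    param([string]$ServiceName = 'TermService')

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name = '$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    if ($svc.State -ne 'Running' -or $svc.ProcessId -eq 0) {
        return "Service $ServiceName is $($svc.State) (StartMode=$($svc.StartMode)); nothing to kill"
    }

    $hostPid  = $svc.ProcessId
    $hostProc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $hostPid"
    # Every service whose ProcessId matches lives in the same container (the svchost -k group)
    $cohabitants = @(Get-WmiObject -Class Win32_Service -Filter "ProcessId = $hostPid" |
        Where-Object { $_.Name -ne $ServiceName })

    $report = "Service $ServiceName runs in PID $hostPid ($($hostProc.Name)): $($hostProc.CommandLine)"
    if ($cohabitants.Count -eq 0) {
        $report += "`nNo other service shares PID $hostPid; taskkill /F /FI `"SERVICES eq $ServiceName`" would affect only this service."
    } else {
        $names = ($cohabitants | ForEach-Object { $_.Name }) -join ', '
        $report += "`nPID $hostPid also hosts: $names. Killing it would stop those services too; do not use taskkill here."
    }
    return $report
}

Get-ServiceHostReport -ServiceName 'TermService'
```

This is the same information as tasklist /svc, but with the decision made explicitly rather than by eyeballing the Services column, which matters when the host process carries several service names on one line.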

Other Checks & Changes

  1. Turn off CDROM Autorun
  2. Disable un-needed services and change other services from Automatic to Manual
  3. Turn off visual effects
  4. Review auto-start programs
  5. Temporarily enable OpenFiles and review “opened files” regularly
  6. Review “Automatic Updates” settings

 

CDROM

The registry fix:

  • Click Start, and then click Run.
  • Type regedit, and then click OK.
  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom
  • If the value for Autorun is 1, right-click Autorun, and then click Modify. In the Value data box, type 0, and then click OK.

 

Services – Microsoft OS

  • Consider disabling the following services
    • Terminal Services ( unless you require Remote Desktop access )
    • Web Element Manager ( Provides access to extensible Web user interface elements for a remotely managed server. If this service is stopped, it will restart automatically. If this service is disabled, the Remote Administration Tools Web user interface for server administration will not function properly )
    • Indexing Service
  • Consider changing the “Status” on the following services to manual
    • Print Spooler
    • Computer Browser
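The CDROM Autorun value and the service start modes above are the kind of settings that drift back over time, so a read-only audit that reports current state against the recommendation is useful to keep. The script below is an added example, not code from the original post; it assumes Windows PowerShell 2.0 or later, looks services up by the display names used on this page rather than by short names, and changes nothing.

```powershell
# Added example, not from the original post. Reports the current state of the settings the
# post recommends reviewing: the CDRom Autorun registry value and the start mode of the
# listed services. Read-only; apply changes deliberately after reviewing the report.
# Assumes Windows PowerShell 2.0 or later. Services are matched by display name.
function Get-HardeningReport {
    $lines = @()

    # CDROM Autorun: the post's fix sets this value to 0
    $cdromKey = 'HKLM:\System\CurrentControlSet\Services\CDRom'
    $autorun  = (Get-ItemProperty -Path $cdromKey -Name Autorun -ErrorAction SilentlyContinue).Autorun
    if ($autorun -eq $null) {
        $lines += "CDRom\Autorun: value not present"
    } elseif ($autorun -eq 0) {
        $lines += "CDRom\Autorun: 0 (disabled, as recommended)"
    } else {
        $lines += "CDRom\Autorun: $autorun (enabled; recommendation is 0)"
    }

    # Desired start modes from the page; Win32_Service reports StartMode as Auto/Manual/Disabled
    $desired = @(
        @{ DisplayName = 'Terminal Services';   Want = 'Disabled' },
        @{ DisplayName = 'Web Element Manager'; Want = 'Disabled' },
        @{ DisplayName = 'Indexing Service';    Want = 'Disabled' },
        @{ DisplayName = 'Print Spooler';       Want = 'Manual' },
        @{ DisplayName = 'Computer Browser';    Want = 'Manual' }
    )
    foreach ($entry in $desired) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName = '$($entry.DisplayName)'"
        if (-not $svc) { $lines += ("{0,-20} not installed" -f $entry.DisplayName); continue }
        $flag = if ($svc.StartMode -eq $entry.Want) { 'ok' } else { 'review' }
        $lines += ("{0,-20} Name={1,-12} StartMode={2,-9} State={3,-8} want={4,-9} {5}" -f
            $entry.DisplayName, $svc.Name, $svc.StartMode, $svc.State, $entry.Want, $flag)
    }
    return $lines
}

Get-HardeningReport
```

Anything flagged “review” is a candidate for the Services applet change described above; a service that is Disabled but still Running is the restart case noted under “Disable Service”.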

Performance Options

Change “System Properties – Performance Options – Visual Effects” from having “Let Windows choose what’s best for my computer” to “Adjust for performance“.

Let Windows Choose

Original

Adjust for best performance

Revised

 

Auto Start Applications

Use msconfig.exe or another tool to review applications that are auto-starting.

Startup-cftmon

 

OPENFILES

Syntax


openfiles /Query

Output

OpenedFiles

WordPress

Have to dedicate to Google and WordPress.

The post was originally started on April 28th, 2014:

Revision History

RevisionHistory

Exactly 1 year and 4 months later, I can change its status from Private to Published:

Original
