It is an MS Windows 2003 box, and we noticed a very busy hard drive.
What is pegging the Hard Drive?
Let us launch Task Manager and add “Process ID”, “I/O Reads” and “I/O Writes” to the columns we want to trend.
Here is a capture we took at 08:08 PM
Another screen capture at 08:08 PM
Here are the I/O Reads at the beginning and end of our time slot (end – start = growth).
csrss.exe shows the largest growth.
- 4397 – 4248 = 149
- 3154 – 2194 = 960
- 2975 – 1378 = 1597
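The I/O Reads column in Task Manager is a cumulative count, so trending it means two screenshots and a subtraction, as above. The following is an added example, not part of the original post: it uses typeperf, which ships with Windows Server 2003, to record the per-second read and write operation rates of every process to a CSV file, then samples the two suspects named above on the console. The output path, interval and sample counts are arbitrary choices.

```batch
@echo off
setlocal
rem Added example, not from the original post: sample per-process I/O rates
rem with typeperf instead of subtracting Task Manager screenshots.
rem Assumptions: run from cmd.exe as an administrator; C:\Temp exists;
rem the 5-second interval and the sample counts are arbitrary choices.

set OUT=C:\Temp\proc_io.csv
if exist "%OUT%" del "%OUT%"

rem 1. Every process instance ("*"), 12 samples 5 seconds apart, to CSV.
rem    One column per process and counter; open it in a spreadsheet and sort
rem    a row by value to see who issues the most operations per second.
typeperf "\Process(*)\IO Read Operations/sec" ^
         "\Process(*)\IO Write Operations/sec" ^
         -si 5 -sc 12 -f CSV -o "%OUT%"

rem 2. Zoom in on the suspects: one sample per second for a minute, to the
rem    console. A steady 3 reads/sec and 3 writes/sec from lsass matches the
rem    delta of 3 seen in Process Explorer later in the post.
typeperf "\Process(lsass)\IO Read Operations/sec" ^
         "\Process(lsass)\IO Write Operations/sec" ^
         "\Process(csrss)\IO Read Operations/sec" ^
         "\Process(csrss)\IO Write Operations/sec" ^
         -si 1 -sc 60

echo Full capture written to %OUT%
endlocal
```

Rates are easier to compare than cumulative totals, and the CSV keeps a record that survives the session, which a screenshot pair does not.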
Dig More into lsass.exe
SysInternals – Process Explorer
- We are tracking the right lsass.exe: it is the one in C:\Windows\System32.
- One never knows whether a piece of malware is hiding behind the same name, so always check the image path.
- The parent process is winlogon.exe.
- That is, lsass.exe is launched by winlogon.exe at system start-up (on Windows 2003; on Vista and later the parent is wininit.exe), not on every user logon.
- We confirmed the I/O Read and Write deltas of 3 per second.
The services that are reliant on our process are:
- Security Accounts Manager
All of them are vital, security-related services.
- TCP ports:
- UDP ports:
  - IP interfaces: All – Ports: 500, 4500 (IKE and IPsec NAT traversal, served by the IPSEC Services that run inside lsass.exe)
  - IP interfaces: Localhost [127.0.0.1] only – Port: 1026
- Review privileges, e.g. SeImpersonatePrivilege and SeManageVolumePrivilege
Services – Terminal Services
Our read and write delta holds steady at 3 per second. Searching for this symptom, the culprit is usually “Terminal Services”.
If you can live without “Remote Desktop”, disable “Terminal Services”. Note that on Windows 2003 this same service also provides Remote Desktop for Administration, so disabling it removes remote desktop access to the box entirely.
Control Panel – Administrative Tools – Services
Review the Services applet and pay attention to “Terminal Services”
- Even though its startup type is Manual, something is triggering it to start.
- As noted above, it is running.
Let us go in and disable the service
- We were able to set the startup type to Disabled.
- But from the GUI we are unable to stop the currently running service \ process (the Stop action is not available for Terminal Services).
- To put the change into effect we have to restart the box.
Let us stop the current process
Identify the process ID and map the process to the services it hosts
tasklist /svc | findstr /C:TermService
Abruptly stop the process
Be very careful with this step and take it only if you must!
If TermService is the lone service in the process, kill the process
If Terminal Services is the only service hosted by our container (svchost.exe), it is safe to kill it. If other services share that svchost.exe, killing it takes all of them down with it; in that case, reboot instead.
taskkill /F /FI "SERVICES eq TermService"
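The steps above gathered into one script, as an added example that is not part of the original post. It assumes an administrative cmd.exe on Windows Server 2003 and uses the real service key name TermService, as the post does. It records the service state first, sets the startup type to Disabled so the service does not return after a reboot, and only kills the hosting svchost.exe when TermService is the sole service in it.

```batch
@echo off
setlocal
rem Added example, not from the original post: disable Terminal Services and
rem kill its host process only when TermService is alone in that svchost.exe.
rem Assumes an administrative cmd.exe on Windows Server 2003.

set SVC=TermService

rem 1. Record the current state and startup type before changing anything.
sc query %SVC% | findstr /C:"STATE"
sc qc %SVC%    | findstr /C:"START_TYPE"

rem 2. Find the PID hosting the service and every service sharing that PID.
rem    CSV output looks like "image","pid","svc1,svc2,..." - tokens=2,* keeps
rem    the whole service list as the third token even though it has commas.
rem    When nothing matches, tasklist prints an INFO line without commas,
rem    the second token is empty and the loop body never runs.
set PID=
set HOSTED=
for /f "tokens=2,* delims=," %%b in ('tasklist /svc /fi "SERVICES eq %SVC%" /fo csv /nh') do (
    set PID=%%~b
    set HOSTED=%%~c
)

rem 3. Stop it from coming back: set the startup type to Disabled.
rem    (sc's syntax requires the space after "start=".)
sc config %SVC% start= disabled

if not defined PID (
    echo %SVC% is not running in any process; nothing to kill.
    goto :done
)
echo %SVC% runs in PID %PID%, which hosts: %HOSTED%

rem 4. Kill the host only if TermService is the sole occupant; a shared
rem    svchost.exe would take every other service in it down as well.
if /i "%HOSTED%"=="%SVC%" (
    echo %SVC% is alone in PID %PID% - killing it.
    taskkill /F /FI "SERVICES eq %SVC%"
) else (
    echo PID %PID% also hosts other services - not killing it.
    echo Reboot to apply the change instead.
)

:done
rem 5. Verify the new startup type.
sc qc %SVC% | findstr /C:"START_TYPE"
endlocal
```

The comparison against the full hosted-service list is the safety check the post describes by hand: anything other than exactly "TermService" in that field means the svchost.exe is shared, and the script leaves it alone.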
Other Checks & Changes
- Turn off CD-ROM Autorun
- Disable unneeded services and change the startup type of the rest from Automatic to Manual where possible
- Turn off visual effects
- Review auto-start programs
- Temporarily enable OpenFiles tracking (it takes effect after a restart) and review which files are constantly open
- Review “Automatic Updates” settings
The registry fix (for CD-ROM Autorun):
- Click Start, and then click Run.
- Type regedit, and then click OK.
- Locate and then click the following registry subkey:
- If the value for Autorun is 1, right-click Autorun, and then click Modify. In the Value data box, type 0, and then click OK.
Services – Microsoft OS
- Consider disabling the following services
- Terminal Services ( unless you require Remote Desktop access )
- Web Element Manager ( Provides access to extensible Web user interface elements for a remotely managed server. If this service is stopped, it will restart automatically. If this service is disabled, the Remote Administration Tools Web user interface for server administration will not function properly )
- Indexing Service
- Consider changing the startup type of the following services to Manual
- Print Spooler
- Computer Browser
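The service changes recommended above, applied from the command line as an added example that is not part of the original post. It assumes an administrative cmd.exe on Windows Server 2003 and uses the display names shown in services.msc, letting sc resolve each one to its service key name so nothing is hard-coded or mistyped; sc's "demand" start type is what the Services applet calls Manual.

```batch
@echo off
setlocal
rem Added example, not from the original post: apply the startup types the
rem post recommends, resolving display names to service key names with sc,
rem and print the startup type before and after each change.
rem Assumes an administrative cmd.exe on Windows Server 2003.

call :setstart "Terminal Services"   disabled
call :setstart "Web Element Manager" disabled
call :setstart "Indexing Service"    disabled
call :setstart "Print Spooler"       demand
call :setstart "Computer Browser"    demand
endlocal
goto :eof

:setstart
rem %1 = quoted display name, %2 = sc start type (auto, demand, disabled)
rem "sc getkeyname" prints: [SC] GetServiceKeyName SUCCESS  Name = KeyName
rem On a missing service the FAILED line has no "=" so KEY stays undefined.
set KEY=
for /f "tokens=2 delims==" %%n in ('sc getkeyname %1') do set KEY=%%n
if not defined KEY (
    echo %~1: not installed on this box, skipping.
    goto :eof
)
set KEY=%KEY: =%
echo --- %~1 (%KEY%) ---
sc qc %KEY% | findstr /C:"START_TYPE"
sc config %KEY% start= %2
rem A service set to Disabled keeps running until stopped; try, but some
rem services (Terminal Services among them) refuse the stop control and only
rem stop at the next reboot, exactly as the post observed in the GUI.
if /i "%2"=="disabled" sc stop %KEY%
sc qc %KEY% | findstr /C:"START_TYPE"
goto :eof
```

Resolving display names through sc getkeyname matters here because the key names differ from what the Services applet shows (the post's own command uses TermService for “Terminal Services”), and a typo in a hard-coded key name would silently do nothing.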
Change “System Properties – Performance Options – Visual Effects” from having “Let Windows choose what’s best for my computer” to “Adjust for performance“.
Let Windows Choose
Adjust for best performance
Auto Start Applications
Use msconfig.exe or another tool to review applications that are auto-starting. Windows Server 2003 does not ship msconfig.exe, so Sysinternals Autoruns is a natural alternative.
I have to dedicate this to Google and WordPress.
The post was originally started on April 28th, 2014:
Exactly 1 year and 4 months later, I can change its status from Private to Published:
- Troubleshooting High LSASS CPU Utilization on a Domain Controller (Part 1 of 2)
- lsass.exe generating high I/O Reads and Writes, 3 per second continually
Services – Terminal Services ( TermService )
- Start / Stop / Enable / Disable Terminal services from command line
- Enable Remote Desktop Command line
- Disable autorun autoplay via group policy
- Steve Riley on Security – Autorun: good for you?
- How to disable Autoplay and Autorun feature in Windows