LSASS.exe, or Local Security Authority Subsystem Service, is a process on the Windows operating system. It plays a key role in enforcing the security policy on the computer. When a user logs in to a Windows Server, it is responsible for handling password changes and creating access tokens while updating the security log. It is often targeted and mimicked by malware. The original location of this file is C:\Windows\System32, where C: is your system partition. So, if a process with a similar name appears in Task Manager but its location is different, you know that the process is a threat and is exploiting the security of your computer. In this article, we discuss high resource consumption by the original lsass.exe on Windows.
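The location check described above, as an added PowerShell example that is not part of the original article: it lists processes named lsass.exe, or within one character of that name, and compares each image path with %SystemRoot%\System32\lsass.exe. The function names, the one-character threshold and the sample records are assumptions of this example; run it elevated, because the path of system processes may be hidden from unelevated sessions.

```powershell
# Added example, not from the original article. Run in an elevated session.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Levenshtein edit distance (two-row version), case-insensitive.
function Get-EditDistance([string]$a, [string]$b) {
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + @(0) * $b.Length
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = [int]($a[$i - 1] -ne $b[$j - 1])
            $best = [Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

# Classify one process record (needs Name, ProcessId, ExecutablePath).
function Test-LsassProcess {
    param([Parameter(ValueFromPipeline)] $Process)
    process {
        # Ignore anything more than one character away from the real name.
        if ((Get-EditDistance $Process.Name 'lsass.exe') -gt 1) { return }
        $verdict = if ($Process.Name -ne 'lsass.exe') { 'LookalikeName' }
        elseif (-not $Process.ExecutablePath) { 'PathUnavailable' }   # e.g. not elevated
        elseif ($Process.ExecutablePath -ne $expected) { 'WrongLocation' }
        else { 'ExpectedLocation' }
        [pscustomobject]@{
            Name = $Process.Name; ProcessId = $Process.ProcessId
            Path = $Process.ExecutablePath; Verdict = $verdict
        }
    }
}

# Constructed sample records (not real observations), one per verdict.
$samples = @(
    [pscustomobject]@{ Name = 'lsass.exe'; ProcessId = 704;  ExecutablePath = $expected }
    [pscustomobject]@{ Name = 'lsass.exe'; ProcessId = 4120; ExecutablePath = 'C:\Users\Public\lsass.exe' }
    [pscustomobject]@{ Name = 'Isass.exe'; ProcessId = 5188; ExecutablePath = 'C:\Windows\System32\Isass.exe' }
    [pscustomobject]@{ Name = 'lsass.exe'; ProcessId = 712;  ExecutablePath = $null }
)
$samples | Test-LsassProcess | Format-Table -AutoSize

# Live check of the local machine.
Get-CimInstance Win32_Process | Test-LsassProcess | Format-Table -AutoSize
```

Only the ExpectedLocation verdict matches what the article describes as the genuine process; PathUnavailable means the check has to be repeated from an elevated session before drawing a conclusion.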
lsass.exe High CPU and Disk usage
The cause of this high CPU and disk usage cannot be narrowed down to a single culprit, and one candidate is malware. So start by running a full system scan using your antivirus software. You may also run System File Checker at boot time to replace a potentially damaged lsass.exe file.
If you need to investigate further, you can use the Performance Monitor’s Active Directory Data Collector set on a computer.
This method will work only on the recent versions of Windows Server. To fix this error, we need to start by running the Active Directory Data Collector.
Start by opening the Server Manager or by opening the Performance Monitor.
To open the Performance Monitor, press the WINKEY + R key combination to launch the Run utility. Now, type in the following and hit Enter:
Now, from the left side navigation bar, navigate to Diagnostics > Reliability and Performance > Data Collector Sets > System.
Right-click on Active Directory Diagnostics and then select Start in the context menu.
It will take about 300 seconds, or 5 minutes, depending on the performance capabilities of your hardware, to gather the required data, and will then take some additional time to compile a report. These two durations depend on each other.
Once compiled, the report can be found under Diagnostics > Reliability and Performance > Reports > System > Active Directory Diagnostics.
This report will contain all the collected information and conclusions. This does not mean that it will contain the exact cause of the error, but it will help you investigate the real cause of the issue.
lsass.exe terminated unexpectedly
The message that appears is usually in this format:
The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in 60 seconds. Shutdown message: The system process “C:\WINDOWS\system32\lsass.exe” terminated unexpectedly with status code – 999. The system will now shut down and restart.
If lsass.exe terminated unexpectedly, causing the system to restart, there is a high likelihood that your computer is infected. You need to run a full scan with your security software.
Additionally, you could perform a Clean Boot and manually troubleshoot to find out which third-party process or code may be causing this issue.
All the best!