1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Resolved] High Processor Usage

Discussion in 'Windows XP' started by cuarch, Feb 18, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. cuarch

    cuarch Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    5
    After leaving my machine on for a day, I noticed it was running a bit sluggish. I checked the task manager, only to find the lsass.exe service was using up to 128,235k of RAM and increases 4k a second, and appears to have my processor usage up to 99-100%. I have been checking around, but haven't had similiar problems with error messages or the machine rebooting on its own due to lsass.exe. When I reboot my machine, the service starts back at around 4,450k, but then starts it's increase of 4k a second. Anyone have any suggestions?
     
  2. AbvAvgUser

    AbvAvgUser

    Joined:
    Oct 3, 2002
    Messages:
    2,281
    Which applications are running in the background? And what is this lsass.exe? I tried a search on my machine and couldn't find anything like that.

    If you don't know about it, try to find this file and it will you its path.

    Have you scanned your syatem for viruses with latest Anti-Virus definitions?
     
  3. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Lsass.exe = LSA Shell = Local Security Authentication Sub-System Service

    This is an essential WinNT/2k/XP service.
    Windows won't load without it.


    What is your Windows OS ?
    There was a known memory leak problem with lsass.exe in Win 2000, but this was addressed in one of the service packs.


    Apart from this, please download, unzip and run StartUpList.
    This will generate a list of all running processes, startup programs, and more.
    Please copy and paste the result file here.
    We will then examine this list to determine whether you've been hit by any spyware, parasiteware, trojans, or viruses . . . or, at the very least, it will help us to eliminate this as the cause of the problem.
     
  4. cuarch

    cuarch Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    5
    I am running XP Pro. I have seen issues regarding the lsass.exe with people running Win 2K machines, but none with XP or anything similiar to what I am experiencing. I have SP1 installed for XP as well. I will download the linked program you provided when I get home from work, and post it on here as you requested. Thanks
     
  5. cuarch

    cuarch Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    5
    Here you go: Thanks in advance..

    StartupList report, 2/18/2003, 9:16:12 PM
    StartupList version: 1.51
    Started from : C:\hold\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
    C:\WINDOWS\System32\WF2K.EXE
    C:\Program Files\WinFast\WFTVFM\WFSCH.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
    C:\WINDOWS\System32\GMTService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\ni_nic.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hold\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SoundMan = SOUNDMAN.EXE
    EasyTuneIV = C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    WinFast_2K = C:\WINDOWS\System32\WF2K.EXE
    WinFast2KLoadDefault = rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    WinFast Schedule = C:\Program Files\WinFast\WFTVFM\WFSCH.exe
    nwiz = nwiz.exe /install
    ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37669.7073958333

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 4,945 bytes
    Report generated in 0.078 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Well, I can't see any noticeable spyware, trojans or viruses listed there,
    so that's a good start :)

    There are a few entries I'm not familiar with, but these all seem related to hardware utilities, and most (if not all) of them are non-essential startup items.

    Here's where knowing your full system specs could be useful.

    You've got a few Gigabyte motherboard system utilities/monitors running.
    These will take up a lot of resources, especially if any auto cooling features are enabled.

    I'm also a bit confused by what graphics card/chip you've got.
    I see entries for both Leadtek Winfast and NVidia
    I'm assuming it's a Leadtek card/chip using NVidia drivers ?!?!

    Also, there's a lot of cpu-intensive Norton apps running.

    What I suggest is that you disable all startup programs for troubleshooting purposes.

    start -> run -> msconfig
    Startup tab:
    Uncheck everything except for Systray

    Now, it's up to you how you do this.
    You can either disable them all,
    reboot
    see if the problem persists

    If it does then this will prove that something else is to blame
    If it doesn't, then re-enable each item one at a time, rebooting inbetween.
    At the first sign of the problem, you'll know what's causing it.

    You could also do the process in reverse,
    ie. uncheck them one at time, rebooting inbetween.

    Process by elimination is usually the most effective method :)


    Here's a useful page which lists most startup programs,
    and says whether they are essential or not.
    http://www.pacs-portal.co.uk/startup_pages/startup_full.htm


    I don't think there's any need to run Spybot, but it won't do any harm.
    Usage instructions (re: updates etc) are here and here
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  8. cuarch

    cuarch Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    5
    Well, I did what you suggested, and went into msconfig, and disabled everything, and then started it up one by one. Painful task, but it turns out is was the SSDP Discovery Service that was causing the lsass.exe to increase in size. Guess my question is now, since the SSDP handles Plug 'n Play, how bad do I need it and is there a quick fix for the SSDP service that I can do?
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  10. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Well, I'm glad you found the culprit.
    SSDP Discovery Service is related to Univeral Plug and Play, which is totally different to standard Plug & Play. Unless you're on a network which specifically requires UPnP, it's very unlikely you'll ever need it, but it is one of those sneaky background WinXP services which are enabled by default (ie. set to Automatic in: Admin Tools -> Services).

    I'm also a bit confused as to what was triggering it . . .

    There's more information about UPnP on the site Rog linked to:
    http://www.uksecurityonline.com/husdg/windowsxp/

    Check out these articles:
    http://grc.com/unpnp/unpnp.htm
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-059.asp

    Interesting stuff indeed! :eek:
     
  11. cuarch

    cuarch Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    5
    Thanks for everyone's help and the links to the articles. Since I have disabled that service, my machine has been running at peak performance again!
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/119503

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice