Comments on ADdict: Active Directory: Lsass.exe High CPU Usage (comment feed, last updated 2024-03-28T13:13:53+01:00; 14 comments, newest first)

Anonymous, 2018-02-02T20:49:52+01:00:
No problem! Again, I should have replied a few years back as it is old news now. Another customer in my neighborhood sounds like they are having similar issues today (not sure if actually LSASS high CPU related, but nonetheless - slow/no login problems)... so my ears started ringing and I developed a nervous twitch just thinking about all the hours of lost sleep spent troubleshooting this last time (even with the help of your post). I was reminded of your post today because of that - so thought it best I come and thank you before Karma comes to drop an anvil on my head for not passing on the thanks!

Thomas (https://www.blogger.com/profile/12651864373303201993), 2018-02-02T20:36:34+01:00:
Awesome! Thanks for taking the time to post back and share! It's really cool to see how you worked your way to a solution as well.

Anonymous, 2018-02-02T20:31:36+01:00:
A while back, I had to assist an unnamed customer troubleshoot high CPU utilization for lsass that was causing a major, multi-day outage for them. I should have commented on this and thanked you back then, as this post ultimately helped us follow the bread-crumb trail to resolve their problems. While McAfee was the source of your problem here, this procedure can apply to anything that might be sending some expensive queries to AD. Bravo and kudos to you on capturing everything from end to end!

In this customer's case it was the result of an accidental/naive action from an admin using their systems management software (SCCM) to perform what is known as a 'baseline' against clients (https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/deploy-configuration-baselines). Their aim via WMI script was to identify which users had local admin membership on their corporate issued PC. Unfortunately, they used code from the Internet not knowing what exactly it did. The code executed this against the Domain, rather than the Local Computer's SAM, which was not their intention. Something to the tune of (can't recall exactly):

select * from Win32_AccountSID where Element = "Win32_Group.Domain=\"REMOVEDNAME\",Name=\"Administrators\""

So - "Give me all your users, and tell me which of them are Administrators" is ultimately what this did... but against the Domain rather than the Local Computer. Deployed to all PCs, which essentially caused an internal denial of service, as you experienced here with McAfee. SCCM deploys this configuration baseline as PowerShell scripts (temporarily) to a local folder to execute the query (they appear as GUID string values with a .PS1 extension in the C:\WINDOWS\CCM\SYSTEMTEMP folder).

It was quite the adventure to narrow in on - but without your post it would have taken much longer.

Thomas (https://www.blogger.com/profile/12651864373303201993), 2018-01-16T16:31:39+01:00:
I hope it helps you :) The idea of a post like this is not only to offer "the" answer but to provide some insights and tricks on how to find the actual issue, and to learn a thing or two in the process. I can assure you I learned a thing or two as well :) Good luck finding your problem!

Alex, 2018-01-16T15:08:04+01:00:
@Thomas This is the most detailed investigation for the problem we have, especially because our environment is identical. I will try to investigate as well as you did! Too bad we don't have McAfee!

Anonymous, 2017-05-29T16:18:48+02:00:
Damn... technical... You got everything here.

Anonymous, 2016-04-14T07:19:01+02:00:
Thomas, in my case, it's not a Domain controller. How to find this collector?

Thomas (https://www.blogger.com/profile/12651864373303201993), 2016-02-07T20:48:05+01:00:
Is the server you're investigating a domain controller?

Skylar (https://www.blogger.com/profile/10484087983122195756), 2016-01-18T23:06:58+01:00:
I can't find the Active Directory Diagnostics collector set. I am trying to investigate high lsass.exe CPU usage on an Azure server.

Anonymous, 2015-09-18T19:48:09+02:00:
McAfee was the problem in my environment also. Time to go shopping for a new endpoint security solution.

Monika Gupta, 2015-09-08T13:32:21+02:00:
Nice post, thank you very much for sharing.

Keith Hardy (https://www.blogger.com/profile/11894710944306610013), 2014-12-04T15:59:50+01:00:
Great work, Thomas. CPU activity on all of our DCs is significantly reduced now that I've disabled the product improvement program. Nothing on the McAfee Knowledge Base that I can see.

Olivier V (https://www.blogger.com/profile/15624588690423041860), 2014-10-08T23:27:36+02:00:
Wow, good find and very nice write-up!

Anonymous, 2014-09-26T09:54:20+02:00:
Indeed good work and thanks for this outstanding analysis!
cheers, Maurice
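The SCCM baseline incident described in the 2018-02-02 comment above (a WMI query meant for the local Administrators group that was instead scoped to the domain and hammered the DCs) is easy to avoid once the query is pinned to the local machine. The script below is an added example, written for this page; it is not code from the original post, from the commenter, or from any Microsoft sample. It is shaped as an SCCM configuration-item discovery script that returns a single string, and it goes slightly beyond the comment: it addresses the group by its well-known SID (S-1-5-32-544) so no name ever has to be resolved through the domain, and it falls back to the Win32_GroupUser association with the Domain key set to $env:COMPUTERNAME when the LocalAccounts cmdlets are unavailable or fail. The approved-member list, the CONTOSO domain name and the function name Get-LocalAdminMembers are placeholders and assumptions, not values from the page.

```powershell
# Added example (not from the original post or its comments).
# Discovery script: list members of the LOCAL BUILTIN\Administrators group
# and report whether only approved principals are present.
# Assumptions (not from the page): the approved list below and the CONTOSO
# domain are placeholders to be replaced per environment.

$ApprovedMembers = @(
    "$env:COMPUTERNAME\Administrator",   # hypothetical approved entry
    'CONTOSO\Domain Admins'              # hypothetical; CONTOSO is a placeholder
)

function Get-LocalAdminMembers {
    # Preferred path: Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+).
    # Addressing the group by SID skips any name lookup and survives OS localization.
    try {
        return Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Name   = $_.Name            # e.g. CONTOSO\Domain Admins
                    Class  = $_.ObjectClass     # User or Group
                    Source = $_.PrincipalSource # Local, ActiveDirectory, ...
                }
            }
    }
    catch {
        # Fallback for older hosts, or when Get-LocalGroupMember fails.
        # The Domain= key is the local computer name. Putting the AD domain name
        # here is exactly what turns this into a domain-wide query against the DCs.
        $filter = "GroupComponent=`"Win32_Group.Domain='$env:COMPUTERNAME',Name='Administrators'`""
        return Get-CimInstance -ClassName Win32_GroupUser -Filter $filter |
            ForEach-Object {
                $p = $_.PartComponent   # Win32_Account reference: Domain + Name keys
                [pscustomobject]@{
                    Name   = '{0}\{1}' -f $p.Domain, $p.Name
                    Class  = $p.CimClass.CimClassName   # Win32_UserAccount / Win32_Group
                    Source = 'Win32_GroupUser'
                }
            }
    }
}

$members    = @(Get-LocalAdminMembers)
$unexpected = @($members | Where-Object { $ApprovedMembers -notcontains $_.Name })

# SCCM compares this single output string with the expected value set on the
# configuration item ('Compliant'); anything else is flagged for remediation.
if ($unexpected.Count -gt 0) {
    'NonCompliant: ' + ($unexpected.Name -join '; ')
} else {
    'Compliant'
}
```

Two practical notes: the fallback branch still names the group "Administrators", so on a non-English image it should use the localized name or be dropped in favour of the SID-based path; and before deploying any baseline to every client, run the discovery script on one machine while watching the DC with the Active Directory Diagnostics data collector set (or just the LDAP counters in Performance Monitor), so a query that quietly fans out to the domain shows up there first rather than as a fleet-wide lsass.exe CPU spike.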