Understanding and Troubleshooting High CPU/Memory Usage by LSASS.exe in Windows Server Active Directory Environments

LSASS.exe (Local Security Authority Subsystem Service) is a critical Windows process responsible for enforcing security policies on the system. In Active Directory (AD) environments, it handles:

  • Domain authentication (NTLM/Kerberos)
  • Security token generation
  • Active Directory database management
  • Password change processing
  • Audit policy enforcement

The following architectural factors make LSASS particularly resource-intensive:

// Simplified pseudocode of LSASS core operations
while (running) {
    ProcessSecurityRequests();
    MaintainTokenCache();
    ValidateKerberosTickets();
    if (IsDomainController) {
        ReplicateADChanges();
        HandleGCQueries();
    }
}

Specific scenarios causing spikes:

  • Token bloat: Accumulation of excessive security tokens when users belong to many AD groups
  • Credential leakage: Malicious processes injecting credentials into LSASS
  • GC overload: Global Catalog queries during object searches
  • Replication storms: Frequent AD replication in large environments

Use this PowerShell script to analyze LSASS memory composition:

# Get LSASS memory details. Run elevated: module enumeration needs read access to
# the process, and it is refused when LSA protection (RunAsPPL) is enabled.
# ProcessModule exposes ModuleMemorySize rather than a per-module WorkingSet.
$lsass = Get-Process lsass
$modules = $lsass.Modules | Sort-Object -Property ModuleMemorySize -Descending
$modules | Select-Object ModuleName, FileName, ModuleMemorySize | Format-Table -AutoSize

# Check the current user's token group count (a token-bloat indicator).
# CSV output avoids matching the "GROUP INFORMATION" header of whoami /all.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
Write-Output "Token Information: $($groups.Count) groups in token"
$groups | Select-Object 'Group Name', Type

For Domain Controllers:

# Recommended registry tweaks (changes under the Lsa key take effect after a reboot)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaHeapSize" -Value 0 -Type DWord
# DisableLoopbackCheck=1 turns off the loopback authentication check for local
# host-name access; apply it only on servers that actually need it
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableLoopbackCheck" -Value 1 -Type DWord

For Member Servers:

  • Implement Credential Guard to prevent credential theft attacks
  • Configure Group Policy to limit cached tokens:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    "Network access: Restrict clients allowed to make remote calls to SAM"

Consider these advanced troubleshooting steps:

# Use Windows Performance Recorder for deep analysis
wpr -start GeneralProfile -start LsaProfile -fileMode
# (Reproduce issue)
wpr -stop lsass_trace.etl

For persistent issues, examine the LSA heap with DebugDiag or analyze minidumps using WinDbg:

.symfix
.reload
!handle -p 
!heap -s
!analyze -v

LSASS.exe (Local Security Authority Subsystem Service) is a critical Windows process responsible for enforcing security policies on the system. As an AD administrator, you'll find it handles:

  • Domain authentication (NTLM/Kerberos)
  • Active Directory certificate services
  • Security policy enforcement
  • Password change operations

In Active Directory environments, LSASS commonly spikes due to:

Typical memory-consuming operations:

  1. Excessive Kerberos ticket renewal requests
  2. High-frequency security policy evaluations
  3. LDAP query storms from domain controllers
  4. Certificate validation chains

Use these PowerShell commands to investigate:

# Check LSASS memory usage (WS = working set, PM = private memory, both in bytes)
Get-Process lsass | Select-Object WS,PM,CPU

# Monitor authentication events (4624 = logon, 4768 = TGT request, 4769 = service ticket request)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=@(4624,4768,4769)
    StartTime=(Get-Date).AddHours(-1)
} | Measure-Object | Select-Object -ExpandProperty Count

# Check for NTLM usage (should be minimal). Match the "Authentication Package" field:
# every 4624 message contains the literal text "Package Name (NTLM only)", so a
# plain "*NTLM*" wildcard would count Kerberos logons as well.
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=@(4624)
    StartTime=(Get-Date).AddHours(-1)
} | Where-Object { $_.Message -match 'Authentication Package:\s+NTLM' } | Measure-Object | Select-Object -ExpandProperty Count
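Extending the NTLM check above, the following is an added example (not from the original article) that summarizes 4624 logons by their Authentication Package field instead of a message-wide wildcard; the function name Get-LogonPackageSummary is my own and the two sample messages are constructed.

```powershell
# Added example, not from the original article: summarise Security 4624 logons
# by authentication package. Accepts Get-WinEvent objects (via .Message) or raw
# message strings, so it runs here against constructed samples.
function Get-LogonPackageSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Event
    )
    begin { $rows = New-Object System.Collections.Generic.List[object] }
    process {
        $text = if ($Event -is [string]) { $Event } else { $Event.Message }
        # Every 4624 message carries the literal field "Package Name (NTLM only):",
        # so a "*NTLM*" wildcard also counts Kerberos logons. Read the
        # "Authentication Package:" field instead.
        if ($text -match '(?m)^\s*Authentication Package:\s+(\S+)') { $pkg = $Matches[1] } else { return }
        $type = if ($text -match '(?m)^\s*Logon Type:\s+(\d+)') { [int]$Matches[1] } else { -1 }
        $rows.Add([pscustomobject]@{ Package = $pkg; LogonType = $type })
    }
    end {
        $rows | Group-Object Package | ForEach-Object {
            [pscustomobject]@{
                Package       = $_.Name
                Count         = $_.Count
                # Logon type 3 = network. NTLM network logons usually mean clients
                # reaching servers by IP or without an SPN, so Kerberos is skipped.
                NetworkLogons = @($_.Group | Where-Object LogonType -eq 3).Count
            }
        }
    }
}

# Constructed sample messages, reduced to the fields the parser reads
$sample = @(
@"
An account was successfully logged on.
    Logon Type:            3
    Logon Process:         Kerberos
    Authentication Package: Kerberos
    Package Name (NTLM only): -
"@,
@"
An account was successfully logged on.
    Logon Type:            3
    Logon Process:         NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V2
"@
)
$sample | Get-LogonPackageSummary | Format-Table -AutoSize
```

Against live data, pipe `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-1)}` into the function; a large NTLM share among network logons points at clients that cannot obtain Kerberos tickets.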

When patches don't resolve the issue:

# Registry tweaks (Windows Server 2016+; both require a reboot)
# LsaCfgFlags enables Credential Guard (1 = enabled with UEFI lock, 2 = enabled without lock),
# which moves secrets into a VBS-isolated process; it needs virtualization-based security support
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 1 -Type DWord

# Enable LSA protection: runs LSASS as a protected process light, so unsigned
# or non-protected code cannot read its memory (prevents credential theft too)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -Type DWord

# Adjust Kerberos ticket lifetime (Group Policy)
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
"Network security: Kerberos ticket lifetime" → Set to 600 minutes (10 hours)

For deep diagnostics:

# Start LSASS ETW tracing
logman start LSASS_Trace -p {6A49261D-8215-46C3-B000-93B9B96B1265} 0xFFFFFF -o lsass.etl -ets

# After reproducing the issue:
logman stop LSASS_Trace -ets

# Analyze with Windows Performance Analyzer
wpa.exe lsass.etl

For persistent issues:

  • Deploy read-only domain controllers for authentication-heavy locations
  • Implement authentication silos for high-privilege accounts
  • Consider moving to Azure AD hybrid for cloud-based auth