LSASS.exe concerns



CaptainMooseInc
03-20-2006, 09:27 PM
I typed the process name in all CAPS to let you know it is the correct one I'm entering and not isass.exe.

This is a "vital" system process, though for the 2 people's computers I've looked at I've found theirs is using 0% CPU cycles and around 1056K system memory.

Mine's constantly running between 4000-8000K and 50-85% of my CPU cycles. I don't understand why it's all of a sudden running at such a massive load, but I see no signs of my system being hacked and no dupe copies of LSASS.exe anywhere else on my system. The date created for the file is March 23, 2003 whilst the others are somewhere in 2002. I dunno.

I'm continuing to look into this as you are reading but I am running out of roads to travel and am hoping for suggestions from others.

-Jeff

IronBits
03-20-2006, 11:14 PM
The lsass.exe file is properly located in the c:\windows\System32 folder: if you find it anywhere else on your system, it's actually a virus, trojan, worm or even spyware, and should be deleted!
There are three viruses I found evidence of that use either this exact filename or a darn similar one:
W32.Nimos.Worm
W32.Sasser.E.Worm (Lsasss.exe)
W32.HLLW.Lovgate.C@mm
More: http://www.enterasys.com/support/security/incidents/2004/05/10860.html
Are you running Windows 2000 or XP? Domain controller? Anything else special?
Any error messages in the logfiles?
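The location check IronBits describes (the real lsass.exe lives only in System32; lookalike names such as isass.exe or Lsasss.exe run from elsewhere) can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not IronBits' or any vendor's code: it lists every process whose image name resembles lsass.exe, records its path, parent and Authenticode status, and flags anything that is not the single signed copy at the expected path. The lookalike regex and the object layout are my own choices.

```powershell
# Added example: find lsass.exe and any lookalike process names, and flag ones that
# do not run from %SystemRoot%\System32 or are not validly signed.
$system32 = Join-Path $env:SystemRoot 'System32'
$expected = Join-Path $system32 'lsass.exe'

# Constructed lookalike pattern: leading l/i/1 (e.g. isass.exe) and extra trailing s (e.g. lsasss.exe).
$pattern = '^[li1]sas+\.exe$'

$findings = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path -and (Test-Path $path)) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'Unknown' }
        $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID              = $_.ProcessId
            Name             = $_.Name
            Path             = $path
            Parent           = if ($parent) { $parent.ProcessName } else { "(pid $($_.ParentProcessId))" }
            ExpectedLocation = ($path -ieq $expected)
            Signature        = $sig
        }
    }

$findings | Format-Table -AutoSize

# On a normal workstation: exactly one lsass.exe, at the expected path, Signature = Valid,
# parented by winlogon.exe (XP) or wininit.exe (Vista and later).
$suspicious = $findings | Where-Object { -not $_.ExpectedLocation -or $_.Signature -ne 'Valid' }
$lsassCount = @($findings | Where-Object { $_.Name -ieq 'lsass.exe' }).Count

if ($suspicious) {
    Write-Warning 'Processes that are not the signed System32 lsass.exe:'
    $suspicious | Format-Table -AutoSize
}
if ($lsassCount -ne 1) {
    Write-Warning "Expected exactly one lsass.exe process, found $lsassCount"
}
```

Get-CimInstance needs PowerShell 3 or later; on the Windows XP / 2000 systems in this thread the equivalent is Get-WmiObject Win32_Process with the same property names. Seeing several lsass.exe entries in Task Manager on XP is normal only when they are different file views of the one process, so a count other than one from this script is worth a closer look.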

Merlin45
03-20-2006, 11:27 PM
WinXP Pro.

In Windows\system32, 12KB in size, service pack 1


Win2000Pro

winnt\system32, 33KB, service pack 4



That's what I find so far....

CaptainMooseInc
03-21-2006, 04:56 AM
Running WinXP Pro (good call Merlin, also, did my Linspire ever show up there?).

It's only on my system 3 times (as it should be compared to other PCs).

I dunno wtf is going on. I ran Symantec Anti-Virus last night before going to bed and when I woke up it was done and nothing was found.

So I CTRL+ALT+DELed and LSASS.exe was down to 1546KB in size and using 0% of my CPU.

So for some reason my LSASS.exe isn't backing off the first 30 mins or so my computer is on but sometime after that (not sure how long) it finally does settle down.

Don't think I have any Domain Controllers or whatnot on here (dunno really what they are). It did all start after I put VMware on here though. Found out that program loads a few processes at startup and that's gonna be put to a stop.

meep
03-21-2006, 07:58 AM
If you are experiencing this process occupying higher than normal amounts of system memory following boot, it may be worth checking your security log. As Lsass.exe is responsible for processing system authentication, if it is working hard it will be logging a lot...
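meep's suggestion, checking whether a busy lsass.exe corresponds to a burst of authentication activity, can be made concrete by counting Security-log events since the last boot. The script below is an added example and not meep's code; it assumes a Vista-or-later system (Get-WinEvent and the 4xxx event IDs), an elevated prompt, and that audit logon events are enabled. It summarises events by ID and then breaks failed logons (4625) down by source address.

```powershell
# Added example: summarise Security-log activity since boot to see whether lsass.exe
# is busy because it is processing (or rejecting) a lot of logons.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $boot } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Security events since boot at $boot (is logon auditing enabled?)"
    return
}

# Top event IDs since boot. 4624 = logon success, 4625 = logon failure,
# 4776 = NTLM credential validation, 4768 = Kerberos TGT request.
Write-Host "Security events since boot ($boot), top IDs:"
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, @{ n = 'EventId'; e = { $_.Name } } |
    Format-Table -AutoSize

# Failed logons grouped by the address they came from. A long list from one address
# right after boot is the kind of thing that keeps lsass.exe busy.
$failed = $events | Where-Object Id -eq 4625 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $d['TargetUserName']
        From    = $d['IpAddress']
        Status  = $d['Status']
    }
}

if ($failed) {
    Write-Host "Failed logons (4625) since boot, by source address:"
    $failed | Group-Object From | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Source'; e = { $_.Name } } |
        Format-Table -AutoSize
} else {
    Write-Host "No failed logons since boot."
}
```

On the XP and 2000 systems in this thread the Security log is read with Get-EventLog -LogName Security instead, and the corresponding IDs are 528 (successful logon), 529 (failed logon) and 680 (NTLM credential validation). Either way, a high lsass.exe CPU reading with an essentially empty Security log points away from authentication load and toward something else in the process, such as the third-party module angle discussed later in the thread.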

CaptainMooseInc
04-04-2006, 08:40 PM
I found a really good (and free) program called Process Explorer.

In it you can actually see the threads of processes. I found a thread process in LSASS.exe that started out with ntdll.dll

At first I thought "NT...Norton...my anti-virus has a memory leak", but I was wrong. NTDLL.DLL is part of Windows and whatnot. There was a known exploit back for Win2K but nothing about it being exploited in WinXP Pro.

Now every time I restart I load up Process Explorer and kill that thread and my LSASS.exe drops down to "normal" conditions using what all of you say yours uses.
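Rather than killing a thread inside lsass.exe (which can destabilise logon handling), a defender's first question is which modules are loaded into the process and whether all of them are signed system files. lsass.exe is extensible through the Authentication Packages, Security Packages and Notification Packages values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so third-party software (the poster suspects VMware) can legitimately end up inside it. The script below is an added example, not code from the thread or from Process Explorer: it lists every module loaded in lsass.exe with its signature status and directory, and then prints those registry lists so anything unexpected can be matched up.

```powershell
# Added example: inventory the modules loaded into lsass.exe and the LSA package
# registry values that cause extra DLLs to be loaded there. Run elevated, from a
# PowerShell whose bitness matches the OS so module enumeration works.
$system32 = Join-Path $env:SystemRoot 'System32'
$lsass    = Get-Process -Name lsass -ErrorAction Stop

$modules = $lsass.Modules | ForEach-Object {
    $file = $_.FileName
    [pscustomobject]@{
        Module    = $_.ModuleName
        Directory = Split-Path $file -Parent
        InSystem32 = ((Split-Path $file -Parent) -ieq $system32)
        Signature = (Get-AuthenticodeSignature -FilePath $file).Status
    }
}

Write-Host "Modules loaded into lsass.exe (PID $($lsass.Id)): $($modules.Count)"
# Anything outside System32 or not validly signed is where to start reading, not killing.
$review = $modules | Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' }
if ($review) {
    Write-Warning 'Modules outside System32 or without a valid signature:'
    $review | Sort-Object Directory | Format-Table -AutoSize
} else {
    Write-Host 'All loaded modules are validly signed files in System32.'
}

# LSA extension points: each name listed here is a DLL that lsass.exe loads at startup.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey
foreach ($value in 'Authentication Packages', 'Security Packages', 'Notification Packages') {
    Write-Host "${value}: $($lsa.$value -join ', ')"
}
```

A module that is unsigned, or signed but living outside System32, is worth correlating with the Process Explorer thread the poster saw: Process Explorer's thread view shows the start module of each thread, and a third-party DLL from the list above is a far more likely owner of a busy thread than ntdll.dll itself, which is just where most thread start addresses resolve.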

IronBits
04-04-2006, 10:34 PM
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Under Technical Details

Vulnerability Identifiers   Impact of Vulnerability   Windows 2000   Windows XP   Windows Server 2003
LSASS Vulnerability         Remote Code Execution     Critical       Critical     Low

CaptainMooseInc
04-04-2006, 10:45 PM
Well this is kinda odd.

Win XP Pro SP2 isn't supposed to be affected.

Apparently it still is. Though my system detects no problems, every online port scanner says I'm pretty much locked up tight.

Dual firewalls, one physical in the router, and ZoneAlarm Pro.

I highly doubt my system is compromised because there's really no zombie activity going on and that thread never reactivates afterwards.

Though it's not impossible I find it highly unlikely.

This has me so confused. :bang: :bang: