Live Mesh seems to be causing lsass.exe to use excessive CPU

All replies

• 

  

  0

  Sign in to vote

  I have two local systems, both Windows 7, one 32-bit and one 64-bit, connected to a mesh of four systems (the other two are XP SP3). Within the last couple of days I have noticed task manager showing a 40%-50% load most of the time (both systems are dual core). The culprit is lsass.exe, usually running at 30% to 40%. Shutting down Live Mesh causes the CPU usage of lsass.exe to drop to 0 immediately. Restarting Live Mesh causes lsass.exe to spring back into life again.
  
  Where can I find log files that may cast some light in what is going on?

  
  hi ,
  
  http://blogs.msdn.com/livemesh/
  
  http://dev.live.com/blogs/devlive/archive/2008/04/22/279.aspx
  
  http://support.microsoft.com/search/default.aspx?mode=r&query=live+mesh&spid=global&catalog=LCID%3D1033&1033comm=1&res=20
  
  
  have a nice day

  ---

  http://www.microsoft.com/security + http://www.microsoft-hohm.com/default.aspx + http://www.getpivot.com/ + http://photosynth.net/ + http://seadragon.com/ + http://blogs.technet.com/mmpc + http://windowsteamblog.com/blogs/genuinewindows/default.aspx + http://technet.microsoft.com/en-us/sysinternals/default.aspx + https://www.microsoft.com/security/portal/Shared/Resources.aspx#rss + http://www.microsoft.com/security_essentials/ + http://onecare.live.com/site/en-us/center/whatsnew.htm + Plagued by the Privacy Center? Learn how to remove it > http://blogs.msdn.com/securitytipstalk/ + http://blogs.technet.com/ecostrat/ + http://memory.dataram.com/products-and-services/software/ramdisk + 50 Windows Tips > http://windowsvj.com/wpblog/2009/12/windowsvj-xclusive-release-windows-7-tips-tricks-ebook/ + http://windowsteamblog.com/

  Monday, January 4, 2010 9:34 AM
• 

  

  0

  Sign in to vote

  Thanks for the links, but I cannot find any reference to lsass or Live Mesh event logging on any of them...

  Monday, January 4, 2010 12:54 PM
• 

  

  0

  Sign in to vote

  I've never heard of this relationship of high CPU for LSASS.EXE and Live Mesh. Usually, high CPU for Live Mesh can be attributed to moe.exe and happens when it is churning through loads of data. LSASS.exe is used for security, but I'm not sure how it interacts with Live Mesh.
  It *can* be a trojan, though, so it may be worth doing a full scan of your system.
  http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
  
  -steve
  
  

  ---

  ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~

  Monday, January 4, 2010 3:51 PM

  Moderator
• 

  

  0

  Sign in to vote

  Thanks for the links, but I cannot find any reference to lsass or Live Mesh event logging on any of them...

  
  hi ,
  
  post your Q in the live mesh blog by all means , ....
  
  the help if its of any use
  
  http://help.live.com/help.aspx?project=live_mesh&market=EN-US&querytype=keyword&query=qaf
  
  have a nice day
  
  going to check it myself in the morning also
  

  ---

  http://www.microsoft.com/security + http://www.microsoft-hohm.com/default.aspx + http://www.getpivot.com/ + http://photosynth.net/ + http://seadragon.com/ + http://blogs.technet.com/mmpc + http://windowsteamblog.com/blogs/genuinewindows/default.aspx + http://technet.microsoft.com/en-us/sysinternals/default.aspx + https://www.microsoft.com/security/portal/Shared/Resources.aspx#rss + http://www.microsoft.com/security_essentials/ + http://onecare.live.com/site/en-us/center/whatsnew.htm + Plagued by the Privacy Center? Learn how to remove it > http://blogs.msdn.com/securitytipstalk/ + http://blogs.technet.com/ecostrat/ + http://memory.dataram.com/products-and-services/software/ramdisk + 50 Windows Tips > http://windowsvj.com/wpblog/2009/12/windowsvj-xclusive-release-windows-7-tips-tricks-ebook/ + http://windowsteamblog.com/

  • Edited by Dabur972 Monday, January 4, 2010 7:28 PM ps

  Monday, January 4, 2010 7:27 PM
• 

  

  0

  Sign in to vote

  Hi Steve,
  
  MSE reports "No threats were detected..." on a full scan.
  
  The tie-in between Live Mesh and lsass CPU usage is rock solid.
  
  With Mesh shut down the total CPU load is about 0% to 1%.
  
  With Mesh running the total CPU load is about 50% to 60%, split about 80/20 between lsass.exe/moe.exe
  
  Same behaviour on two systems...
  
  All the best,
  
  Dave

  Monday, January 4, 2010 7:47 PM
• 

  

  0

  Sign in to vote

  Hi, Dave.
  As I noted, I've not seen this before. Since we're pretty sure there's no Trojan involved, then it would seem that some other external issue is casing moe.exe and lsass.exe to go into this ramped up state.
  Since you're seeing it on 2 systems, I'm inclined to look for something else that is common to these two systems.
  Has anything else changed on these 2 systems at about the time you noticed this increased activity?
  If you disable MSE real time protection - any difference? (Speculating that it may be a signature update or engine update...)
  If you uninstall/reinstall Live Mesh, any difference?
  
  You may want to go ahead an submit a bug report with logs from both affected machines:
   

  How to Submit Bugs and Live Mesh Logs

  Note that you may not receive a response to the bug report, though. It will be transferred to the internal system to be assigned to the appropriate development group.
  
  -steve

  ---

  ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~

  Tuesday, January 5, 2010 1:58 PM

  Moderator
• 

  

  0

  Sign in to vote

  Hi Steve,
  
  Looking through the event log I find "Session "WLCShell" failed to start with the following error: 0xC0000022" followed by "Session "Moe" failed to start with the following error: 0xC0000022" logged immediately after I restart Live Mesh from the start menu. These errors are logged, and moe.exe and lsass.exe continue to burn CPU, regardless of the real-time protection state of MSE. I'll try a reinstall later, and get back to you...
  
  Dave

  Thursday, January 7, 2010 1:09 AM
• 

  

  0

  Sign in to vote

  The logged errors do seem to add some decent clues...
  That error typically is an initialization error caused by a problem with permissions. Since we know that LSASS.exe handles security on the file system. Live Mesh needs to deal with "hashes" of the files in your Mesh folders in order to determine what has changed. WLCShell is the DLL for the Live Mesh shell extension - that is the part of Live Mesh that hooks into Windows Explorer and adds the functionality of the blue folder icons and right click add to Mesh stuff.
  I found one Connect bug for this error from last March on Windows 7 with another user validating that they also got the error on build 7100 of Win7. No mention of Lsass.exe, though. The bug is open with no feedback from Microsoft, though.
  
  Did you do anything with the permissions or system accounts on these Win7 machines perhaps?
  
  -steve

  ---

  ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~

  Thursday, January 7, 2010 5:32 PM

  Moderator
• 

  

  0

  Sign in to vote

  Found it. The target folder that MOE was trying to sync into was encrypted (EFS). There is a bug report on this on Connect from July, open, with no feedback. Interestingly, the Connect report makes no mention of LSASS.exe. It looks like Mesh can sync files from an EFS folder, but not into an EFS folder. Removing the encryption gets things back to normal - so there is a workaround, but not a very nice one!

  • Marked as answer by Dave Nuttall Saturday, January 9, 2010 12:55 AM

  Friday, January 8, 2010 1:42 AM
• 

  

  0

  Sign in to vote

  Hi Steve,
  
  Looking through the event log I find "Session "WLCShell" failed to start with the following error: 0xC0000022" followed by "Session "Moe" failed to start with the following error: 0xC0000022" logged immediately after I restart Live Mesh from the start menu. These errors are logged, and moe.exe and lsass.exe continue to burn CPU, regardless of the real-time protection state of MSE. I'll try a reinstall later, and get back to you...
  
  Dave

  
  hi ,
  
  dont know if this can help
  
  http://support.microsoft.com/search/default.aspx?query=0xC0000022
  
  by the way , some of the errors are fixed with the onecare scan, or an other reg fix utility
  
  have a nice day

  ---

  Scan with OneCare + 50 Windows 7even Tips + Plagued by the Privacy Center? Learn how to remove it + Threat Research & Response Blog + Sysinternals Live tools + PIVOT from Live Labs + See what Photosynth does best! + Microsoft Security + need help ? go to Microsoft Support + Microsoft Live Labs

  Friday, January 8, 2010 9:59 PM
• 

  

  0

  Sign in to vote

  Found it. The target folder that MOE was trying to sync into was encrypted (EFS). There is a bug report on this on Connect from July, open, with no feedback. Interestingly, the Connect report makes no mention of LSASS.exe. It looks like Mesh can sync files from an EFS folder, but not into an EFS folder. Removing the encryption gets things back to normal - so there is a workaround, but not a very nice one!

  
  Excellent detective work! Thanks for reporting your findings of the cause.
  -steve

  ---

  ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~

  Monday, January 11, 2010 4:12 PM

  Moderator