Shulou(Shulou.com)06/02 Report--

Lsass process is a system process, when it is found that this process takes up a lot of memory (some occupy 3G memory), the memory directly reaches more than 90% on some servers where the memory is not very large.

The following is the main situation on the server where these memory problems are found:

1. The antivirus software scans out the same virus file. (look at the scanned virus file, suspected to be blackmail virus)

two。 The size of the system file lsass.exe becomes 30.5K (the original normal file size is 30.0K).

Handling method:

There are two processing methods found on the Internet, one is patching (Windows 7 SP1 and Windows Server 2008 R2 SP1 (KB3156417)). The other is to use PE to replace lsass program files.

I have tested both methods. First of all, I would like to talk about the PE method (be sure to back up the system or clone it). It is not easy to enter PE into the virtual machine. You can first prepare a PE image, and then switch the image to the PE image. After entering, it is found that the file manager with PE can not directly manipulate the lsass file, which seems to be insufficient permissions. Then I use the DiskGenius partitioning tool in PE, find the lsass file, and replace it. It was successful on the first server 2008 R2 machine, booted up normally, and the memory was normal. The same operation on the second server 2008 R2 turns on the blue screen! So when using PE, you must pay attention to backup or mirror image.

The second method is to patch. At that time, the machine patch was so old that there was only one patch on it.

Then I will directly update the system to open, update the patch to the latest

After reboot, the memory came down, and the lsass file was restored to 30.0K. But there are no patches for KB3156417. If you make a patch, it is recommended to update all the patches directly to the latest.

People who encounter the same problem are advised to check and kill the virus first, and then keep the patch up to date. It is recommended that you do not replace the file with PE, and there may be an irreversible blue screen (after testing, it will be a blue screen even if the abnormal lsass program is replaced back).

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.