[Vista] lsass.exe and explorer.exe eating my CPU

[InlineFive]

Hello everone,

Recently I've been having problems with lsass.exe (LSASRV.dll!sarLookupSidsX+XxcXX) and explorer.exe (SHLWAPI.dll!Ordinal629+XxXXX) eating up my CPU. They both start competing for 100% clock cycles at around the same time for minutes.

1. I've tried four different antivirus scanners on the system with no reduction in CPU usage. In addition, none of them detected any viruses (McAfee, Kaspersky, Trend Micro and CA).
2. I've tried running the computer with the Diagnostic Startup but no effet.

I'm confused as to what could be causing this problem.

Any ideas?

Thanks!

I5

 

[stash]

Are you using process explorer? If so, can you copy and paste the stack traces for the threads that are using up the CPU?

 

[InlineFive]

#explorer.exe thread SHLWAPI.dll!Ordinal629+0x161
ntdll.dll!KiFastSystemCallRet
SHELL32.dll!Ordinal241+0xa03
SHELL32.dll!SHGetAttributesFromDataObject+0xb1f
SHELL32.dll!IsLFNDrive+0x13e5
SHELL32.dll!IsLFNDrive+0x1421
SHELL32.dll!AssocGetDetailsOfPropKey+0x7861
SHELL32.dll!StrStrIW+0x24f8
PROPSYS.dll!PSGetPropertyKeyFromName+0x162
PROPSYS.dll!Ordinal400+0x688
PROPSYS.dll!Ordinal400+0x6a3
PROPSYS.dll!Ordinal400+0x1c9
PROPSYS.dll!Ordinal400+0x148
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6a12
SHELL32.dll!SHGetPropertyStoreFromIDList+0x69e7
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6c90
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6c27
SHELL32.dll!Ordinal838+0x3868
SHELL32.dll!SHPropStgReadMultiple+0x15cd
SHELL32.dll!SHPropStgReadMultiple+0x1538
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6bd2
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6881
SHELL32.dll!Ordinal873+0x83e
SHELL32.dll!Ordinal838+0x1814
SHELL32.dll!Ordinal838+0x1612
SHLWAPI.dll!Ordinal629+0x1f9
kernel32.dll!BaseThreadInitThunk+0x12
ntdll.dll!LdrInitializeThunk+0x4d

# explorer.exe thread SHLWAPI.dll!Ordinal629+0x161
ntdll.dll!KiFastSystemCallRet
kernel32.dll!GetExitCodeProcess+0x797
kernel32.dll!GetExitCodeProcess+0x105
kernel32.dll!GetVolumePathNameW+0x156
feclient.dll!FeClientInitialize+0x278
feclient.dll!FeClientInitialize+0xbff
SHELL32.dll!SHLoadInProc+0x5bf0
SHELL32.dll!SHChangeNotifyDeregister+0x166b2
SHELL32.dll!AssocGetDetailsOfPropKey+0x77fa
SHELL32.dll!StrStrIW+0x24f8
PROPSYS.dll!PSGetPropertyKeyFromName+0x162
PROPSYS.dll!Ordinal400+0x688
PROPSYS.dll!Ordinal400+0x6a3
PROPSYS.dll!Ordinal400+0x1c9
PROPSYS.dll!Ordinal400+0x148
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6a12
SHELL32.dll!SHGetPropertyStoreFromIDList+0x69e7
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6c90
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6c27
SHELL32.dll!Ordinal838+0x3868
SHELL32.dll!SHPropStgReadMultiple+0x15cd
SHELL32.dll!SHPropStgReadMultiple+0x1538
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6bd2
SHELL32.dll!SHGetPropertyStoreFromIDList+0x6881
SHELL32.dll!Ordinal873+0x83e
SHELL32.dll!Ordinal838+0x1814
SHELL32.dll!Ordinal838+0x1612
SHLWAPI.dll!Ordinal629+0x1f9
kernel32.dll!BaseThreadInitThunk+0x12
ntdll.dll!LdrInitializeThunk+0x4d

# lsass.exe thread LSASRV.dll!LsarLookupSids2+0cx27
ntdll.dll!KiFastSystemCallRet
kernel32.dll!WaitForSingleObject+0x12
LSASRV.dll!LsarClose+0x1252
LSASRV.dll!LsarClose+0x11df
LSASRV.dll!LsarLookupSids2+0xc7b
kernel32.dll!BaseThreadInitThunk+0x12
ntdll.dll!LdrInitializeThunk+0x4d

 

[stash]

It looks like lsass is trying to do a SID to username lookup on an object. Are you doing anything in particular when you have this problem?

 

[VirtualLarry]

This sounds similar to the issue that I saw mentioned some time in the past, about Explorer.exe doing a lookup for a full username, for the "crumbs" bar, and there being a slowdown of about 30 seconds, if the machine had been part of a domain but was not currently connected to such.

 

[stash]

^^Yeah, I was thinking that too. Mark Russinovitch is the one who blogged about that bug. But I've experienced that myself, and I haven't had the issue of lsass and explorer hogging the CPU.

 

[InlineFive]

This computer has never been connected to a domain. I've been watching the patterns for this problem and I can't find anything to put me on the right track.

I'll probably reinstall Vista as soon as I can since this is random and frusterating.

Thanks for your help all!

 

[oog]

do you have any mapped drives to locations that are not available?

 

[InlineFive]

Originally posted by: oog
do you have any mapped drives to locations that are not available?

No. I've checked netstat /a occasionally but there usually isn't much going on. Next time it happens I'll post the output from that command.

 

[magreen]

Oh my gosh, this lsass.exe is killing me on my Vista machine!
It just started happening about a week ago. Whenever I open an internet explorer window, lsass.exe jumps to 100% usage, and I have a dual core machine. (It has about 13 threads acc. to Windows Task Manager). Also, whenever I click Reply or Quote or Edit in the forums here to pop up a window, the computer freezes for about 10-20 seconds as lsass.exe uses 100% cpu usage!

This is driving me absolutely nuts. I have Vista Home Premium SP1 and IE 7.0.6001.18000.

Help! I searched on Google and found tons of people with this problem and zero solutions.