LSA Process Slowing Down Multiple Computers by Excessively Accessing Disk

David Owens 0

I'm seeing this happen on 5 different Windows 11 computers on a small domain. All of the affected machines are the newest ones that came pre-installed with Windows 11. None of the older Windows 10 machines are affected and it looks like none of the machines that originally came installed with Windows 10 and then got the Windows 11 upgrade have the issue.

The Local Security Authority Process is using the SSD more and more after boot until it gets to the point the user has to restart to make the machine usable again after a few hours. I've seen the access get up to 40MB/s in Task Manager.

I've checked extensively for malware and ran SFC & DISM to fix any system file problems.

Looking at the Event Logs I see an LSA warning "Credential Guard is configured to run, but is not licensed. Credential Guard was not started." Event ID: 6147.

I also have "LSA package was not signed as expected. This can cause unexpected behavior with Credential Guard." Event ID: 6155. This is for several packages: negoexts, kerberos, etc.

The event logs also have a TPM-WMI error "The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine." Event ID: 1796.

All of these events are on each machine with the slowdown problem.

3 answers

Vaidish 76 Reputation points

2024-09-12T05:26:59.3333333+00:00

Hello David,

Thanks for posting in the forum.

Please answer below questions:
What is the pattern of the issue?
What is the or Was the Baseline of CPU on the machine prior to the issue?
If the CPU Spike is Intermittent, Is there a Time or Sequence where the problem is more likely to occur?
How long does the CPU spike last?
Is just the LSASS.exe spiking or Other process also spiking together
Can you confirm if its Lsass high cpu or high memory. What is the total consumption of the Lsass process. Is there any pattern seen with the issue
Are the machines updated with latest windows ptach?

Also kindly share the complete detail of event 6155,1796

Regards,
Vaidish
Please sign in to rate this answer.
David Owens 0 Reputation points

2024-09-12T14:54:38.14+00:00

"What is the pattern of the issue?"

The LSA Process uses more and more disk after Win11 boots. I don't know if it's reading or writing to the SSD. It starts out less than 1MB/s and grows to over 40MB/s over a couple of hours. The CPU usage of the LSA Process is only about 0.5%-0.9%. The Memory usage is about 11.5MB. There also some network usage of 0.1Mbps. It's the excess Disk access that slows down the system.

"What is the or Was the Baseline of CPU on the machine prior to the issue?"

CPU usage was around 0%-1% idling before the issue, as far as I can remember.

"If the CPU Spike is Intermittent, Is there a Time or Sequence where the problem is more likely to occur?"

This happens any time Win11 is running and gets worse over time until the system is restarted.

"How long does the CPU spike last?"

This lasts as long as Win11 runs.

"Is just the LSASS.exe spiking or Other process also spiking together"

I'm not seeing anything other than LSASS.exe have any kind of CPU/Disk spike.

"Can you confirm if its Lsass high cpu or high memory. What is the total consumption of the Lsass process?"

The performance problem is high Disk. It seems to run around 15MB/s just idling on the desktop, which shouldn't be happening, and then spikes to 40MB/s when I run any application, such as just running Microsoft Word. Lsass CPU ~2.0% Memory ~17MB as I'm watching Task Manager right now.

"Is there any pattern seen with the issue?"

The only pattern I can see is that this issue only affects the newer Win11 machines that came pre-installed with Win11. None of the older Win10 machines have the issue, and it looks like the machines that came preinstalled with Win10 and then got upgraded to Win11 do not have the issue. I don't know if that's because of software or because the older machines have different hardware.

"Are the machines updated with latest windows ptach?"

Yes. The machines have 23H2 Build 22631.4169 with the latest release fixes installed.

"Also kindly share the complete detail of event 6155"

I have an event 6155 for several more packages.

Log Name: System

Source: LsaSrv

Date: 9/10/2024 9:23:52 AM

Event ID: 6155

Task Category: None

Level: Warning

Keywords:

User: SYSTEM

Computer: taxprep10.****

Description:

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

PackageName: negoexts

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="LsaSrv" Guid="{199fe037-2b82-40a9-82ac-e1d46c792b99}" /> <EventID>6155</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2024-09-10T13:23:52.0983522Z" /> <EventRecordID>109918</EventRecordID> <Correlation /> <Execution ProcessID="1252" ThreadID="1256" /> <Channel>System</Channel> <Computer>taxprep10.**</Computer> <Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="PackageName">negoexts</Data>

</EventData>

</Event>

"Also kindly share the complete detail of event 1796"

I've looked at this and noticed none of the machines have Secure Boot set to On. I've always just kept the BIOS defaults and then installed Windows. Having Secure Boot Off never caused a problem.

Log Name: System

Source: Microsoft-Windows-TPM-WMI

Date: 9/10/2024 9:28:33 AM

Event ID: 1796

Task Category: None

Level: Error

Keywords:

User: SYSTEM

Computer: taxprep10.**

Description:

The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-TPM-WMI" Guid="{7d5387b0-cbe0-11da-a94d-0800200c9a66}" /> <EventID>1796</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2024-09-10T13:28:33.9400125Z" /> <EventRecordID>109998</EventRecordID> <Correlation /> <Execution ProcessID="4876" ThreadID="2276" /> <Channel>System</Channel> <Computer>taxprep10.**</Computer> <Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="HResult">-2147020471</Data>

</EventData>

</Event>

David Owens 0 Reputation points

2024-09-12T15:17:43.0066667+00:00

In case you need it, here are the specs of two of the Win11 Pro workstations that have the Lsass issue.

i5-13500

32GB RAM

1TB SSD

David Owens 0 Reputation points

2024-09-12T15:42:48.0066667+00:00

"What is the pattern of the issue?"

The Local Security Authority Process is using the SSD more and more after boot until it gets to the point the user has to restart to make the machine usable again after a few hours. I've seen the access get up to 40MB/s in Task Manager.

"What is the or Was the Baseline of CPU on the machine prior to the issue?"

1%-2% idling on the desktop, if I remember correctly.

"If the CPU Spike is Intermittent, Is there a Time or Sequence where the problem is more likely to occur?"

Disk usage by Lsass increases over time until a Windows restart. It usually gets up to around 10MB/s and then usage spikes to 40MB/s whenever any application is run. Goes back down to 10MB/s after about 5 seconds.

"How long does the CPU spike last?"

The big 40MB/s Disk spikes last about 5 seconds but high 10MB/s Disk usage is constant. CPU spikes to about 4% when Disk goes to 40MB/s. This happens when an application is first run.

"Is just the LSASS.exe spiking or Other process also spiking together"

I'm not seeing any other process spike.

"Can you confirm if its Lsass high cpu or high memory. What is the total consumption of the Lsass process."

Mostly high Disk usage. I see a constant 1% CPU 14MB RAM 13MB/s Disk. Spikes go to 4% CPU 14MB RAM 40MB/s Disk.

"Is there any pattern seen with the issue"

The only pattern I've seen is that it seems to affect the newest computers that came pre-installed with Win11. None of the older Win10 workstations have this issue and it seems like none of the machines that came pre-installed with Win10 and then got upgraded to Win11 have the issue.

"Are the machines updated with latest windows ptach?"

Yes, they have 23H2 Build 22631.4169 with all of the release updates.

"Also kindly share the complete detail of event 6155,"

This event is happening for 9 other packages.

Log Name: System

Source: LsaSrv

Date: 9/10/2024 9:23:52 AM

Event ID: 6155

Task Category: None

Level: Warning

Keywords:

User: SYSTEM

Computer: taxprep10..

Description:

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

PackageName: negoexts

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="LsaSrv" Guid="{199fe037-2b82-40a9-82ac-e1d46c792b99}" /> <EventID>6155</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2024-09-10T13:23:52.0983522Z" /> <EventRecordID>109918</EventRecordID> <Correlation /> <Execution ProcessID="1252" ThreadID="1256" /> <Channel>System</Channel> <Computer>taxprep10.*.*</Computer> <Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="PackageName">negoexts</Data>

</EventData>

</Event>

"Also kindly share the complete detail of event 1796,"

I've looked at this and noticed none of the machines have Secure Boot turned On. I've always just kept the BIOS defaults and then installed Win10/11. Secure Boot being Off didn't seem to affect the other workstations.

Log Name: System

Source: Microsoft-Windows-TPM-WMI

Date: 9/10/2024 9:24:00 AM

Event ID: 1796

Task Category: None

Level: Error

Keywords:

User: SYSTEM

Computer: taxprep10..

Description:

The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-TPM-WMI" Guid="{7d5387b0-cbe0-11da-a94d-0800200c9a66}" /> <EventID>1796</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2024-09-10T13:24:00.1175056Z" /> <EventRecordID>109974</EventRecordID> <Correlation /> <Execution ProcessID="3032" ThreadID="6324" /> <Channel>System</Channel> <Computer>taxprep10.*.*</Computer> <Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="HResult">-2147020471</Data>

</EventData>

</Event>

David Owens 0 Reputation points

2024-09-12T15:45:52.42+00:00

"What is the pattern of the issue?"

The Local Security Authority Process is using the SSD more and more after boot until it gets to the point the user has to restart to make the machine usable again after a few hours. I've seen the access get up to 40MB/s in Task Manager.

"What is the or Was the Baseline of CPU on the machine prior to the issue?"

1%-2% idling on the desktop, if I remember correctly.

"If the CPU Spike is Intermittent, Is there a Time or Sequence where the problem is more likely to occur?"

Disk usage by Lsass increases over time until a Windows restart. It usually gets up to around 10MB/s and then usage spikes to 40MB/s whenever any application is run. Goes back down to 10MB/s after about 5 seconds.

"How long does the CPU spike last?"

The big 40MB/s Disk spikes last about 5 seconds but high 10MB/s Disk usage is constant. CPU spikes to about 4% when Disk goes to 40MB/s. This happens when an application is first run.

"Is just the LSASS.exe spiking or Other process also spiking together"

I'm not seeing any other process spike.

"Can you confirm if its Lsass high cpu or high memory. What is the total consumption of the Lsass process."

Mostly high Disk usage. I see a constant 1% CPU 14MB RAM 13MB/s Disk. Spikes go to 4% CPU 14MB RAM 40MB/s Disk.

"Is there any pattern seen with the issue"

The only pattern I've seen is that it seems to affect the newest computers that came pre-installed with Win11. None of the older Win10 workstations have this issue and it seems like none of the machines that came pre-installed with Win10 and then got upgraded to Win11 have the issue.

"Are the machines updated with latest windows ptach?"

Yes, they have 23H2 Build 22631.4169 with all of the release updates.

"Also kindly share the complete detail of event 6155,"

This event is happening for 9 other packages.

Log Name: System

Source: LsaSrv

Date: 9/10/2024 9:23:52 AM

Event ID: 6155

Task Category: None

Level: Warning

Keywords:

User: SYSTEM

Computer: taxprep10..

Description:

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

PackageName: negoexts

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="LsaSrv" Guid="{199fe037-2b82-40a9-82ac-e1d46c792b99}" /> <EventID>6155</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2024-09-10T13:23:52.0983522Z" /> <EventRecordID>109918</EventRecordID> <Correlation /> <Execution ProcessID="1252" ThreadID="1256" /> <Channel>System</Channel> <Computer>taxprep10.*.*</Computer> <Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="PackageName">negoexts</Data>

</EventData>

</Event>

"Also kindly share the complete detail of event 1796,"

I've looked at this and noticed none of the machines have Secure Boot turned On. I've always just kept the BIOS defaults and then installed Win10/11. Secure Boot being Off didn't seem to affect the other workstations.

Log Name: System

Source: Microsoft-Windows-TPM-WMI

Date: 9/10/2024 9:24:00 AM

Event ID: 1796

Task Category: None

Level: Error

Keywords:

User: SYSTEM

Computer: taxprep10..

Description:

The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-TPM-WMI" Guid="{7d5387b0-cbe0-11da-a94d-0800200c9a66}" /> <EventID>1796</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2024-09-10T13:24:00.1175056Z" /> <EventRecordID>109974</EventRecordID> <Correlation /> <Execution ProcessID="3032" ThreadID="6324" /> <Channel>System</Channel> <Computer>taxprep10.*.*</Computer> <Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="HResult">-2147020471</Data>

</EventData>

</Event>

David Owens 0 Reputation points

2024-09-12T15:48:23.4566667+00:00

"What is the pattern of the issue?"

The Local Security Authority Process is using the SSD more and more after boot until it gets to the point the user has to restart to make the machine usable again after a few hours. I've seen the access get up to 40MB/s in Task Manager.

"What is the or Was the Baseline of CPU on the machine prior to the issue?"

1%-2% idling on the desktop, if I remember correctly.

"If the CPU Spike is Intermittent, Is there a Time or Sequence where the problem is more likely to occur?"

Disk usage by Lsass increases over time until a Windows restart. It usually gets up to around 10MB/s and then usage spikes to 40MB/s whenever any application is run. Goes back down to 10MB/s after about 5 seconds.

"How long does the CPU spike last?"

The big 40MB/s Disk spikes last about 5 seconds but high 10MB/s Disk usage is constant. CPU spikes to about 4% when Disk goes to 40MB/s. This happens when an application is first run.

"Is just the LSASS.exe spiking or Other process also spiking together"

I'm not seeing any other process spike.

"Can you confirm if its Lsass high cpu or high memory. What is the total consumption of the Lsass process."

Mostly high Disk usage. I see a constant 1% CPU 14MB RAM 13MB/s Disk. Spikes go to 4% CPU 14MB RAM 40MB/s Disk.

"Is there any pattern seen with the issue"

The only pattern I've seen is that it seems to affect the newest computers that came pre-installed with Win11. None of the older Win10 workstations have this issue and it seems like none of the machines that came pre-installed with Win10 and then got upgraded to Win11 have the issue.

"Are the machines updated with latest windows ptach?"

Yes, they have 23H2 Build 22631.4169 with all of the release updates.

David Owens 0 Reputation points

2024-09-12T15:54:54.79+00:00

"Also kindly share the complete detail of event 6155"

Source: LsaSrv

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

PackageName: negoexts

This happens for 8 other packages: kerberos, msv1_0, tspkg, pku2u, cloudap, wdigest, schannel, and sfapm.

"Also kindly share the complete detail of event 1796"

Source: Microsoft-Windows-TPM-WMI

The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

I looked at this and noticed none of the workstations have Secure Boot set to On. I've always just used the BIOS defaults and then installed Windows.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ian Xue 37,276 Reputation points Microsoft Vendor

2024-09-13T01:43:28.8133333+00:00

Hi David,

Thanks for your post. Based on my research, Isummarized the following fixes from the internet, and I hope they help. When the LSA issue has been resolved, you can see if the slow performance still exist.

Uninstall Recent Updates

Some users reported that they get rid of this error by uninstalling the recent update

Enable LSA Protection via Registry Editor

Here’s how to do it:

1. Press Win + S to evoke the search bar.

2. Type registry editor and hit Enter.

3. Go to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

4. Set the value of the registry key to: "RunAsPPL"=dword:00000001 to configure the feature with a UEFI variable. "RunAsPPL"=dword:00000002 to configure the feature without a UEFI variable (only on Windows 11, 22H2). “RunAsPPLBoot value”= dword:00000002

5. Restart the computer. If the registry key RunAsPPL does not exist create it as a New DWORD (32-bit) Value and set the Hexadecimal value to 00000002.

Turn off Credential Guard

LSA package is not signed as expected indicates that Windows Defender Credential Guard might show unexpected behavior. Therefore, you can consider disabling this feature using the following method. Navigate to local computer policy >computer configuration >administrative templates>system

From this thread, one user commented that we can ignore those, because they are related to password-based SSO. To stop the Events, we can open Regedit Navigate to key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System{199fe037-2b82-40a9-82ac-e1d46c792b99} And Set Enabled to 0 Clear all events and reboot. Reference: Configuring Additional LSA Protection

I hope this helps! Please let me know if you need any further assistance.

Best Regards,

Ian Xue

If the Answer is helpful, please click "Accept Answer" and upvote it.
Please sign in to rate this answer.
David Owens 0 Reputation points

2024-09-21T00:49:38.7266667+00:00

Here is some extra information I have on the issue. I added a new Windows 11 machine to the domain today. It did not have the lsass issue until I joined it to the domain. Lsass immediately started having the excessive Disk usage issue after the domain join.

None of the Windows 10 machines on the domain have the issue. All of the Windows 11 machines other than two have the issue. The two that do not might have originally had Windows 10 and then got an upgrade to 11.

From looking at the new workstation's event logs I can see that the "LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard" warnings were happening before the machine was ever connected to the domain network. The same with the Secure Boot error.

Ian Xue 37,276 Reputation points Microsoft Vendor

2024-09-26T00:28:30.1266667+00:00

Hi David,

As mentioned before, LSA package is not signed as expected indicates that Windows Defender Credential Guard might show unexpected behavior. Therefore, you can consider disabling this feature using the following method. Navigate to local computer policy >computer configuration >administrative templates>system

From this thread, one user commented that we can ignore those, because they are related to password-based SSO. To stop the Events, we can open Regedit Navigate to key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System{199fe037-2b82-40a9-82ac-e1d46c792b99} And Set Enabled to 0 Clear all events and reboot. Reference: Configuring Additional LSA Protection

Also, I totally understand your frustration on dealing with this issue. I will also help to do the feedback to the product team. Please don’t forget to open the Edge, press Shift+Alt+I to feedback the uservoice to the develop team. Thanks a lot for your understanding.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
David Owens 0 Reputation points

2024-09-26T23:23:13.75+00:00

Disabling Windows Defender Credential Guard did not fix the issue. I was able to find a solution to the issue when I found this question asking how to fix high disk usage by the LSA process.

https://learn.microsoft.com/en-ie/answers/questions/2043716/how-to-fix-local-security-authority-process-high-d

The fix was a registry change that sets the ProtectionPolicy entry to enable local backup of the MasterKey for login credentials.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

LSA Process Slowing Down Multiple Computers by Excessively Accessing Disk

3 answers

Your answer