Local Security Authority Process (lsass) heavy CPU load through HTTPS RRS feed

  • Question

  • User1040187954 posted

    I ran into an issue with my API generating a huge CPU load of lsass.exe. The environment :

    • Windows Server 2016
    • .NET Core 2.2 (aslo tested with .NET Core 3.0)

    In order to investigate it, I created a new ASP.NET Core website using the default template (`dotnet new web`). I updated Kestrel configuration to look like this :

    public static IHostBuilder CreateHostBuilder(string[] args) =>
            .ConfigureWebHostDefaults(webBuilder =>
                webBuilder.ConfigureKestrel((context, options) =>
                    options.AddServerHeader = false;
                    options.Listen(IPAddress.Any, 5001, listenOptions =>
                        listenOptions.UseHttps(StoreName.My, "*.mycertificate.domain", false, StoreLocation.LocalMachine);

    Alongisde this website, i created a load test using JMeter in order to hit the website with this load :

    Users load

    When running the test browsing the homepage of the website, the result is having the lsass.exe process to heavily use the CPU close the 100%.

    I ran others tests using those configurations and the result is still the same

    - Kestrel using different ways to load the certificate
    - IIS using InProcess website with a https binding on the certificate
    - HTTP.sys

    Any ideas on how to configure properly https on aspnet-core to create a heavy load API ?
    Thanks for your help

    Wednesday, October 16, 2019 12:14 PM

All replies

  • User1634355159 posted

    Hi mathieu.lutun,

    High LSASS.exe CPU utilization can be caused by many different single or combined issues.You could use the Active Directory Data Collector tool which assists in determining what the problem cause is in Windows Server 2008 and late.


    Best Regards,


    Thursday, October 17, 2019 3:21 AM
  • User1040187954 posted

    Hi Lewis,

    Unfortunately, our server is standalone wihtout any connection to an AD. Only local accounts are used when launching the app using kestrel in a console or IIS using the default app pool identity

    Here is the list of roles and features enabled on the server :

    • Roles:
      • Hyper-V
      • Web Server
    • Features
      • .NET Framework 3.5 Features
      • .NET Framework 4.6 Features
      • Containers
      • SMB
      • Telnet Client
      • Windows Defender Features
      • Windows Identity Foundation 3.5
      • Windows Powershell
      • WoW64 Support

    Thursday, October 17, 2019 8:11 AM
  • User-782232518 posted

    As lsass.exe works on several part of HTTPS sessions, it is not trivial to tell what exactly happens without things like dump analysis. Possible causes can be related to the certificate you use (some certificates require more processing than others), but that's only one of the many possibilities.

    Friday, October 18, 2019 1:41 AM