Article ID: 842382 - Last Review: October 26, 2006 - Revision: 1.8

You experience high CPU usage in the Lsass.exe process, and event 1168 is logged with an error code 8 and Internal ID 302022c on your Windows 2000-based domain controller

Hotfix download is availableHotfix Download Available
View and request hotfix downloads
View products that this article applies to.
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/) .

On This Page

Expand all | Collapse all

SYMPTOMS

You experience the following symptoms on your Microsoft Windows 2000-based domain controller:
  • You notice unexpectedly high CPU usage in the Lsass.exe process.
  • An event that is similar to the following is logged to the Directory Services event log:

    Type: Error
    Source: NTDS
    Category: Internal Processing
    Event ID: 1168
    Description:

    Additional Data
    Error value (decimal):
    8
    Error value (hex):
    8
    Internal ID 302022c

  • Your domain controller does not respond to logon requests or to user authentication requests. You have to restart your domain controller.
Back to the top

CAUSE

This problem occurs if the virtual memory address space of the Lsass.exe process is fragmented. This condition may occur if the domain controller processes heavier loads than the typical load. Specifically, you may experience this problem in one or more of the following scenarios:
  • There is no load balancing between domain controllers in your environment.
  • Microsoft System Management Server (SMS) jobs are run on many clients at the same time.
  • One of the SMS accounts is locked, and there are SMS jobs that require many authentication operations.
Note Error code 8 in event ID 1168 indicates that insufficient memory is available. Internal ID 302022c in event ID 1168 indicates that one thread that is generated by the Lsass.exe process tries to create a new heap cache, but the operation fails.
Back to the top

RESOLUTION

Hotfix information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

This hotfix requires the following hotfixes:
  • The hotfix that is documented in the following article in the Microsoft Knowledge Base:
    816542  (http://support.microsoft.com/kb/816542/ ) The Windows XP Low Fragmentation Heap algorithm feature is available for Windows 2000
  • The hotfix that is documented in the following article in the Microsoft Knowledge Base:
    835561  (http://support.microsoft.com/kb/835561/ ) An access violation occurs in Lsass.exe in Windows 2000 Server

Restart requirement

You must restart your computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version             Size   File name
-----------------------------------------------------------
24-Mar-2004  04:17  5.0.2195.6876    388,368  Advapi32.dll
24-Mar-2004  04:17  5.0.2195.6866     69,904  Browser.dll
24-Mar-2004  04:17  5.0.2195.6824    134,928  Dnsapi.dll
24-Mar-2004  04:17  5.0.2195.6876     92,432  Dnsrslvr.dll
24-Mar-2004  04:17  5.0.2195.6883     47,888  Eventlog.dll
24-Mar-2004  04:17  5.0.2195.6890    143,632  Kdcsvc.dll
11-Mar-2004  04:37  5.0.2195.6903    210,192  Kerberos.dll
21-Sep-2003  02:32  5.0.2195.6824     71,888  Ksecdd.sys
12-May-2004  21:21  5.0.2195.6924    512,784  Lsasrv.dll
26-Feb-2004  01:59  5.0.2195.6902     33,552  Lsass.exe
11-Mar-2004  04:37  5.0.2195.6897    123,152  Msv1_0.dll
24-Mar-2004  04:17  5.0.2195.6897    312,592  Netapi32.dll
24-Mar-2004  04:17  5.0.2195.6891    371,472  Netlogon.dll
13-May-2004  00:12  5.0.2195.6924    933,136  Ntdsa.dll
24-Mar-2004  04:17  5.0.2195.6897    388,368  Samsrv.dll
24-Mar-2004  04:17  5.0.2195.6893    111,376  Scecli.dll
24-Mar-2004  04:17  5.0.2195.6903    253,200  Scesrv.dll
05-Feb-2004  22:18  5.0.2195.6896  5,869,056  Sp3res.dll
05-Apr-2004  19:26  5.4.15.0           6,656  Spmsg.dll
05-Apr-2004  19:27  5.4.15.0         158,208  Spuninst.exe
24-Mar-2004  04:17  5.0.2195.6824     50,960  W32time.dll
21-Sep-2003  02:32  5.0.2195.6824     57,104  W32tm.exe
20-Sep-2003  00:09                    4,092  Eula.txt
13-May-2004  00:26                     13,004  Kb842382.cat
05-Apr-2004  19:27  5.4.15.0          22,016  Spcustom.dll
05-Apr-2004  19:26  5.4.15.0         616,960  Update.exe
13-May-2004  00:06                    40,668  Update.inf
13-May-2004  00:22                     1,403  Update.ver

Enable the hotfix

This hotfix includes functionality that lets you perform the following operations:
  • Reduce the virtual memory fragmentation that is generated by the Lsass.exe process.
  • Reduce the amount of virtual memory that the Lsass.exe process consumes when it processes Lightweight Directory Access Protocol (LDAP) requests.
To enable the functionality that is included in this hotfix, you must add two registry entries.
Add the UseLowFragHeap registry entry to reduce the virtual memory fragmentation that is generated by the Lsass.exe process

To reduce the virtual memory fragmentation that is generated by the Lsass.exe process, add the UseLowFragHeap registry entry to the following registry subkey, and then set the registry entry to 1. When you do this, the Lsass.exe processes uses the Low Fragmentation Heap algorithm. This algorithm minimizes heap fragmentation and improves heap-allocation performance.

To add the UseLowFragHeap registry entry and then set this registry entry to 1, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type UseLowFragHeap, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. On the Registry menu, click Exit to quit Registry Editor.
Notes
  • If you set the UseLowFragHeap registry entry to 0 (zero), or if the UseLowFragHeap registry entry does not exist, the Lsass.exe process does not use the Low Fragmentation Heap algorithm.
  • The core Low Fragmentation Heap algorithm is included in the hotfix that is described in article 816542 in the Microsoft Knowledge Base. You do not have to add a registry entry to enable the functionality of the core Low Fragmentation Heap algorithm.
Add the ThreadStateHeapSize registry entry to reduce the amount of virtual memory that the Lsass.exe process consumes when it processes LDAP requests

The Ntdsa.dll component that is included in this hotfix has been modified to create smaller thread state heaps. Instead of the default heap size of 8 megabytes (MB), you can now specify the heap size that you want.

To add the ThreadStateHeapSize registry entry, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type ThreadStateHeapSize, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type the value that you want in bytes, and then click OK.
  7. On the Registry menu, click Exit to quit Registry Editor.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

MORE INFORMATION

For additional information about how hotfix packages are named, click the following article number to view the article in the Microsoft Knowledge Base:
816915  (http://support.microsoft.com/kb/816915/ ) New file naming schema for Microsoft Windows software update packages
For additional information about terminology that is used to describe Microsoft software updates, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Back to the top
Keywords: 
kbautohotfix kbqfe kbhotfixserver kbbug kbfix kbwin2000presp5fix KB842382
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations