Windows Server

Celia Catalán



On March 12, Microsoft released an update for Windows Server 2022 that is causing problems on domain controllers.

Since that day, many users have been warning on Reddit that servers freeze and restart unexpectedly due to a memory leak in the LSASS (Local Security Authority Subsystem Service) process.

The specific problem, according to users who have reported it, is: “Since installing the March updates (Exchange and regular Windows Server updates), most of our DCs show constantly increasing LSASS memory usage (until they die).”

The LSASS service is the process responsible for enforcing security policy on Windows systems: it verifies users logging in, manages password changes, and creates access tokens. Excessive load on the service may be caused by the following conditions:

  • You have many external trusts and many simultaneous login requests.
  • These login requests do not specify the domain name.

This can lead to delays or crashes during authentication, or even reboots when the system's memory usage limit is reached.

This issue alarms users because LSASS is a crucial system file that is often impersonated by malware. The service runs from the Windows\System32 directory, so if it runs from another directory, it is most likely a virus.

The related updates are KB5035855 (Windows Server 2016) and KB5035857 (Windows Server 2022). However, on March 20, Microsoft acknowledged that the issue affects all domain controller servers with the latest updates: Windows Server 2022, 2019, 2016 and 2012 R2.
According to Microsoft: “This is observed when on-premises and cloud-based Active Directory domain controllers service Kerberos authentication requests. Extreme memory leaks can cause LSASS to fail, triggering an unscheduled reboot of the underlying domain controllers (DCs).”

Temporary remedy

As of the writing of this article, Microsoft has not yet published a fix for this serious memory leak. For the moment, the temporary solution is to not install the updates, or to roll back to a previous update if they have already been installed.

To roll back, open a terminal with administrator permissions and, depending on which update has been installed on the affected domain controllers, execute one of these commands:
  • wusa /uninstall /kb:5035855
  • wusa /uninstall /kb:5035849
  • wusa /uninstall /kb:5035857
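
Before rolling back, an administrator can confirm which of the listed updates is present, that LSASS runs from System32, and whether its memory is steadily growing. The PowerShell below is an added example, not from the original article or from Microsoft; the sample count, interval and growth threshold are assumed values.

```powershell
# Added example: triage a domain controller for the LSASS leak described above.
# Assumed values (not from the article): sample count, interval, growth threshold.
$SuspectKbs  = 'KB5035855', 'KB5035849', 'KB5035857'   # updates named in the article
$Samples     = 6
$IntervalSec = 600
$MinGrowthMB = 50

# 1. Which of the listed updates are installed on this server?
$installed = Get-HotFix | Where-Object { $SuspectKbs -contains $_.HotFixID }
if ($installed) {
    $installed | Select-Object HotFixID, InstalledOn | Out-Host
} else {
    Write-Output 'None of the listed updates are installed.'
}

# 2. Does every lsass.exe run from %SystemRoot%\System32?
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" | ForEach-Object {
    if (-not $_.ExecutablePath) {
        Write-Warning "PID $($_.ProcessId): path not readable, rerun from an elevated session"
    } elseif ($_.ExecutablePath -ne $expected) {   # -ne is case-insensitive for strings
        Write-Warning "PID $($_.ProcessId): unexpected path $($_.ExecutablePath)"
    } else {
        Write-Output "PID $($_.ProcessId): running from $expected"
    }
}

# 3. Sample LSASS private memory and flag steady growth.
$readings = foreach ($i in 1..$Samples) {
    $bytes = (Get-Process -Name lsass | Measure-Object PrivateMemorySize64 -Maximum).Maximum
    [pscustomobject]@{ Time = Get-Date; PrivateMB = [math]::Round($bytes / 1MB, 1) }
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSec }
}
$readings | Out-Host

# Growth counts only if every sample is higher than the one before it.
$rising = $true
for ($i = 1; $i -lt $readings.Count; $i++) {
    if ($readings[$i].PrivateMB -le $readings[$i - 1].PrivateMB) { $rising = $false }
}
$growth = [math]::Round($readings[-1].PrivateMB - $readings[0].PrivateMB, 1)
if ($rising -and $growth -ge $MinGrowthMB) {
    Write-Warning "LSASS private memory rose in every sample (change: $growth MB), consistent with the leak"
} else {
    Write-Output "No steady LSASS growth over the sampling window (change: $growth MB)."
}
```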

Conclusion

This problem with the LSASS process is not new; it has occurred on several occasions, such as:
  • In November 2022, Microsoft released an update that affected the servers, causing them to freeze and restart.
  • In March 2022, Microsoft fixed another LSASS bug that caused reboots on Windows Server DCs.
Judging by how Microsoft handles its patches, everything indicates that this problem will be solved in the next April update.

Javier Muñoz, Cybersecurity Analyst at Zerolynx.