My company recently experienced a problem in which administrators and help desk technicians had trouble opening User Manager and Server Manager. The tools typically wouldn't open and generated a timeout error; if the tools did open, the process took 30-60 seconds.

We checked our Windows NT PDC and noticed that lsass.exe was using 90 percent to 99 percent of the CPU. Lsass authenticates logon credentials that the Winlogon process passes against the SAM or other authentication packages. We rebooted the PDC, and the problem appeared to be resolved. However, the problem resurfaced a few days later.

We then used a previously created Performance Monitor baseline to check the Process object. We used the Working Set, Page File Bytes, Pool Nonpaged Bytes, Pool Paged Bytes, and Thread Count counters to check Lsass's usage. Comparing our baseline with real-time performance showed that we had a memory leak.

We found the Microsoft article "Windows NT Primary Domain Controller May Leak Memory in Lsass.exe" (http://support.microsoft.com/?kbid=303874), which discusses this problem and the related hotfix. We installed the hotfix and rebooted the PDC, and we've since had no problems with Lsass on the PDC.
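
The baseline comparison described above, sketched as an added example (not part of the original letter, and not a Microsoft tool). The CSV layout, the sample values, and the `growth` and `rising` thresholds are assumptions made for illustration; only the counter names come from the text.

```python
import csv
import io

# Counters the text lists for the Process object, lsass instance.
COUNTERS = ["Working Set", "Page File Bytes", "Pool Nonpaged Bytes",
            "Pool Paged Bytes", "Thread Count"]
HEADER = "Time," + ",".join(COUNTERS) + "\n"

# Constructed sample data (not from the page): a saved baseline ...
BASELINE_CSV = HEADER + """\
09:00,8000000,6000000,40000,30000,20
10:00,8200000,6100000,41000,30500,22
11:00,8100000,6050000,40500,30200,21
"""
# ... and constructed samples taken while the tools were timing out.
CURRENT_CSV = HEADER + """\
09:00,9000000,7000000,40000,30000,21
10:00,12000000,10000000,41000,36000,23
11:00,15000000,13000000,40000,42000,20
12:00,18000000,16000000,42000,48000,22
13:00,21000000,19000000,41000,54000,21
14:00,24600000,24400000,41000,61000,22
"""

def load(text):
    """Parse the CSV into {counter: [values in time order]}."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return {c: [float(r[c]) for r in rows] for c in COUNTERS}

def leak_suspects(baseline, current, growth=1.5, rising=0.8):
    """Flag counters that ended at >= growth x the baseline peak AND rose
    in >= `rising` of the sample-to-sample intervals (assumed thresholds)."""
    suspects = {}
    for c in COUNTERS:
        vals = current[c]
        steps = list(zip(vals, vals[1:]))
        up_share = sum(b > a for a, b in steps) / len(steps)
        ratio = vals[-1] / max(baseline[c])
        if ratio >= growth and up_share >= rising:
            suspects[c] = round(ratio, 2)
    return suspects

if __name__ == "__main__":
    for name, ratio in leak_suspects(load(BASELINE_CSV), load(CURRENT_CSV)).items():
        print(f"{name}: {ratio}x baseline peak, still climbing")
```

Requiring both conditions keeps a counter that merely fluctuates around its baseline, such as Thread Count in the sample, from being flagged.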