1

I ran into an issue with my API generating a huge CPU load of lsass.exe The environment :

  • Windows Server 2016
  • .NET Core 2.2 (aslo tested with .NET Core 3.0)

In order to investigate it, I created a new ASP.NET Core website using the default template (dotnet new web). I updated Kestrel configuration to look like this :

public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.ConfigureKestrel((context, options) =>
                    {
                        options.AddServerHeader = false;
                        options.Listen(IPAddress.Any, 5001, listenOptions =>
                        {
                            listenOptions.UseHttps(StoreName.My, "*.mycertificate.domain", false, StoreLocation.LocalMachine);
                        });
                    })
                    .UseStartup<Startup>();
                });

Alongisde this website, i created a load test using JMeter in order to hit the website with this load :

Users load

When running the test browsing the homepage of the website, the result is having the lsass.exe process to heavily use the CPU close the 100%.

I ran others tests using those configurations and the result is still the same

  • Kestrel using different ways to load the certificate
  • IIS using InProcess website with a https binding on the certificate
  • HTTP.sys

Any ideas on how to configure properly https on aspnet-core to create a heavy load API ? Thanks for your help

magicandre1981
  • 27,895
  • 5
  • 86
  • 127
Mathieu Lutun
  • 11
  • 1
  • 5
  • 1
    LSASS is the local authentication service for *Windows* in general. It has nothing to do wtih ASP.NET Core. Unless you put the web site on the DC itself, it shouldn't use a lot of CPU. High CPU is typically caused by domain problems, slow domain controllers, misconfigured server clocks etc. Typically, it's able to authenticate and validate tokens against its cache. If it can't, it has to contact the DC, perhaps try alternative strategies until it can decide whether to allow access or not. That's why DC problems and bad clocks can cause high CPU and RAM usage – Panagiotis Kanavos Oct 16 '19 at 13:18
  • 1
    Check [What is LSASS.exe? And why does it take a lot of memory and CPU time?](https://serverfault.com/questions/19331/what-is-lsass-exe-and-why-does-it-take-a-lot-of-memory-and-cpu-time) in Serverfault and [How to Troubleshoot High LSASS.EXE CPU Utilization on an Active Directory Domain Controllers](https://support.microsoft.com/en-us/help/2550044/how-to-troubleshoot-high-lsass-exe-cpu-utilization-on-an-active-direct) in Microsoft Support – Panagiotis Kanavos Oct 16 '19 at 13:18
  • analyze [CPU usage with Windows Performance Recorder/Analyzer](https://stackoverflow.com/a/42349119/1466046) – magicandre1981 Oct 16 '19 at 14:57
  • have you analyzed the CPU usage? which module/function cause the cpu usage in lsass? – magicandre1981 Oct 23 '19 at 15:04
  • @PanagiotisKanavos that conclusion was incorrect, as LSASS plays key roles in HTTPS request processing. So when certain kinds of certificates are used and LSASS needs a lot of resources to process the keys, then high CPU usage can be observed. There are many discussions over the internet about similar scenarios, such as https://techhelpnotes.com/windows-server-2012-r2-lsass-exe-https-iis-and-high-concurrent-connections/ where reducing RSA key size reduced CPU usage. – Lex Li Sep 08 '22 at 07:56
  • @LexLi and as the answer shows, the problem had nothing to do with HTTPS. The question wasn't about a web server with high concurrency. LSASS is used by a *lot* of other processes, not just networking. – Panagiotis Kanavos Sep 08 '22 at 08:00
  • @PanagiotisKanavos but that's not even the same user, so I won't consider it "the answer". – Lex Li Sep 08 '22 at 08:01
  • Neither is the link you posted. LSASS is used indirectly by almost every other service on Windows. I posted link to `many discussions over the internet about similar scenarios` that have nothing to do with HTTPS – Panagiotis Kanavos Sep 08 '22 at 08:02
  • It matters a lot on the certificate used in your testing (which you didn't include in the question body). So when high CPU usage is observed on LSASS process, try to generate a different certificate and test again. – Lex Li Sep 08 '22 at 08:04
  • @PanagiotisKanavos then what do you say about https://stackoverflow.com/questions/73234817/lsass-exe-consuming-high-cpu-usage-in-web-server-with-asp-net-applications and https://social.msdn.microsoft.com/Forums/en-US/5d589c8a-792c-47ed-a8e2-a4d541f338ca/local-security-authority-process-lsass-heavy-cpu-load-through-https? I can paste more threads if needed. All question authors did enough testing to reveal the relationship between high CPU usage and HTTPS. – Lex Li Sep 08 '22 at 08:05

1 Answers1

0

Thanks for the reply, but i tried the below process and it worked. Now my idle CPU usage is always less than 5%.

  1. Go to Settings > System > Notifications & actions

  2. Turn off 'Show me tips about Windows'

  3. Restart

user15762585
  • 41
  • 2