Microsoft is investigating LSASS memory leaks
Microsoft has reported that latest Windows Server update cause problem. Memory leaks occurred after Latest Windows Server updates. Microsoft is investigating LSASS memory leaks (caused by Windows Server updates released during the November Patch Tuesday) that might lead to freezes and restarts on some domain controllers after Latest Windows Server updates.
New LSASS memory leak bug caused by the latest Windows updates
The company has recently confirmed that it’s investigating a new LSASS memory leak bug caused by the latest Windows updates that may trigger freezes and reboots on some domain controllers (DCs).
LSASS (short for Local Security Authority Subsystem Service) is responsible for enforcing security policies on Windows systems, and it handles access token creation, password changes, and user logins. If this service crashes, logged-in users immediately lose access to Windows accounts on the machine, and they’re shown a system restart error followed by a system reboot.
The whole thing is being caused by update KB5019966, which was released on November 8 as part of this month’s Patch Tuesday update. After installing KB5019966 or later updates on Domain Controllers (DCs), you might experience a memory leak with Local Security Authority Subsystem Service (LSASS,exe). Depending on the workload of your DCs and the amount of time since the last restart of the server, “LSASS might use more memory over time and the DC might become unresponsive or automatically restart,” Microsoft explains on the Windows Health dashboard.
The out-of-band updates for DCs released November 17, 2022 and November 18, 2022 might be affected by this issue,” Microsoft explains. Software giant says it’s already working on a fix, and it will be included in an upcoming update. No information on its ETA has been shared though.
Windows Server systems are affected, including the following:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2 SP1
- Windows Server 2008 SP2
The client versions of Windows are not impacted due to this. Microsoft is working on a resolution and says it will provide an update with an upcoming release.
Available Workaround
How to fix LSASS memory leak issues on domain controllers:
Until a fix is available to address this LSASS memory leak issue, the company also provides a temporary solution. However, IT admins can turn to a simple workaround to resolve the glitch and to allow them to handle domain controller instability.
The company recommends everyone to launch a Command Prompt window with administrator privileges and run the following command to set the registry key called KrbtgtFullPacSignature and therefore stop the memory leak. This workaround requires admins to set the said registry key to 0 using the following command:
reg add “HKLM\System\CurrentControlSet\services\KDC” -v “KrbtgtFullPacSignature” -d 0 -t REG_DWORD
“Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow,” Microsoft added.
“It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.”