On a Microsoft Windows 2000-based domain controller, memory
usage may continue to increase, and you may have to periodically restart the
server. If you use System Monitor to view the Local Security Authority Service
process (Lsass.exe), you may see that memory usage for the Lsass.exe process
continues to increase. The following Error event may also be logged in the
Event Source: NTDS General
Event Category: None
Error 8(8) has occurred (Internal ID 3020239). Please
contact Microsoft Product Support Services for assistance.
To monitor the Lsass.exe process, see the Process\Private Bytes
and the Process\Virtual Bytes performance counters in System
This problem may occur when event tracing for Security
Accounts Manager (SAM) events is enabled. When event tracing for SAM events is
enabled, the remote procedure call (RPC) binding is not released. Therefore, a
memory leak occurs in the Lsass.exe process.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix. Note
If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note
The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
No prerequisites are required.
You must restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
The English version of this hotfix has the file
attributes (or later file attributes) that are listed in the following table.
The dates and times for these files are listed in coordinated universal time
(UTC). When you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time
tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
24-Mar-2004 02:17 5.0.2195.6876 388,368 Advapi32.dll
24-Mar-2004 02:17 5.0.2195.6866 69,904 Browser.dll
24-Mar-2004 02:17 5.0.2195.6824 134,928 Dnsapi.dll
24-Mar-2004 02:17 5.0.2195.6876 92,432 Dnsrslvr.dll
24-Mar-2004 02:17 5.0.2195.6883 47,888 Eventlog.dll
24-Mar-2004 02:17 5.0.2195.6890 143,632 Kdcsvc.dll
11-Mar-2004 02:37 5.0.2195.6903 210,192 Kerberos.dll
21-Sep-2003 00:32 5.0.2195.6824 71,888 Ksecdd.sys
11-Mar-2004 02:37 5.0.2195.6902 520,976 Lsasrv.dll
25-Feb-2004 23:59 5.0.2195.6902 33,552 Lsass.exe
19-Jun-2003 20:05 5.0.2195.6680 117,520 Msv1_0.dll
24-Mar-2004 02:17 5.0.2195.6897 312,592 Netapi32.dll
19-Jun-2003 20:05 5.0.2195.6695 371,984 Netlogon.dll
24-Mar-2004 02:17 5.0.2195.6896 1,028,880 Ntdsa.dll
25-Aug-2004 09:48 5.0.2195.6970 392,976 Samsrv.dll
24-Mar-2004 02:17 5.0.2195.6893 111,376 Scecli.dll
24-Mar-2004 02:17 5.0.2195.6903 253,200 Scesrv.dll
04-Jun-2004 23:13 5.0.2195.6935 5,887,488 Sp3res.dll
24-Mar-2004 02:17 5.0.2195.6824 50,960 W32time.dll
21-Sep-2003 00:32 5.0.2195.6824 57,104 W32tm.exe
To work around this problem, disable event tracing for SAM
has confirmed that this is a problem in the Microsoft products that are listed
in the "Applies to" section.
To determine whether event tracing is turned on for SAM
events, run the tracelog.exe -l
command. This command lists all the trace sessions that are
active. The output that this command produces does not identify the events
where event tracing is enabled. However, you can use the information that is
contained in the Logger Name
field to determine the
application that turned tracing on. You can also stop all tracing sessions by
running the tracelog.exe -x
The Tracelog.exe utility is provided with the Windows 2000
Resource Kit. For more information about the Windows 2000 Resource Kit, visit
the following Microsoft Web site:
For additional information about the
standard terminology that is used to describe Microsoft software updates, click
the following article number to view the article in the Microsoft Knowledge
Description of the standard terminology that is used to describe Microsoft software updates