After installing the November Updates for Windows Server, a memory leak may occur in the LSASS service, which can eventually cause domain controllers to hang and reboot. The LSASS service (short for Local Security Authority Subsystem Service) is responsible for enforcing security policies, handling token creation, password changes, and user authorization in the system.
After installing KB5019966 or later updates on Domain Controllers (DCs), you might experience a memory leak with Local Security Authority Subsystem Service (LSASS,exe). Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of your server and the server might become unresponsive or automatically restart. Note: The out-of-band updates for DCs released November 17, 2022 and November 18, 2022 might be affected by this issue.
The issue affects Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2. Installing out-of-band updates that were released to resolve authorization issues on domain controllers does not fix the memory leak. Microsoft is still working on a solution.
As a workaround, you can set the KrbtgtFullPacSignature Registry value to 0 with the following command:
reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
Issue it as Administrator.
After the release of the hotfix, you need to set a higher value for the key KrbtgtFullPacSignature, following the reference table below.
- 0 – Disabled
- 1 – New signatures are added, but not verified. (Default setting)
- 2 - Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.
- 3 - Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created.
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: