High memory usage even after the ‘readlog’ registry key is set to 0

Account Lockout Examiner

Registry changes have been applied per KB600, but the memory usage is still very high.

Account Lockout Examiner tracks events from the security log and then processes them to extract information such as the account name, workstation name, IP address, etc.

These issues are caused by very high activity in the environment: the number of events to track exceeds what the Account Lockout Examiner service can process, so a queue builds up in memory.

In most cases such activity is caused by a few accounts (usually one or two “problem” accounts) that generate too many invalid logons per second.

First, try to perform additional tuning of the product via the registry. On the Account Lockout Examiner host machine:

  1. Run Registry Editor (regedit)
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\NetWrix\Account Lockout Examiner (the Wow6432Node subkey applies only to x64 OS)
  3. Make sure “LockoutStatusRefreshPeriod” is set to 0
  4. Set “InvLogonCleaningPeriod” to a decimal value of 10 or lower
  5. Set “invLogonKeepTime” to a decimal value of 10 or lower
  6. Create a DWORD value called “PF_Enabled” and set it to 0 (do this if you are not interested in the name of the process causing the invalid logons)
  7. Restart the NetWrix Account Lockout Examiner service via Services.msc

The second step is to check the product logs to find out whether there are any issues in your environment.

NOTE. If you have a valid support contract, feel free to contact Netwrix Technical support.

  1. Go to the Tracing subfolder of the Account Lockout Examiner installation directory.
  2. Open ALEService.log with a text editor (Notepad++, for example)
  3. Count the number of invalid logons

Every tracked invalid logon event is logged with the following string:

ALEService.exe Information: 0 : [TID, <timestamp>] EVENT WATCHING INFO: Logon failure event: <EventRecordID> from <servername>. NTAccount: <accountname>. Time generated: <event timestamp>

This means that the service tracked an invalid logon event for <accountname> from the security log of <servername>. The event was generated at <event timestamp> and has the record ID <EventRecordID>.

Verify that no account is generating several invalid logons per second. If one is, identify the account and check the DC security logs for the details of its invalid logons to determine the root cause of the excessive number of failures generated by that account.
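
One way to do the count from step 3 above, as an added PowerShell example that is not part of this article or of the product: it parses the quoted ALEService.log line layout, totals invalid logons per account and flags any account that produced several within a single second. The installation path, the threshold of 3 and the timestamp format used in the constructed sample lines are assumptions; adjust them to your environment.

```powershell
# Added example (not Netwrix code): summarise ALEService.log entries per account and flag
# accounts that produce several tracked invalid logons within one second.
# Assumptions: the install path, the threshold and the timestamp format are placeholders.
$LogPath = 'C:\Program Files (x86)\NetWrix\Account Lockout Examiner\Tracing\ALEService.log'
$PerSecondThreshold = 3   # what counts as "several per second" here; tune for your environment

# Matches the "EVENT WATCHING INFO" line layout quoted in this article
$pattern = 'Logon failure event: (?<RecordId>\d+) from (?<Server>.+?)\. NTAccount: (?<Account>.+?)\. Time generated: (?<Time>.+)$'

function Get-InvalidLogonSummary {
    param([string[]]$Lines, [int]$Threshold = 3)
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $parsed = [datetime]::MinValue
            $ok = [datetime]::TryParse($Matches['Time'], [ref]$parsed)
            # bucket by whole second; keep the raw string if the timestamp format is unknown
            $second = if ($ok) { $parsed.ToString('yyyy-MM-dd HH:mm:ss') } else { $Matches['Time'] }
            [pscustomobject]@{
                Account  = $Matches['Account']
                Server   = $Matches['Server']
                RecordId = [int64]$Matches['RecordId']
                Second   = $second
            }
        }
    }
    foreach ($g in ($events | Group-Object Account | Sort-Object Count -Descending)) {
        # largest number of failures this account produced within a single second
        $peak = [int]($g.Group | Group-Object Second | Measure-Object Count -Maximum).Maximum
        [pscustomobject]@{
            Account       = $g.Name
            TotalFailures = $g.Count
            PeakPerSecond = $peak
            Servers       = ($g.Group.Server | Sort-Object -Unique) -join ','
            Suspicious    = ($peak -ge $Threshold)
        }
    }
}

# Constructed sample lines in the quoted format; real input is Get-Content $LogPath
$sample = @(
  'ALEService.exe Information: 0 : [12, 2024-01-14 10:15:03.120] EVENT WATCHING INFO: Logon failure event: 418201 from DC01.corp.example. NTAccount: CORP\svc_backup. Time generated: 2024-01-14 10:15:03',
  'ALEService.exe Information: 0 : [12, 2024-01-14 10:15:03.180] EVENT WATCHING INFO: Logon failure event: 418202 from DC01.corp.example. NTAccount: CORP\svc_backup. Time generated: 2024-01-14 10:15:03',
  'ALEService.exe Information: 0 : [12, 2024-01-14 10:15:03.410] EVENT WATCHING INFO: Logon failure event: 418203 from DC01.corp.example. NTAccount: CORP\svc_backup. Time generated: 2024-01-14 10:15:03',
  'ALEService.exe Information: 0 : [12, 2024-01-14 10:15:04.002] EVENT WATCHING INFO: Logon failure event: 92117 from DC02.corp.example. NTAccount: CORP\svc_backup. Time generated: 2024-01-14 10:15:04',
  'ALEService.exe Information: 0 : [12, 2024-01-14 10:16:40.555] EVENT WATCHING INFO: Logon failure event: 418250 from DC01.corp.example. NTAccount: CORP\jdoe. Time generated: 2024-01-14 10:16:39'
)
Get-InvalidLogonSummary -Lines $sample -Threshold $PerSecondThreshold | Format-Table -AutoSize
# For the real log: Get-InvalidLogonSummary -Lines (Get-Content $LogPath) -Threshold $PerSecondThreshold
```

In the constructed sample, CORP\svc_backup shows three failures in the same second and is flagged, which is the kind of account to look up in the DC security logs next.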

NOTE. The most common reason for this is failed domain relationships – a machine account tries to authenticate to the domain but is not able to.