lsass.exe and w3wp.exe: Analyzing SSL performance in IIS 6.0

In several of the performance tuning projects I have done, the web pages with security settings such as SSL or Windows authentication are generally slow compared to other pages. In this post, I analyze how SSL performance can be monitored in IIS 6.0

As per the architecture of IIS 6.0, security related operations such as SSL, Windows Authentication, Kerberos, etc are executed by lsass.exe process, whereas all other operations are executed under a process called w3wp.exe. Whenever, a web page with SSL is requested, IIS transfers the control to lsass.exe process to encode or decode.


Architecture of IIS 6.0

Analyzing SSL performance:

For the web applications having SSL enabled, the performance of the SSL can be isolated from the performance of the normal web pages by monitoring lsass.exe process. One of the simple techniques to monitor the SSL performance is logging the Perfmon lsass.exe % processor time counter which is available under process counters. Below is the sample graph that shows the Overall CPU utilization observed on the web server and %CPU utilization contributed by the SSL.


In the above graph, the green curve represents the overall CPU obtained on the Web server and red curve represents the %CPU utilization of lsass.exe process. One can clearly see in the above graph that lsass.exe process is one of the major contributors for CPU. Monitor w3wp.exe process for pages with SSL disabled.

Note: Lsass.exe process is not used in the IIS 7.0. The architecture of IIS 7.0 is different and doesn’t utilize lsass.exe process for SSL authentication.