So, you say your DC’s memory is getting all used up after installing November 2022 security update

Hello, Chris here from Directory Services support team with part 2 of the series.

After installing the November 2022/Out of Band update on your domain controllers you might experience a memory leak happening within LSASS.exe (Local Security Authority Subsystem Service).  This could affect performance, cause operational failures, and/or reliability issues. 

If you have already patched your domain controllers, the December 13, 2022 security update should resolve the known memory leak that is happening within LSASS.exe at this time.  See table below, however if you do not currently feel comfortable with doing this please read the below:  

OSResolving Rollup KBResolving Security Only Update
Windows 5021237N/A
Windows 5021235N/A
2012 R250212945021296
Windows Server 201250212855021303
Windows Server 2008 R250212915021288
Windows Server 200850212895021293

To briefly summarize the below, there is currently a registry key workaround for the memory leak.  If you haven't installed the December update or newer yet, you can use the registry key to avoid this problem.  Run the following commands in an elevated command prompt on all of your domain controllers:

reg add “HKLMSystemCurrentControlSetservicesKDC” -v “KrbtgtFullPacSignature” -d 0 -t REG_DWORD

The above registry change will stop the memory leak without stopping and starting the KDC Service.  It WILL NOT free up memory that has already been leaked within LSASS.  So, it is recommended that a reboot be done of the when it is feasible to do so.

Note: Once you have installed the patch that resolves this known issue, you should either remove this value or set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow. It is recommended to enable Enforcement mode as soon as your environment is ready. See: KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

If you want to see if you're affected by this specific memory issue, check for constant increases of this performance counter within Perfmon.exe to see if it is constantly rising: 

Process(lsass)Private Bytes

You will want to monitor “Private Bytes” for LSASS over a period of time.  If this value just keeps increasing after installation of the November 2022/OOB update, then you are more than likely affected by this issue.  Normal behavior should be that this value should go up during higher loads on the DC and then go down when the DC is not being utilized overtime. Please be aware that domain controllers will, by default, attempt to cache as much of the database in memory as possible. See the linked section of Memory usage considerations in AD DS performance tuning | Microsoft Learn.

Information about the changes made to Privilege Attribute (PAC) with the November 2022 security update:
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

Links to operating system versions affected by this issue:

Introduction to this blog series: 

Part 3 of this blog series: 


This article was originally published by Microsoft's Directory Services Team. You can find the original article here.