Forum Discussion
Windows Server 2025 DC — LSASS handle leak identified via WinDbg — authz!AuthzpDeQueueThreadWorker
Hello All!! I'm having a problem: LSASS crashes on a Windows Server 2025 Domain Controller. I identified what appears to be the root cause using WinDbg memory dump analysis. Sharing this hoping someone else has seen it or Microsoft can confirm.
The Problem
LSASS handle count grows continuously over time and eventually crashes with a 0xC0000005 access violation (Event ID 1015). After a reboot the cycle repeats. The growth rate correlates with authentication load: faster during peak hours, slower overnight.
WinDbg Dump Analysis
Captured LSASS dump at high handle count and ran !handle 0 f:
Token handles: overwhelmingly dominant
Everything else: negligible
Every leaked token shows:
GrantedAccess: 0x8 (TOKEN_QUERY only)
PointerCount: overflowed to negative integer
Running !findstack authz 2 shows multiple worker threads all sitting in:
authz!AuthzpDeQueueThreadWorker
What Was Tested And Eliminated
Stopped or disabled each individually and measured handle growth rate — zero meaningful difference from any:
- Antivirus (all components)
- Backup software
- Application services
- VSS snapshots
- Hardware management agents, etc.
Environment
OS: Windows Server 2025, fully patched with the latest updates including April LSASS update.
Role: Domain Controller DNS
PAM: Not active.
Conclusion
Token handles are opened with TOKEN_QUERY access inside authz!AuthzpDeQueueThreadWorker and never released. The reference counter overflows to a negative integer. Growth rate scales directly with authentication load.
Current workaround: reboots during off hours.
Has anyone else seen this pattern on Windows Server 2025? Is there a known fix or Microsoft acknowledgment for this specific authz token handle leak?
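
The tally described in the post can be reproduced from saved `!handle 0 f` text. The following is an added example, not part of the original post: it assumes the usual user-mode WinDbg record layout, the sample records are constructed, and the function name `summarize` is hypothetical.

```python
import re
from collections import Counter
# Constructed sample shaped like user-mode WinDbg `!handle 0 f` output
# (illustrative values; Attributes and Name lines omitted for brevity).
SAMPLE = """\
Handle 0000000000000004
  Type          Event
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65537
Handle 0000000000000a10
  Type          Token
  GrantedAccess 0x8:
         None
         Query
  HandleCount   1
  PointerCount  -2147450881
Handle 0000000000000a14
  Type          Token
  GrantedAccess 0x8:
         None
         Query
  HandleCount   1
  PointerCount  -2147450880
"""

FIELD = re.compile(r"^\s+(Type|GrantedAccess|PointerCount)\s+(\S+)")

def summarize(text):
    """Tally handles by (type, access mask); list handles with negative PointerCount."""
    by_kind, negative, cur = Counter(), [], None
    for line in text.splitlines():
        if line.startswith("Handle "):            # start of a new handle record
            cur = {"handle": line.split()[1]}
        elif cur is not None and (m := FIELD.match(line)):
            key, val = m.group(1), m.group(2).rstrip(":")
            cur[key] = val
            if key == "PointerCount":             # last field needed for this record
                by_kind[(cur.get("Type"), int(cur.get("GrantedAccess", "0"), 16))] += 1
                if int(val) < 0:
                    negative.append(cur["handle"])
                cur = None
    return by_kind, negative

if __name__ == "__main__":
    kinds, neg = summarize(SAMPLE)
    print(kinds.most_common(), neg)
```

Running it over output captured at two different times and comparing the `("Token", 0x8)` count gives a per-type growth figure rather than only the process-wide handle total.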