The LLAWP.exe process is a child process of w3wp.exe (IIS). The LLAWP.exe process won't start until the first GET against a resource in the website where the web agent is configured (obviously, that is provided the web agent is enabled). So, I would not expect LLAWP.exe to start when IIS is started, but I would expect it to start after performing a GET against a resource in a web site in which the web agent is configured. So that part is working properly.
However, when you stop IIS, the w3wp.exe process will stop and any child processes tied to that parent e.g.. LLAWP.exe) will be stopped as well. If you stop IIS, and after a reasonable amount of time, the LLAWP process didn't stop, that would indicate that the LLAWP process was orphaned. In other words, the running w3wp.exe process was not the parent which invoked the currently running LLAWP.exe process. Therefore it is not one of its children. This means that at some point, IIS was started which spawned a w3wp.exe process. A GET was submitted to the resource and the w3wp process started LLAWP.exe. At some point w3wp was stopped, but the LLAWP child process tied to that w3wp PID was not.
You cannot run multiple LLAWP processes concurrently. The next time around, the w3wp process was started. Another GET was submitted. w3wp spawned LLAWP. However, the new LLAWP process found an existing LLAWP process already running, so it stopped. The orphaned llawp process remains running.
If you stop IIS, then kill the orphaned LLAWP process, then restart IIS and perform a GET, if the new LLAWP process is spawned, I'll assume things are working properly now.
If this is the case, then go into the Application Pool and set "DisallowOverlappingRotation = TRUE", then restart IIS. This shoudl prevent this issue from occurring in the future. In addition, is you are manually restarting IIS, then use (IISRESET /STOP), then wait for w3wp and LLAWP processes to stop. Then run (IISRESET /START). This will ensure a complete shutdown and restart.
This issue can occur under two conditions:
1) Application Pool recycles using a graceful restart. This means the process is instructed to complete its transaction prior to shutting down. On a busy web server, this can cause the LLAWP process to remain running while the new w3wp process is actually coming back online. If the new w3wp invokes a new LLAWP and the new LLAWP finds the old LLAWP the new LLAWP will stop and the old LLAWP becomes orphaned and runs perptually until it is killed or the server is restarted. Setting "DisallowOverlappingRotation = TRUE will prevent this from occurring.
2) If you run IISRESET, this executes a graceful restart as well. It is recommended that you run IISRESET /STOP, then wait for w3wp and LLAWP processes to stop, then stat IIS by running IISREST /START. I would do this even if you have 'DisallowOverlappingRotation = TRUE'
Set DisallowOverlappingRotation = TRUE in the Application Pool and perform a full stop and start of IIS and you should avoid this condition.