Discussion:
lsass.exe terminated - restart of computer
(too old to reply)
e1
2008-07-07 16:21:00 UTC
Permalink
I've got several Server 2003 Std SP2 systems running AD that reboot
arbitrarily maybe once or twice a week. It seems to be getting more frequent
now too. I get the same event IDs every single time in the System and
Application event logs. I've run virus scans, used MBSA, ran the Malicious
Software Removal Tool, and installed hotfix 927342. Yet, despite everything
I've tried, searched endlessly on google for a solution, I cannot seem to
figure this problem out.

Here's some other info about my environment:

* 8 total DCs
* 6 sites
* 3 GCs (all of the GCs are in the same site - central datacenter) - the
other 5 DCs are have Universal group membership cacheing enabled
* 2 Exchange Servers - backend cluster and frontend OWA

Here's the events I'm seeing and it seems to be related to a problem with
lsass.exe:

Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 7/7/2008
Time: 10:10:43 AM
User: N/A
Computer:
Description:
The security package Negotiate generated an exception. The exception
information is the data.


Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 7/7/2008
Time: 10:11:31 AM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
The process winlogon.exe has initiated the restart of computer on behalf of
user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
unexpectedly with status code -1073741819. The system will now shut down and
restart.

Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 7/7/2008
Time: 10:11:25 AM
User: N/A
Computer:
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status
code c0000005. The machine must now be restarted.


Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 7/7/2008
Time: 10:10:53 AM
User: N/A
Computer:
Description:
Faulting application lsass.exe, version 5.2.3790.0, faulting module
ntdll.dll, version 5.2.3790.3959, fault address 0x0001950e.

Has anyone else seen or experienced this problem? I'd appreciate your help.
oz.ozugurlu
2008-07-07 18:00:02 UTC
Permalink
Every research I have done leading me the conclusion of some type of virus
infection forcing/LSAS to shutdown and resulting your DC to reboot. If none
if these remedies to current problem, I would get PS support on this
Did you install this hot-fix below?
http://support.microsoft.com/?id=818080
http://support.microsoft.com/?kbid=826955
Try this if you have not done it so -----W32.Blaster.Worm Removal Too
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-9
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050315-1907-99
Good luck
--oz
--
Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +


***@SMTp25.org
http://smtp25.blogspot.com (Blog)
Post by e1
I've got several Server 2003 Std SP2 systems running AD that reboot
arbitrarily maybe once or twice a week. It seems to be getting more frequent
now too. I get the same event IDs every single time in the System and
Application event logs. I've run virus scans, used MBSA, ran the Malicious
Software Removal Tool, and installed hotfix 927342. Yet, despite everything
I've tried, searched endlessly on google for a solution, I cannot seem to
figure this problem out.
* 8 total DCs
* 6 sites
* 3 GCs (all of the GCs are in the same site - central datacenter) - the
other 5 DCs are have Universal group membership cacheing enabled
* 2 Exchange Servers - backend cluster and frontend OWA
Here's the events I'm seeing and it seems to be related to a problem with
Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 7/7/2008
Time: 10:10:43 AM
User: N/A
The security package Negotiate generated an exception. The exception
information is the data.
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 7/7/2008
Time: 10:11:31 AM
User: NT AUTHORITY\SYSTEM
The process winlogon.exe has initiated the restart of computer on behalf of
user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
unexpectedly with status code -1073741819. The system will now shut down and
restart.
Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 7/7/2008
Time: 10:11:25 AM
User: N/A
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status
code c0000005. The machine must now be restarted.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 7/7/2008
Time: 10:10:53 AM
User: N/A
Faulting application lsass.exe, version 5.2.3790.0, faulting module
ntdll.dll, version 5.2.3790.3959, fault address 0x0001950e.
Has anyone else seen or experienced this problem? I'd appreciate your help.
ez1
2008-07-07 18:49:01 UTC
Permalink
Post by oz.ozugurlu
Every research I have done leading me the conclusion of some type of virus
infection forcing/LSAS to shutdown and resulting your DC to reboot. If none
if these remedies to current problem, I would get PS support on this
Did you install this hot-fix below?
http://support.microsoft.com/?id=818080
http://support.microsoft.com/?kbid=826955
Try this if you have not done it so -----W32.Blaster.Worm Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050315-1907-99
Good luck
--oz
--
Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com (Blog)
Post by e1
I've got several Server 2003 Std SP2 systems running AD that reboot
arbitrarily maybe once or twice a week. It seems to be getting more frequent
now too. I get the same event IDs every single time in the System and
Application event logs. I've run virus scans, used MBSA, ran the Malicious
Software Removal Tool, and installed hotfix 927342. Yet, despite everything
I've tried, searched endlessly on google for a solution, I cannot seem to
figure this problem out.
* 8 total DCs
* 6 sites
* 3 GCs (all of the GCs are in the same site - central datacenter) - the
other 5 DCs are have Universal group membership cacheing enabled
* 2 Exchange Servers - backend cluster and frontend OWA
Here's the events I'm seeing and it seems to be related to a problem with
Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 7/7/2008
Time: 10:10:43 AM
User: N/A
The security package Negotiate generated an exception. The exception
information is the data.
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 7/7/2008
Time: 10:11:31 AM
User: NT AUTHORITY\SYSTEM
The process winlogon.exe has initiated the restart of computer on behalf of
user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
unexpectedly with status code -1073741819. The system will now shut down and
restart.
Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 7/7/2008
Time: 10:11:25 AM
User: N/A
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status
code c0000005. The machine must now be restarted.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 7/7/2008
Time: 10:10:53 AM
User: N/A
Faulting application lsass.exe, version 5.2.3790.0, faulting module
ntdll.dll, version 5.2.3790.3959, fault address 0x0001950e.
Has anyone else seen or experienced this problem? I'd appreciate your help.
ez1
2008-07-07 18:52:01 UTC
Permalink
Hi, thanks for your reply. I will check the things you listed below. I'm
also running a network trace to see if there's anything connecting to the
server that would cause this. Do you think an infected PC on our network
could be causing this? I'm wondering if we have a PC that's infected,
connecting to the DC, and forcing it to reboot.
Post by oz.ozugurlu
Every research I have done leading me the conclusion of some type of virus
infection forcing/LSAS to shutdown and resulting your DC to reboot. If none
if these remedies to current problem, I would get PS support on this
Did you install this hot-fix below?
http://support.microsoft.com/?id=818080
http://support.microsoft.com/?kbid=826955
Try this if you have not done it so -----W32.Blaster.Worm Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050315-1907-99
Good luck
--oz
--
Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com (Blog)
Post by e1
I've got several Server 2003 Std SP2 systems running AD that reboot
arbitrarily maybe once or twice a week. It seems to be getting more frequent
now too. I get the same event IDs every single time in the System and
Application event logs. I've run virus scans, used MBSA, ran the Malicious
Software Removal Tool, and installed hotfix 927342. Yet, despite everything
I've tried, searched endlessly on google for a solution, I cannot seem to
figure this problem out.
* 8 total DCs
* 6 sites
* 3 GCs (all of the GCs are in the same site - central datacenter) - the
other 5 DCs are have Universal group membership cacheing enabled
* 2 Exchange Servers - backend cluster and frontend OWA
Here's the events I'm seeing and it seems to be related to a problem with
Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 7/7/2008
Time: 10:10:43 AM
User: N/A
The security package Negotiate generated an exception. The exception
information is the data.
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 7/7/2008
Time: 10:11:31 AM
User: NT AUTHORITY\SYSTEM
The process winlogon.exe has initiated the restart of computer on behalf of
user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
unexpectedly with status code -1073741819. The system will now shut down and
restart.
Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 7/7/2008
Time: 10:11:25 AM
User: N/A
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status
code c0000005. The machine must now be restarted.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 7/7/2008
Time: 10:10:53 AM
User: N/A
Faulting application lsass.exe, version 5.2.3790.0, faulting module
ntdll.dll, version 5.2.3790.3959, fault address 0x0001950e.
Has anyone else seen or experienced this problem? I'd appreciate your help.
Brandon McCombs
2008-07-08 02:32:41 UTC
Permalink
Post by e1
I've got several Server 2003 Std SP2 systems running AD that reboot
arbitrarily maybe once or twice a week. It seems to be getting more frequent
now too. I get the same event IDs every single time in the System and
Application event logs. I've run virus scans, used MBSA, ran the Malicious
Software Removal Tool, and installed hotfix 927342. Yet, despite everything
I've tried, searched endlessly on google for a solution, I cannot seem to
figure this problem out.
* 8 total DCs
* 6 sites
* 3 GCs (all of the GCs are in the same site - central datacenter) - the
other 5 DCs are have Universal group membership cacheing enabled
* 2 Exchange Servers - backend cluster and frontend OWA
Here's the events I'm seeing and it seems to be related to a problem with
Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 7/7/2008
Time: 10:10:43 AM
User: N/A
The security package Negotiate generated an exception. The exception
information is the data.
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 7/7/2008
Time: 10:11:31 AM
User: NT AUTHORITY\SYSTEM
The process winlogon.exe has initiated the restart of computer on behalf of
user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
unexpectedly with status code -1073741819. The system will now shut down and
restart.
Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 7/7/2008
Time: 10:11:25 AM
User: N/A
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status
code c0000005. The machine must now be restarted.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 7/7/2008
Time: 10:10:53 AM
User: N/A
Faulting application lsass.exe, version 5.2.3790.0, faulting module
ntdll.dll, version 5.2.3790.3959, fault address 0x0001950e.
Has anyone else seen or experienced this problem? I'd appreciate your help.
I believe we had symptoms like this at work a few years back with a Dell
PowerEdge. Turned out the problem was a bad power supply I believe. Once
we fixed that the errors and auto reboots went away so we assumed the
power supply was at fault.

Loading...