LSASS & RDC Issue after update
Running Server 2003 X64 Std & Exchange 2007. I installed the following updates:
956844961371967723968816970653971557971657971961973507973540973815973869956744960859968389971032
After install the server would log the following error every 8 30mins:Event Type:ErrorEvent Source:Application ErrorEvent Category:(100)Event ID:1000Date:9/16/2009Time:9:38:28 AMUser:N/AComputer:###Description:Faulting application lsass.exe, version 5.2.3790.1830, faulting module msv1_0.dll, version 5.2.3790.4530, fault address 0x0000000000016df1.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.Data:0000: 41 70 70 6c 69 63 61 74 Applicat0008: 69 6f 6e 20 46 61 69 6c ion Fail0010: 75 72 65 20 20 6c 73 61 ure lsa0018: 73 73 2e 65 78 65 20 35 ss.exe 50020: 2e 32 2e 33 37 39 30 2e .2.3790.0028: 31 38 33 30 20 69 6e 20 1830 in 0030: 6d 73 76 31 5f 30 2e 64 msv1_0.d0038: 6c 6c 20 35 2e 32 2e 33 ll 5.2.30040: 37 39 30 2e 34 35 33 30 790.45300048: 20 61 74 20 6f 66 66 73 at offs0050: 65 74 20 30 30 30 30 30 et 000000058: 30 30 30 30 30 30 31 36 000000160060: 64 66 31 df1 Event Type:ErrorEvent Source:WinlogonEvent Category:NoneEvent ID:1015Date:9/16/2009Time:9:38:59 AMUser:N/AComputer:###Description:A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I believe these three updates from the list above are the most likely culprits:956744960859968389
Unfortunately Ive been unable to find much documentation or help on the LSASS error. I managed to resolve the issue by uinstalling all the above updates. After uninstall LSASS error went away but RDC logs the following error when attempting to connect from any client (XP/7/2k3/2k8):
Event Type: ErrorEvent Source: TermDDEvent Category: NoneEvent ID: 50Date: 9/17/2009Time: 4:09:14 PMUser: N/AComputer: ###Description:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:0000: 00 02 04 00 02 00 52 00 ......R.0008: 00 00 00 00 32 00 0a c0 ....2..0010: 00 00 00 00 32 00 0a c0 ....2..0018: 00 00 00 00 00 00 00 00 ........0020: 00 00 00 00 00 00 00 00 ........0028: 92 01 00 00 ...
Any and all help is greatly appreciated as I am at a complete loss.
September 21st, 2009 6:02pm
Event Type:ErrorEvent Source:LsaSrvEvent Category:Security Package Manager Event ID:5000Date:9/16/2009Time:9:38:25 AMUser:N/AComputer:###Description:The security package NTLM generated an exception. The exception information is the data.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.Data:0000: 05 00 00 c0 00 00 00 00 .......0008: 00 00 00 00 00 00 00 00 ........0010: f1 6d 51 7e ff 07 00 00 mQ~...0018: 02 00 00 00 00 00 00 00 ........0020: 00 00 00 00 00 00 00 00 ........0028: 55 c1 6f 03 00 00 00 00 Uo.....0030: 10 22 9e 9a df fa ff ff ."0038: 00 00 00 00 00 00 00 00 ........0040: 00 00 00 00 00 00 00 00 ........0048: 00 00 00 00 00 00 00 00 ........0050: 00 00 00 00 00 00 00 00 ........0058: 00 00 00 00 00 00 00 00 ........0060: 80 80 b3 00 00 00 00 00 .....0068: c0 5d 9c 00 00 00 00 00 ].....0070: 04 62 6f 03 00 00 00 00 .bo.....0078: d8 61 6f 03 00 00 00 00 ao.....0080: 00 00 00 00 00 00 00 00 ........0088: 21 d5 02 01 00 f8 ff ff !...0090: 30 04 95 99 df fa ff ff 0.
Free Windows Admin Tool Kit Click here and download it now
September 21st, 2009 6:13pm
http://support.microsoft.com/kb/323497
That article will tell you how to fix the issue. I also had the issue you reported above and have removed968389and seem to be stable so far.
September 22nd, 2009 5:10pm