-1073741819 = C0000005 # for hex 0xc0000005 / decimal -1073741819 : STATUS_ACCESS_VIOLATION ntstatus.h # The instruction at "0x%08lx" referenced memory at # "0x%08lx". The memory could not be "%s". This indicates that there is a user mode memory corruption with lsass.exe. Since the lsass process is critical to the system, it's termination resulted in reboot that is similar to a blue screen with value 0xF4 CRITICAL_OBJECT_TERMINATION, http://mikemstech.blogspot.com/2011/12/troubleshooting-0xf4.html The next steps here are to verify the system integrity, either online or offline, http://mikemstech.blogspot.com/2011/12/how-to-perform-offline-system-integrity.html and determine what all of the processes are that are running on the system. It might be worth looking at what processes are starting and exiting on the system, http://technet.microsoft.com/en-us/library/cc775520%28v=ws.10%29.aspx -- Mike Burr Enterprise High Availability, Disaster Recovery, and Business Continuity Planning Learn to Troubleshoot Windows BSODs

One of our file servers that is shared out to most of the users in our company unexpectedly restartedt his morning. The only log I can find that indicates what might have happened is this one: Event Type: Information Event Source: USER32 Event Category: None Event ID: 1074 Date: 04/05/12 Time: 8:20:08 AM User: NT AUTHORITY\SYSTEM Computer: SERVER1 Description: The process winlogon.exe has initiated the restart of computer SERVER1 on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 06 00 05 00 43 00 3a 00 ....C.:. 0008: 5c 00 57 00 49 00 4e 00 \.W.I.N. 0010: 44 00 4f 00 57 00 53 00 D.O.W.S. 0018: 5c 00 73 00 79 00 73 00 \.s.y.s. 0020: 74 00 65 00 6d 00 33 00 t.e.m.3. 0028: 32 00 5c 00 4c 00 6f 00 2.\.L.o. 0030: 67 00 46 00 69 00 6c 00 g.F.i.l. 0038: 65 00 73 00 5c 00 53 00 e.s.\.S. 0040: 68 00 75 00 74 00 44 00 h.u.t.D. 0048: 6f 00 77 00 6e 00 5c 00 o.w.n.\. 0050: 53 00 68 00 75 00 74 00 S.h.u.t. 0058: 44 00 6f 00 77 00 6e 00 D.o.w.n. 0060: 5f 00 32 00 30 00 31 00 _.2.0.1. 0068: 32 00 30 00 34 00 30 00 2.0.4.0. 0070: 35 00 30 00 38 00 32 00 5.0.8.2. 0078: 30 00 30 00 34 00 2e 00 0.0.4... 0080: 78 00 6d 00 6c 00 00 00 x.m.l... But I'm not sure what this means, of if it's telling me anything useful. A user with a consulting firm we use was on this server almost immediately after it came back on line, which I find suspicious but I would like to know what this is before I go pointing fingers.

Is this also a domain controller? Run virus scan? Do you have third party file sharing software installed this system? Check memory dump file? Look app event log during same time and try to relate it to this one? Also this event was logged with this user's account because he logged in first after reboot, so you can't really predict if he did something to cause this and plus this is system error so we can't be sure. Sachin Gadhave

Hello, Start by that: http://support.microsoft.com/kb/2489383 http://support.microsoft.com/kb/838501 http://support.microsoft.com/kb/321024 Since this is a file server, you can consider asking them here: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/threads This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

-1073741819 = C0000005 # for hex 0xc0000005 / decimal -1073741819 : STATUS_ACCESS_VIOLATION ntstatus.h # The instruction at "0x%08lx" referenced memory at # "0x%08lx". The memory could not be "%s". This indicates that there is a user mode memory corruption with lsass.exe. Since the lsass process is critical to the system, it's termination resulted in reboot that is similar to a blue screen with value 0xF4 CRITICAL_OBJECT_TERMINATION, http://mikemstech.blogspot.com/2011/12/troubleshooting-0xf4.html The next steps here are to verify the system integrity, either online or offline, http://mikemstech.blogspot.com/2011/12/how-to-perform-offline-system-integrity.html and determine what all of the processes are that are running on the system. It might be worth looking at what processes are starting and exiting on the system, http://technet.microsoft.com/en-us/library/cc775520%28v=ws.10%29.aspx -- Mike Burr Enterprise High Availability, Disaster Recovery, and Business Continuity Planning Learn to Troubleshoot Windows BSODs

You can use system File Checker tool (SFC.exe) to troubleshoot missing or corrupted system files, it may be because you have installed some Service pack or patches. Repair your file system and scan it, your server may be the infected one. How to use the System File Checker tool: http://support.microsoft.com/kb/929833 Thanks |Ashok