lsass.exe, failed with status code 255 at random times!
It seems to happen at random times, I am running Windows 7 Ultimate on a Dual Core AMD Machine (Gateway GT5056),with 732 MB RAM. I saw a similar situation in another thread, but I am not running any antivirus or Forefront product. Here is the event logged.Faulting application name: lsass.exe, version: 6.1.7600.16385, time stamp: 0x4a5bbf3e Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdadb Exception code: 0xc000000d Fault offset: 0x00093219 Faulting process id: 0x200 Faulting application start time: 0x01ca3ba64dfcbf20 Faulting application path: C:\Windows\system32\lsass.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: c897f237-a7d6-11de-96b2-00155823cc8eThanks for all the help!Leowise Windows 7 is SOLID!
September 23rd, 2009 3:42am

Hi, According to my research, the issue occurs when the computer is in an AD domain. So, I would like to confirm if your computer is also in a Domain. The following forum discusses this issue, one user resolved it by disabling the Screen lock GPO: http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/c71c56cf-f07c-458b-bcbf-76383bc4e64b So, the issue should be related to AD domain settings. Please contact your Domain administrator to check it. From the Windows 7 system stand point, you can try the following steps: First, you may test it in Clean Boot mode. If it does not work, try the following steps: Create a new user account ==================== 1. Click the Start Button, and then click Control Panel. 2. Double-click User Accounts. 3. Click Manage another use account. 4. Click Create a new account, and type the name. 5. Choose account type as Computer administrator. 6. Click Create Account. 7. Log off and log on with the new account.Vivian Xing - MSFT
Free Windows Admin Tool Kit Click here and download it now
September 24th, 2009 9:08am

I've been running RC 7100 on my home PC since it was available in April and I've just had this problem for the first time. There's no AD domain in my house - just my own PC.It uses a home network with two others both of which were switched off at the time.These are the diagnosotics: looks like the failure was at a different location to the one above: Faulting application name: lsass.exe, version: 6.1.7100.0, time stamp: 0x49ee8a5dFaulting module name: lsasrv.dll, version: 6.1.7100.0, time stamp: 0x49eea587Exception code: 0xc0000005Fault offset: 0x000176cbFaulting process id: 0x234Faulting application start time: 0x01ca3cf310525592Faulting application path: C:\Windows\system32\lsass.exeFaulting module path: C:\Windows\system32\lsasrv.dllReport Id: a88eadd3-a8f1-11de-8ec4-0011119c748fAppeared to have happened as the screen came back on after 10 minutes - my value for switching it off. Only the screen was off - I don't use sleep or hibernate etc.Any ideas?
September 24th, 2009 1:26pm

Hi, Did you try my suggestions above? If it does not work, I suggest updating your device driver from manufacturer's website. In addition, try the followings steps:Use the System File Checker (SFC) ===========================1. Click Start, type cmd in the Start Search bar, right-click cmd.exe and click run as administrator. 2. Input the following command and press Enter. sfc /scannow Also type REGSVR32 LSASRV.DLL in the Command Prompt window.Vivian Xing - MSFT
Free Windows Admin Tool Kit Click here and download it now
September 25th, 2009 6:04am

I've tried the suggestions however, I have to report that they don't seem particularly relevant or effective. I've three different systems that are experiencing this problem. Two of which are running Win7 x64 (different motherboards and chipsets) and one running Win7 x86 (Fujitsu laptop). As best as I can determine, they are all running the latest drivers available for the various hardware. None of the systems experienced this problem while running Vista. Note: 2 of the systems were upgrades, one was a clean install. All systems are on a domain (Win Server 2008) and though there is a GPO, power saving and screen options are not specified in the GPO.As others have said - any ideas? Is there a clear explanation of what lsass.exe does and why we need it and why it can't fault and restart gracefully?
September 26th, 2009 8:38am

Th issue above is a windows 7 issue when connected to domain. Only fix is that you can't lock your computer. If you have GPO that locks the screen after few minutes, that will cause the crash when you unlock it. Even if you don't have the GPO, the user locks his screen, then unlocks it after, you will get the same crash. It's not all the time. For me, I can recreate this problem in about 1 - 3 tries of locking and unlocking the screen. Hopefully, Microsoft acknowledges this issue and issue a patch.
Free Windows Admin Tool Kit Click here and download it now
September 28th, 2009 4:58pm

Thank you for your feedback, I will forward this information to the appropriate department through our internal channel. Both the Microsoft Product Team and Development Team take into consideration all suggestions and feedback for future releases.Hi Leowise, did my suggestions work on your non-domain computer?Vivian Xing - MSFT
September 30th, 2009 5:23am

I wish this workaround (though not very workable) was the answer but even after removing any locks (I assume timeout locks for screen savers and such) the lsass error reoccured with the corresponding reboot. I've looked but I don't find any entry for a relevant GPO. This has become very annoying - especially since it wasn't seen in most systems during the beta but is now being seen on all the systems run RTM. Note: this is on a domain.
Free Windows Admin Tool Kit Click here and download it now
September 30th, 2009 5:32am

HI, Vivian;Thanks for your help! Sorry for the delay, I had some other issues to take care of, so I am now trying to see if the issue is resolved by using your suggested workaround. I will post as as I find out!Windows 7 is SOLID!
October 1st, 2009 12:24am

To all;This must be a widespread issue! We just installed Win7 x64 on a AMD machine (clean install), it worked well for 3-4 days (no LSAAS issues) then after loading several packages (mostly microsoft stuff: Office 2007, Visual Studio 2008, Windowos SDK, etc) and patching it, it started failing with the LSAAS issue! As the other system I reported on, it is on a Windows 2003 AD domain, so the symptoms agree with Vivian's research. In the latest case, I did verify that the issue happens when you unlock the system, this time the system just shutdown (forced) no error feedback at all! When reviewing the error log, found " A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255. The machine must now be restarted." error. According to Microsoft LSAAS is charged with: This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.So, my take is that the system is unable to authenticate the user / or processes and it defaults to shutdown. I am still researching this, but I am a bit surprised that this issue is not being agressively researched / troubleshooted since it can be a show stopper for Win 7!Hopefully we can find a better solution than disabling the system lock after sleep, it is a security feature that is more relevant in the current environment!Keep posting on this thread until this is resolved!LeowiseWindows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2009 7:09pm

More (and promising) information. I had a system that this problem was being exhibited on. Other threads have mentioned an interaction with various anti-virus applications. So, I have uninstalled and installed multiple different ones. This did NOT affect the behavior. I submit that anti-virus interaction is NOT the issue. But, here's the good news. Because sleep and wake interactions are indicated, I intentionally modified the power settings to first, disable all sleep and power down scenarios - no screen saver, no sleep mode, no monitor off, no harddrive sleep - nothing. Didn't change - still would (though less often) get the lsass error. Since I was still getting the error, I tried the opposite tactic - I enabled a screen saver at 15 minutes, and changed the power settings to display off in 20 and computer to sleep at 30. Since then I haven't had a reoccurence of the problem. I'm going to try on some other systems that are experiencing the problem. Note: this system is on a 2008 Server based AD Domain - no GPO re: power set.--ET--
October 6th, 2009 9:40am

I've had two Windows 7 Pro RTM computers begin experiencing this issue in the last two days. I've tried the steps mentioned in Vivian's post to no avail. These are both clean installs of Windows 7 Pro and all have the latest drivers for the hardware installed. These computers were running fine for the past several weeks and this started becoming a problem in the last day. Is there any additional information that we might be able to send that may assist in resolving this issue?-Dennis
Free Windows Admin Tool Kit Click here and download it now
October 7th, 2009 8:02pm

I'm having the same issue with Win 7 Ultimate RTM x64 with newest Win 7 drivers for a brand new Dell 760.The answer to this issue cannot be disable the screen lock GPO! I'm hoping that there is a patch to this or some fix so that I can deploy some machines into our environment while abiding by security policies. Thanks
October 8th, 2009 12:53am

ET3, thanks for your info, it certainly adds to our effort to get a grip on this issue. Now, I have bad news! As I stated on my last post, I was doing some more research on the AMD X64 installation (my main system) and had the LSASS issue occur AFTER I disabled all power setting related to wake up and station lock, my take on this is that there is not A DIRECT RELATION between the lock, wake up settings and the LSASS problem. The proof: The LSASS failure happened to me while I was working on the system (this eliminates the lock, unlock and power settings possibilities). This just widens the situations in which this bug will happen, because if LSASS is involved in " (If authentication is successful,) Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token." Then the issue is internal to the system's processes, there may be a breakdown in the process' authentication process that causes the system to end up in a "unsafe" state. The system may then invoke a process of "last resort" which is to shutdown the system! Info, here is the error report on the last crash (the one that happened when I was working on the system)Faulting application name: lsass.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc155Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02bException code: 0xc0000374Fault offset: 0x00000000000c6cd2Faulting process id: 0x1fcFaulting application start time: 0x01ca45e4178a5162Faulting application path: C:\Windows\system32\lsass.exeFaulting module path: C:\Windows\SYSTEM32\ntdll.dllReport Id: e814294a-b20a-11de-8ff2-00112fa45631The Exception code is different from the one that happens when unlocking the system, I am not sure what that means yet.I will be interested in knowing if Vivian has found out anything more about this issue!-LeowiseWindows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 8th, 2009 2:22am

Dennis, can you include the error log report from the crashes, I am trying to find a patern (if there is one) in the Exception code that is involved.-LeowiseWindows 7 is SOLID!
October 8th, 2009 2:25am

Brenda, can you include the error log report from the crashes, I am trying to find a patern (if there is one) in the Exception code that is involved.Windows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 8th, 2009 2:25am

Hi, I'm having the exactly same problem with Windows 7 RTM x64 (Enterprise Edition). The error message is following:Faulting application name: lsass.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc155Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02bException code: 0xc0000374Fault offset: 0x00000000000c6cd2Faulting process id: 0x238Faulting application start time: 0x01ca47d499498872Faulting application path: C:\Windows\system32\lsass.exeFaulting module path: C:\Windows\SYSTEM32\ntdll.dllReport Id: 2fd32d25-b3c9-11de-b227-001f161a58d6 There seems to be following conditions that cause this behaviour: * Boot with network connection on and sign to AD * Lock / unlock your computer several times => system "hangs" in a peculiar way (the GUI seems to work, but new programs cannot be started) or a system restart is initiatedSFC-scan shows no errors.F-Secure virus scan shows no errors.Currently I tried to boot without a network cable and plugging it after the logon process was complete. This seems to have stopped the error from happening... for now :)-LordDragon
October 8th, 2009 8:43am

Here is the entry from the System Event Log. This computer is joined to a Domain, but we do not have a GPO that forces the screen lock. It occurs after a user manually locks the screen when they walk away from their computer (yeah, we trained them pretty well). + System - Provider [ Name] USER32 - EventID 1074 [ Qualifiers] 32768 Level 4 Task 0 Keywords 0x80000000000000 - TimeCreated [ SystemTime] 2009-10-07T19:40:00.000000000Z EventRecordID 12963 Channel System Computer LT-CNU716048F - Security [ UserID] S-1-5-18 - EventData wininit.exe LT-CNU716048F No title for this reason could be found 0x50006 restart The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. The system will now shut down and restart. 0600050000000000000000000000000000000000000000000000000000000000 Binary data: In Words 0000: 00050006 00000000 00000000 00000000 0008: 00000000 00000000 00000000 00000000 In Bytes 0000: 06 00 05 00 00 00 00 00 ........0008: 00 00 00 00 00 00 00 00 ........0010: 00 00 00 00 00 00 00 00 ........0018: 00 00 00 00 00 00 00 00 ........
Free Windows Admin Tool Kit Click here and download it now
October 8th, 2009 4:57pm

Hi, ET3,In an effort to narrow the focus of this research, can you please tell us what kind of processor do yuo have in the systems involved, I am, so far, having the issues in two machines that happen to be AMD based systems. If this is a "deep into the kernel" bug, it will be helpful to see if occurs in both AMD and Intel MOBOs. Thanks!-LeowiseWindows 7 is SOLID!
October 8th, 2009 5:21pm

Leowise,The two machines we are currently experiencing the problem with are Intel Centrino Based Laptops.-Dennis
Free Windows Admin Tool Kit Click here and download it now
October 8th, 2009 5:46pm

Hi, Ok. lets sumarize what we know so far:a. The problem is across plataforms (AMD, Intel), installed software is not relevant.b. It affects systems that belong to a Windows domain, and specially when they are logged on to such domain.c. The issue is not related to a particular GPO setting as someone suggested earlier, rather, when the system is unlocked or waken from sleeping state, the LSASS.EXE attempts to authentica the user / process and that authentication fails, since processes use the result of that authentication to obtain and then use an authentication token against the kernels security subsystem to operate, but since the lsass process failed, the system detects a "unsafe" state and calls for a orderly shutdow process to start.So, where do we go from here? I suspect that Microsoft is working on patch for this issue, I also think that this problems involves both the server and the workstation, since the issue happens when the affected systems are part of the AD domain. So, I will keep investigating this issue, if someone comes across some info about this issue, let us know!!-Leowise Windows 7 is SOLID!
October 8th, 2009 11:06pm

Let me tell you what I have observed so far. The GPO is set to screen lock at 20 mins. If I boot the computer, then lock the screen and walk away for 19 minutes, I will be able to log back in. However, if I wait 21 minutes I get "The remote procedure call failed" and "The RPC server cannot be found". Then within a couple minutes the machine will reboot. I find entries on the lsass.exe failing.I also agree that there are other triggers for causing this service to crash. I have had this happen a couple time right after I RDP into the machine.BTW, I have an Intel Core2 Duo Machine. - System - Provider [ Name] Microsoft-Windows-Wininit [ Guid] {206f6dea-d3c5-4d10-bc72-989f03c8b84b} [ EventSourceName] Wininit - EventID 1015 [ Qualifiers] 49152 Version 0 Level 2 Task 0 Opcode 0 Keywords 0x80000000000000 - TimeCreated [ SystemTime] 2009-10-08T21:54:34.000000000Z EventRecordID 6227 Correlation - Execution [ ProcessID] 0 [ ThreadID] 0 Channel Application Computer Bhamilton02.xxxx.net Security - EventData C:\Windows\system32\lsass.exe 255
Free Windows Admin Tool Kit Click here and download it now
October 9th, 2009 1:20am

So, what happens after the lock after time expires may be a clue. I think that the Windows security system, lsass.exe IS part of such system, must perform an authentication release procedure. At this point the user object (and possibly other processes objects) are not longer "authorized" or are not cosidered "authenticated" by the security system (now I am going on a limb here!) at which point, if you unlock the system, OR, perform any other action for which lsass.exe must re-authenticate the user... BOOOM!! the system goes into a "unsafe" state and the "save your work" Windows 7 feature takes over and executes a preventive measure that shuts down the system.What do you guys and girls think? If this is the situation, then I am not sure if WE can do anything. This may be beyond our powers, I am starting to think that the issue is "deep" inside the beast (Kernel). I know that they (Microsoft) has worked hard to harden the Kernel and restrict "roge" apps from messing with the Kernel, this may be the reason why this failure is very criptic and not much info is given. I mean, what can we learn from "A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000374. The machine must now be restarted." Not very helpful, is it? What is the status code c0000374 means?? So, I am not sure what else to here other than WAIT for MS to come up with a patch (that I will suspect will involve both a server part and a client part)Any more ideas?-Leowise Windows 7 is SOLID!
October 9th, 2009 2:18am

I agree this is something beyond our reach. Hopefully a MSFT person can add some insight into the issue or what might be done about it. I wish I had posted earlier, this has been bothering me since the day RTM was released. Thought it was just me. Thanks for your help. -B
Free Windows Admin Tool Kit Click here and download it now
October 9th, 2009 2:38am

One system is an Intel T2400 based Fujitsu laptop w/ 4 GB RAM installed running Win7 RTM x32. The other two are homebuilt desktop systems based on GigaByte motherboards with Intel Q6600 CPUs both running Win7 RTM x64. Note: the one Q6600 system (my main desktop) has NOT experienced the LSASS error since I manually set the power settings to never sleep and then later reset them back to the above mentioned sleep and power off values.--ET--
October 9th, 2009 4:25am

I concur that this is probably outside our ability to fix (unless this was something that was included in a security update that we can roll back). Has anyone compared version information for their instances against the original RTM image? The file on my system (lsass.exe) has a build version of 6.1.7600.16385 which indicates to me that it is the release version.However, is there ANY indication that someone at MS has actually been made aware of this problem?--ET--
Free Windows Admin Tool Kit Click here and download it now
October 9th, 2009 4:34am

Yep, this one is going to be one of those issues that's either a really bad bug, or just a typical Windows "feature" that someone forgot to document!I have my share of expiriences with MS on this area. My guess is that right now ALL foot soldiers at MS are busy with the release "last moment issues" So we are a bit out of luck because of that!Now, ET the file version on my system is: 6.1.7600.16385, same as yours. I checked for previous versions, so we know that it has not been update as part of a patch or something like that. I think I am done for the day on this issue! Maybe tomorrow we'll wake up to a new update that will solve this! FAT CHANCE, I think!Lastly, I gotta tell you that this thread has been picked up by other forums, so this issue may be coming up more and more, and that my friends will push someone at MS to tackle this one, its a numbers game, it always is.Later,-LeowiseWindows 7 is SOLID!
October 9th, 2009 5:03am

This worked for me. Go to device manager and select your Nic card. Select properties, then power management. De-select allow computer to turn off this device to save power.
Free Windows Admin Tool Kit Click here and download it now
October 14th, 2009 8:59pm

Thank you Gotenba! This seems to work right away. I have only tested once after waiting 20 minutes for the screen lock to kick in but it appears to work. I will try a few more things such as unplugging the network cable (after screen lock applied) and then trying to log in and see if that also causes it to crash. If not, great job on the workaround...much better than removing the GPO. So this a driver/hardware/OS issue when the sleeping LAN card is not being processed correctly?
October 14th, 2009 9:45pm

Gotenba, you will save us a lot of headaches if this workaround works (I just tried on a system that has had the issue almost every night).Now, let me ask you, how did you arrive at this? Did you just sat there and started disabling and enableing stuff until one worked? :>)Now, I am not sure if you saw one of my earlier posts, it did (the crash) happen to me when I was working on the system, it could had been that the NICs power saving feature is very "agressive" and it detected enough idle time and shut down the NIC...But, let me give it a try and see what happens!Also, if anyone else has had the issue occur at other times other than when unlocking the syste, let us know, that will help us gather more data points!I will let you all know what happens after using Gotenba's workaround.Thanks Getenba!!Leowise Windows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 15th, 2009 5:23am

Hi, I tried Gotenba's workaround and it work for a couple of screen lock tries. I'm guess about 8th try, lsass.exe failed. So far, the only guarantee for me so that this does not crash is that before I unlock, I have to unplugged the network cable if I'm on the corporate network. This definitely has to do with the re-authentication when you unlock (as Leowise suggested I think). It does not crash either for me when I'm at my home network with network plugged in. It only crashes when the laptop is able to contact the domain controller.
October 15th, 2009 2:56pm

Yes, I agree with your remarks Lemuel, this is a complex issue, it appears to happen at different times and under different circumstances. I am also running Windows 7 Ultimate as a virtual machine (VM) on a Windows Server 2008 and yesterday I logged on and the failure happened when the machince was unlocked, VM's use virtualized NICs so the workaround that Getenba suggested does not apply to that instance!So, it seems that this bug is veryunpredictable. As an update to my last post to Getenba, I did change the power settings to stop the system from shutting down the NIC and the computer DID NOT FAILED overnite as it usually did! So, the workaround may work for me ON THIS SYSTEM. So, thanks again to Getemba for the workaround. I am planning to use it in at leas other machine that has had the same issue. I lwill report here what the result is.Keep this thread alive until we have this bug nailed!BTW, other that this issue Windows 7 is great, I am really impressed with the performance so far!!LeowiseWindows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 15th, 2009 6:04pm

Hi: My fix seems to have fixed the unlock problem for me as I no longer seem to have the problem when I unlock. However yesterday while just working on the PC I got the message windows has experienced a critical error and will shut down in 1 minute. So while I have made the problem happen less often it still occurs. The reason I took this path was a couple of times after the error on the reboot I noticed that I had lost network access and had to shut down the PC and reboot to get it back as though the Nic had hung up. I was running Vista Ultimate on this laptop before and had never experienced this LSASS issue before switching to Windows 7 RTM. Gotenba
October 15th, 2009 8:35pm

Hi,Yepm that is the MO of this bug, it seems to surface at differnt times and under different circumstances, very bothersome becuase it keeps you wondering when is it going to strike!As I mentioned above, I tried the NIC power workaround on a different machine and it did not work, as soon as I locked then unlocked the machine, the bug resurfaced! So, sorry to say that this workaround is not a fix for all systems.I am not sure what else to try other than to keep gathering data AND WAITING for MS to come up with a solution for this. This bug could be really bad since it affects several type of systems, as it appears to do, can you imagine the headaches that this will cause to a company with hundreds of systems? Also, you have to consider the potential loss of data! Not good at all!Ok, we'll keep researching this and see what we can find!Leowise Windows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 15th, 2009 11:39pm

Hi,After suffering from this problem too much time both on my desktop and laptop, Ive decided to find the real workaround to this problem. All the other workarounds suggested on forums discussing this issue are not working or just partial solutions. As far as I can understand the core of the issue is some re-authentication with the domain controller that occurs when the computer is unlocked. At this point some modules that are called by lsass.exe are failing and make the service crash and you know what happens.Analyzing the crash dumps using windows debugger Ive found out that the failure related to kerberos.dll. See Exception Analysis below.So then I started to search settings related to Kerberos authentications and found 2 possible entries that can affect the Kerberos authentication process:1.Registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\DefaultEncryptionType2.Policy setting located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos, which after all sets the following registry key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypesSearching the net about this parameter reveals more information and details explanations.What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)KeyHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ParametersTypeREG_DWORDNameDefaultEncryptionTypeData 23 (decimal) or 0x17 (hexadecimal)Now its also possible to disable the problematic encryption type with a GPO applied the Windows 7 machines or to find a way (which I didnt search for yet) to change the DefaultEncryptionType using GPO. Example Exception Analysis: FAULTING_IP: ntdll!RtlUnhandledExceptionFilter+2d200000000`776d6cd2 eb00 jmp ntdll!RtlUnhandledExceptionFilter+0x2d4 (00000000`776d6cd4) EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)ExceptionAddress: 00000000776d6cd2 (ntdll!RtlUnhandledExceptionFilter+0x00000000000002d2) ExceptionCode: c0000374 ExceptionFlags: 00000001NumberParameters: 1 Parameter[0]: 000000007774c3f0 DEFAULT_BUCKET_ID: WRONG_SYMBOLS PROCESS_NAME: lsass.exe ADDITIONAL_DEBUG_TEXT: Use '!findthebuild' command to search for the target build information.If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. FAULTING_MODULE: 0000000077610000 ntdll DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bdfde ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted. EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted. EXCEPTION_PARAMETER1: 000000007774c3f0 FAULTING_THREAD: 0000000000001538 PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS LAST_CONTROL_TRANSFER: from 00000000776d7396 to 00000000776d6cd2 STACK_TEXT: 00000000`01f8e220 00000000`776d7396 : 00000000`00000002 00000000`00000023 00000000`00001028 00000000`00000003 : ntdll!RtlUnhandledExceptionFilter+0x2d200000000`01f8e2f0 00000000`776d86c2 : fffffa80`06ac2010 00000000`00000001 00000000`01f8eff8 00000000`7765a39e : ntdll!EtwEnumerateProcessRegGuids+0x21600000000`01f8e320 00000000`776da0c4 : 00000000`00180000 00000000`00000000 00000000`00000000 00000000`00180000 : ntdll!RtlQueryProcessLockInformation+0x95200000000`01f8e350 00000000`7767d1cd : 00000000`01b65140 00000000`00180000 00000000`01b65150 00000000`01b83010 : ntdll!RtlLogStackBackTrace+0x44400000000`01f8e380 000007fe`fce61120 : 00000000`023ed6f0 00000000`01b82f30 00000000`01b82e80 00000000`00000000 : ntdll!LdrGetProcedureAddress+0x14e0d00000000`01f8e400 000007fe`fce8bba2 : 00000000`01b82e80 00000000`00000000 00000000`023ed6f0 00000000`023a7550 : kerberos!Ordinal26+0x112000000000`01f8e430 000007fe`fce82f9c : 00000000`01b82e80 00000000`01ab3a80 00000000`00000000 00000000`01ab3af8 : kerberos!SpInitialize+0x38da00000000`01f8e460 000007fe`fce8bb82 : 00000000`01ab3b98 00000000`00000000 00000000`023a7550 00000000`023a7550 : kerberos!SpInstanceInit+0xa0800000000`01f8e490 000007fe`fce8b71f : 00000000`00000001 00000000`01ab3a80 00000000`00000000 00000000`00000000 : kerberos!SpInitialize+0x38ba00000000`01f8e4c0 000007fe`fce91c75 : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd29120a : kerberos!SpInitialize+0x345700000000`01f8e4f0 000007fe`fce91b67 : 00000000`00000000 00000000`00000000 00000000`023ed6f0 000007fe`fd340830 : kerberos!SpInitialize+0x99ad00000000`01f8e5c0 000007fe`fce91d0a : 00000000`00000000 00000000`01f8e700 00000000`00000000 00000000`001d4260 : kerberos!SpInitialize+0x989f00000000`01f8e660 000007fe`fd2d48c6 : 00000000`02476ac8 00000000`000000e8 00000000`023dead0 00000000`02476ac8 : kerberos!SpInitialize+0x9a4200000000`01f8ebb0 000007fe`fd29be80 : 00000000`02476ac8 00000000`00000002 00000000`000000e8 00000000`00180000 : lsasrv!LsaIAllocateHeap+0x1b77600000000`01f8ed20 000007fe`fd29b880 : 00000000`01f8f230 000007fe`fd291f61 00000000`00000002 00000000`00000002 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x2ab000000000`01f8ee60 000007fe`fd29a7d3 : 00000000`01f8f2a0 00000000`001d9578 00000000`00000000 00000000`01f8f370 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x24b000000000`01f8ef00 000007fe`fd29a30e : 00000000`0026b010 00000000`02476ac8 00000000`01f8f308 00000000`00000000 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x140300000000`01f8f1d0 000007fe`fd4018c8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01f8f6c8 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0xf3e00000000`01f8f4e0 000007fe`fd417c5a : 00000000`00000000 00000000`01f8f6b8 00000000`00000000 00000000`00000007 : sspisrv+0x18c800000000`01f8f600 000007fe`fd41808b : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd417a97 : sspicli!SeciAllocateAndSetIPAddress+0x10600000000`01f8f770 000007fe`fd346813 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sspicli!LsaLogonUser+0x8300000000`01f8f7f0 00000000`7740f56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : lsasrv!LsaIUpdateLogonSession+0x170300000000`01f8f940 00000000`77643281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd00000000`01f8f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 FOLLOWUP_IP: kerberos!Ordinal26+1120000007fe`fce61120 eb00 jmp kerberos!Ordinal26+0x1122 (000007fe`fce61122) SYMBOL_STACK_INDEX: 5 SYMBOL_NAME: kerberos!Ordinal26+1120 FOLLOWUP_NAME: MachineOwner MODULE_NAME: kerberos IMAGE_NAME: kerberos.dll STACK_COMMAND: ~12s; .ecxr ; kb BUCKET_ID: WRONG_SYMBOLS FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000374_kerberos.dll!Ordinal26 WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/lsass_exe/6_1_7600_16385/4a5bc155/ntdll_dll/6_1_7600_16385/4a5be02b/c0000374/000c6cd2.htm?Retriage=1wdavid
October 19th, 2009 2:08pm

Try setting an exclusion in your Antivirus software for: c:\windows\system32\lsass.exe
Free Windows Admin Tool Kit Click here and download it now
October 19th, 2009 7:17pm

Hi: I believe what you found regarding Kerberos authentication is related to what I found out this weekend. I too had this problem with 2 machines, a laptop and a desktop. The desktop was running 32 bit ultimate while the laptop is running 64 bit ultimate. I found I could make the problem occur almost every time simply by logging off and logging back in. Most of the time the machine would reboot at the login screen with no error message at all. I then decided to login using a different userid. When I did that the failure no longer occured. I then went to the server and deleted the userid that was failing and re-added the same userid, with the same password and attributes. After doing this the failure no longer occured. Of course doing this causes the PC's to build a new default profile for this userid on each PC and it is necessary to rebuild the new profile using the old profile info. Is it possible some Userid's have been corrupted over time or perhaps a change was introduced to server 2003 after the failing userid was added. This problem never occurred under Vista Ultimate. Gotenba
October 19th, 2009 7:41pm

Hi Gotenba, I am a bit confused as to you suggested fix, are you suggesting that the user account that was used to add the computer to the domain got corruped? So, you logged on to the affected system using a different user account and that stopped the crashes? Thanks!LeowiseWindows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 19th, 2009 11:00pm

Hi Leowise: Sorry if my details were confusing. I had been using my own normal userid to logon and I was having the problem. I then logged on using another userid on the same 2 computers and did not have the problem. This led me to believe that the problem originated with something coming from the Windows 2003 server. I then deleted my userid that was showing the problem on the 2003 server and and then added it back exactly as it was before. After doing this I was able to log on off over and over without having the problem. My PC's have been running for 2.5 days without rebooting. They have never gone this long without having the problem. Hope this is clearer Gotenba
October 20th, 2009 12:33am

Thanks, so it looks like you hit onto something that may work!!I am going to give this a try! I can think of how your workaround might have a effect on this bug, since the issue seems to derive from an attempt to re-authenticaticate (as noted by me and others above).This couldbe an issue with the way the initial domain account is created on the domain (by the Windows 7 client)? And this issue then is not repeated if the account is then re-created.I will be very curiuos to know if someone else has implemented your solution and has the same results as you. I am going to try it and post my results here.Well, thanks again for posting!LeowiseWindows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
October 20th, 2009 2:40am

I tired Gotenba's suggestion and it works. I recreated my AD account and it works. Of course, this is not a real solution since what do you do when you have thousands of users. :) I even tried to clear my SSID history before I attempted with new account and that didnt help. You can try the solution first, but just logging into your machine with the new account and see that it does crash anymore.
October 21st, 2009 3:35pm

Hi Lemuel: You're right this is not a real solution. I never thought we would come up with a real fix, but I was hoping we could come up with enough information to help Microsoft come up with a real fix. I have a feeling this has something to do with when the userid was created. My userid was created about 4 years prior to the second userid I tried that didn't have the problem. Gotenba
Free Windows Admin Tool Kit Click here and download it now
October 21st, 2009 8:09pm

It seems to happen at random times, I am running Windows 7 Ultimate on a Dual Core AMD Machine (Gateway GT5056), with 732 MB RAM. I saw a similar situation in another thread, but I am not running any antivirus or Forefront product. Here is the event logged. Faulting application name: lsass.exe, version: 6.1.7600.16385, time stamp: 0x4a5bbf3e Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdadb Exception code: 0xc000000d Fault offset: 0x00093219 Faulting process id: 0x200 Faulting application start time: 0x01ca3ba64dfcbf20 Faulting application path: C:\Windows\system32\lsass.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: c897f237-a7d6-11de-96b2-00155823cc8e Thanks for all the help! Leowise Windows 7 is SOLID! You might want to get more RAM, you should have 1GB for the 32-bit ed and 2GB for the 64-bit minimum. The errors suggest that some software you are using is not suitable for Windows 7's network stack. Vote if answered or helpful, I am running for Office (joke)! IT/Developer, Windows/Linux/Mainframe Server: IBM PC 300GL, Pentium III 667, Linux Server, has a 137GB disk limit, making it useless for upgrading my chess site Workstation: Asus M2NBP-VM CSM motherboard, AMD 4200+ 65W CPU, 2GB RAM, ATI x600, 320GB storage with 160GB for backups, Windows 7 Ultimate x64 Signature Edition.
October 22nd, 2009 5:03am

Well, After one week of stability. It's problem is back. So my new domain user account was only good for 1 week. Oh well, I really hope Microsoft is working on this.
Free Windows Admin Tool Kit Click here and download it now
October 29th, 2009 10:13pm

Did you change the registry key like Gotenba proposed above?
October 30th, 2009 12:42am

Hi all!Well, just as Lemuel noted above, I got the same error again after just about a week without seeing it! So, now I am going to give a try to a suggestion I saw in another thread on this site. Namely this one:So then I started to search settings related to Kerberos authentications and found 2 possible entries that can affect the Kerberos authentication process:1. Registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\DefaultEncryptionType2. Policy setting located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos, which after all sets the following registry key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes Searching the net about this parameter reveals more information and details explanations. What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ParametersType: REG_DWORDName: DefaultEncryptionTypeData: 23 (decimal) or 0x17 (hexadecimal)Sorry for not giving credit here, but I forgot where i lifted this from!I will report if this makes a difference.Windows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
November 4th, 2009 9:50pm

Hi, Just informing that Leowise suggestion work.
November 10th, 2009 6:39pm

Just a quick note about the workaround: As I mentioned above, I got this info from another thread, so I take no credit for it! Also, this workaround does lowers the encryption used to communicate with the server (64 bit vs 128 bit) since Windows 7 "wants" to always use 128 bit encryption when talking to the security subsystem (not a complete description, just whatI remember) so keep that in mind when using this workaround!We still need a solution that does not involve reducing the encryption level, so keep us posted if there is a REAL solution to this bug. I suspect that the solutions will involve a Windows Server 2003 patch, so until then, I will not mark the workaround as an answer!Later!Leowise Windows 7 is SOLID!
Free Windows Admin Tool Kit Click here and download it now
November 11th, 2009 6:57pm

I just got back from cleaning up from several problems with my client's machine. I saw a problem similar to this one. I found some malware on the machine, so I suggest checking to be sure. Then I checked the system and many Windows files were damaged so I have to fix them. I suggest checking Windows files: open a command prompt with administrator then... sfc /scannow and have your disk ready in case there is a problem that needs files from the disk.Vote if answered or helpful, I am running for Office (joke)! IT/Developer, Windows/Linux/Mainframe Server: P4-2GHz, Linux Server, need IDE/SATA disks for my chess site Workstation: Asus M2NBP-VM CSM, Athlon64 X2 4200+ 65W CPU, 2GB RAM, NVIDIA 8600GT, 320GB + 160G backup, Windows 7 Ultimate x64.
November 12th, 2009 6:44am

This seemed to to Help me, I hope it works for others.It has something to do with Kerberos.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]"DefaultEncryptionType"=dword:00000017 Decimal = 23 or Hexadecimal = 0x17Set the registry, reboot and test the locking the screen manually (CRTL-ALT-DEL)Platform=Windows 7 Ultimate
Free Windows Admin Tool Kit Click here and download it now
December 14th, 2009 11:01pm

Hi, all;I am happy to report that the workaround mentioned in one of myposts (which I found in a different thread!) works, after extensive testing, I am glad to tell you that it does work, the workaround is:What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters(Add the this value to the "parameters" key)Type: REG_DWORDName: DefaultEncryptionTypeData: 23 (decimal) or 0x17 (hexadecimal)NOTE: Remember, you are modifying the system'sregistry! SO MAKE SURE you make a backup of it BEFORE you make any changes just in case something goes wrong!! Also, any suggestion you find here is USE AT YOUR OWN RISK! This workaround worked for me in at least two different systems for more that a couple of months, so I suspect that it will work for many of you that have this issue. Thanks to all you you that pitched in to find a solutions to this anoying bug. Thanks and happy Windows 7 computing!Windows 7 is SOLID!
December 15th, 2009 7:43pm

This seems to be the official fix. http://support.microsoft.com/default.aspx?scid=kb;en-us;976586&sd=rss&spid=14481Mark Morowczynski|MCT| MCSE 2003:Messaging, Security|MCITP:EMA 2K7,EDA Win 7,ES,SA,EA|MCTS:Windows Mobile Admin|Security+|http://almostdailytech.com
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2010 5:56pm

Mark, thanks for the info! Interesting, I will review the solutions and post back!Mark, thanks for taking the time to post!LeowiseWindows 7 is SOLID!
February 12th, 2010 6:38am

I am getting this exact same error, however, it's preventing me from logging on in normal mode and I can only login using safe mode. Problem is that safe mode does not allow me to install the fix. How can I install the fix from safe mode?
Free Windows Admin Tool Kit Click here and download it now
March 18th, 2010 5:25pm

I am running into the same problem. The lsass crash happens after I log in and do some stuff for a couple mins. I tried the registry hack and I also got the patch from MS and installed it. Nothing seems to fix the problem. Its very frustrating. Can I assume everyone here was able resolve this issue since there were no posts after Feb 12 except coldstar?
April 8th, 2010 12:59am

I wonder if there is some program that is installed that is causing problems. I need detailed information to be able to see. in the start menu, in the search box msinfo and save the result, and upload it to skydrive.live.com Vote if answered or helpful, I am running for Office (joke)! IT/Developer, Windows/Linux/Mainframe RaidMax Smilodon, 680W, Asus M2NBP-VM CSM, AMD X2 4200+, 2GB DDR2-800, HD2400 Pro, more details on my site, need a new boot disk, existing one is 5 years old
Free Windows Admin Tool Kit Click here and download it now
April 8th, 2010 3:52am

Hi everyone! Sorry to revive this old thread, but I am curious to see if anyone has uncovered a good solution to this issue yet. I finally made the move to format and install a fresh Windows 7 and have been experiencing this same issue. I am having the same error and reboots. Since I have a fresh install, it cannot be any programs or viruses, etc. My lsass.exe failure does not appear to be linked to the user switching mentioned in these posts. Mine appears to be at random. Even if my computer is unattended and idle, I check the event viewer to discover that rebooting is still going on. I did notice this in my event viewer as well: "The security package NegoExtender generated an exception. The exception information is the data." The source says "LsaSrv" So I am assuming there is some connection. If you have any ideas or solutions, I would appreciate the input! As a note: I did download the Microsoft Hotfix, still having the same issue :(
June 13th, 2010 10:32pm

There is an hotfix by Microsoft available here: The hotfix is for scenarios with Active Directory. You can instead disable the Do not require Kerberos preauthentication option of the user account that is expiriencing the problem, as described in the link above http://support.microsoft.com/default.aspx?scid=kb;en-us;976586&sd=rss&spid=14481
Free Windows Admin Tool Kit Click here and download it now
July 14th, 2010 4:54pm

I have had success by removing the machine from the domain, deleting the computer account and re-adding to the domain. This has worked on several PCs at work.
October 21st, 2010 10:04am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics