lsass.exe crashes leading to system restart
Hi, I have an application that triggers when the password of an Active Directory user is changed. This Password Sync takes the new password and changes it for the same user in our application. The medium it uses is SPML. But when the password change is triggered, the following error message is shown: The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in 59 seconds. Shutdown message: The system process “C:\WINDOWS\system32\lsass.exe” terminated unexpectedly with status code -1073741819. The system will now shut down and restart. I need to know what the possible causes are which can corrupt the process lsass.exe. It's highly urgent. Please help. Thanks in advance.
April 13th, 2010 8:20am

lsass.exe is crashing because of an access violation. Most likely, this is due to buggy third-party code running in the address space of lsass.exe. The application you refer to sounds suspect in this case. Check the event logs for noteworthy events; check the Dr. Watson dump folder for a user.dmp with a timestamp that matches the last shutdown, and consider checking the dump file for more details about the problem.
April 13th, 2010 2:07pm

Thanks a lot for the reply. I can locate Dr Watson Debugger in Process Explorer, but I don't have any idea as to where to locate the dump folder. Could you please let me know that too? Regards.
April 13th, 2010 2:32pm

Event Logs:
1. Faulting application lsass.exe, version 5.2.3790.0, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x0000744e.
2. A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000354. The machine must now be restarted.
3. A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 80000003. The machine must now be restarted.
April 13th, 2010 2:40pm

-1073741819 = 0xc0000005 = access violation.
0xc0000354 = STATUS_DEBUGGER_INACTIVE = "An attempt to do an operation on a debug port failed because the port is in the process of being deleted."
0x80000003 = STATUS_BREAKPOINT = "A breakpoint has been reached."
To determine the dump location, run drwtsn32.exe. Note the value in the Crash Dump box. Usually something like C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
April 13th, 2010 4:06pm
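
The status-code conversion in the reply above, as an added example that is not part of the original thread: it pulls the status tokens out of the shutdown dialog and event log messages posted here, normalises the signed-decimal and bare-hex forms to one unsigned NTSTATUS value, and splits out the severity, facility and code fields. Treating a bare 8-digit token as hex is an assumption based on how the event log entries in this thread are printed.

```python
import re

# Names for the three codes quoted in this thread; other values come back unnamed.
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000354: "STATUS_DEBUGGER_INACTIVE",
    0x80000003: "STATUS_BREAKPOINT",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

# Messages as posted in the thread (path quotes dropped): shutdown dialog, two event log entries.
MESSAGES = [
    r"The system process C:\WINDOWS\system32\lsass.exe terminated unexpectedly with status code -1073741819.",
    r"A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000354.",
    r"A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 80000003.",
]

TOKEN = re.compile(r"status code\s+(-?(?:0x)?[0-9A-Fa-f]+)")

def to_ntstatus(token):
    """Normalise a logged status token to an unsigned 32-bit NTSTATUS."""
    t = token.lower()
    if t.startswith("-"):                      # signed decimal, as in the shutdown dialog
        return int(t, 10) & 0xFFFFFFFF         # two's complement -> unsigned
    if t.startswith("0x") or len(t) == 8 or re.search("[a-f]", t):
        return int(t, 16)                      # assumption: bare 8-digit tokens are hex
    return int(t, 10) & 0xFFFFFFFF

def decode(status):
    """Split an NTSTATUS into its documented bit fields."""
    return {
        "hex": f"0x{status:08X}",
        "signed": status - (1 << 32) if status & 0x80000000 else status,
        "severity": SEVERITY[status >> 30],        # bits 31-30
        "customer": bool(status & 0x20000000),     # bit 29: set for non-Microsoft codes
        "facility": (status >> 16) & 0x0FFF,       # bits 27-16
        "code": status & 0xFFFF,                   # bits 15-0
        "name": KNOWN.get(status, "unknown"),
    }

def triage(messages):
    """Decode every status code found in a list of log messages."""
    return [decode(to_ntstatus(m.group(1))) for msg in messages for m in TOKEN.finditer(msg)]

if __name__ == "__main__":
    for row in triage(MESSAGES):
        print(row)
```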

I just started experiencing a similar problem. System is Win 7 Ultimate x64, not part of domain. Start VPN to connect to office, no problem. Start Outlook, Outlook tries to authenticate against domain account, lsass crashes, system reboots. Crash dump shows the problem is in kerberos DLL. Before crash eventlog reports Kerberos problem. This started after the recent windows updates. P.
May 14th, 2010 10:41am

What is the exception code? Since you're running a different OS, you probably want to start a new thread in the appropriate forums...
May 14th, 2010 1:20pm

Sorry, didn't want to hijack the thread. All the crashes look like this:
FAULTING_IP:
ntdll!RtlEnterCriticalSection+6
00000000`773ad256 f00fba710800 lock btr dword ptr [rcx+8],0
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 000007fefcb76f36 to 00000000773ad256
STACK_TEXT:
00000000`0149d510 000007fe`fcb76f36 : 00000000`0030e400 00000000`01b244a0 00000000`01b24400 00000000`00000000 : ntdll!RtlEnterCriticalSection+0x6
00000000`0149d540 000007fe`fcb7f08e : 00000000`01b244a0 00000000`00000000 00000000`0030e4b0 00000000`01b584f0 : kerberos!KerbLocateTicketCacheEntryEx+0x62
00000000`0149d590 000007fe`fcb7bf12 : 00000000`00000000 00000000`01b24430 00000000`00000000 00000000`01b5a960 : kerberos!KerbCreateTicketCacheEntry+0x2b3
00000000`0149d5f0 000007fe`fcb75cda : 00000000`004e004c 00000000`0149d6d8 00000000`01b79230 00000000`00000000 : kerberos!KerbGetServiceTicketInternal+0x1692
00000000`0149d7d0 000007fe`fcb72be6 : 00000000`00073d23 000007fe`fcc10848 00000000`00000002 00000000`00073d23 : kerberos!KerbGetServiceTicket+0xca
00000000`0149d890 000007fe`fced34df : 00000000`01c17090 00000000`00000000 00000000`0149de58 00000000`00110002 : kerberos!SpInitLsaModeContext+0x2b30
00000000`0149dc50 000007fe`fcee17ef : 00000000`0149de68 00000000`0149dea0 00000000`0149de58 00000000`00010003 : lsasrv!WLsaInitContext+0x34f
00000000`0149dd30 000007fe`fcef0496 : 00000000`00000000 00000000`0149e3f0 00000000`0032f700 00000000`01bba820 : lsasrv!NegBuildRequestToken+0x929
00000000`0149e130 000007fe`fcef0422 : 00000000`0032f700 00000000`00000000 00000000`01bba820 00000000`00000000 : lsasrv!NegGenerateInitialToken+0x56
00000000`0149e190 000007fe`fced34df : 00000000`0032f700 00000000`00000000 00000000`0149e800 00000000`01c17090 : lsasrv!NegInitLsaModeContext+0x32f
00000000`0149e270 000007fe`fced2c66 : 00000000`0149e800 00000000`0149e7f0 00000000`01bba820 00000000`00000003 : lsasrv!WLsaInitContext+0x34f
00000000`0149e350 000007fe`fd04133f : 00000000`00000000 00000001`00000000 00000000`00000000 00000000`002c75ac : lsasrv!SspiExProcessSecurityContext+0x616
00000000`0149e750 000007fe`ff38c7f5 : 00000000`00000012 00000000`0149e8d0 00000000`0149ed70 00000000`0149e8d0 : sspisrv!SspirProcessSecurityContext+0x1df
00000000`0149e840 000007fe`ff38b0b2 : 00000000`0149ece0 000007fe`fd043402 00000000`000000a0 000007fe`fd0441dc : rpcrt4!Invoke+0x65
SYMBOL_NAME: kerberos!KerbLocateTicketCacheEntryEx+62
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: kerberos
IMAGE_NAME: kerberos.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bdfde
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_kerberos.dll!KerbLocateTicketCacheEntryEx
BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_kerberos!KerbLocateTicketCacheEntryEx+62
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/lsass_exe/6_1_7600_16385/4a5bc155/ntdll_dll/6_1_7600_16385/4a5be02b/c0000005/0004d256.htm?Retriage=1
May 14th, 2010 8:11pm

That's probably some form of memory corruption. Check the third party modules as indicated by the dump (generally, the first suspects).
May 14th, 2010 8:23pm

There are no third party modules, only Microsoft modules. I tried posting the output from "lm v" showing only Microsoft modules, but the output is too big to post.
May 15th, 2010 7:01am

You have all of the latest updates installed? Can you try restoring the system (system restore) to a point in time prior to when the problem started? Other suggestions would include using application verifier to try to get more details about the problem, or debugging lsass.exe (requires a kernel debugger, though, it seems). These can be quite involved and you wouldn't want to attempt them without a good backup of the system.
May 15th, 2010 4:27pm

Hi, I'm experiencing the problem described by Rads21 for years, actually since I installed the SP2 of WIN2k3. The two involved modules are lsass.exe and ntdll.dll. The crash, sorry, reboot, occurs every time a user changes his password. I use to send the problem reports to Microsoft, but so far, no solution has been offered to fix this very annoying situation... Furthermore, it seems that this problem occurs only when passwords are changed from the user's PC, not when they are changed from the server itself (but this is just a feeling)...
July 30th, 2010 11:35am

What happens if you update your service pack to SP3? nass -- http://www.nasstec.co.uk
July 31st, 2010 12:38am

Thank you for answering. As far as I know, there's no SP3 for Windows 2k3. Besides, this is a server in action and I cannot test options on it... So I would really prefer a safe solution since damaging this server is not an option... Anyhow, thank you for your help.
August 2nd, 2010 3:47pm

I am seeing the exact same scenario as ptrsmntc. This has started recently (within the last two weeks). Occasionally, I can start the VPN and launch Outlook successfully. But 80% of the time lsass crashes and forces a reboot.
December 20th, 2010 1:30pm

This topic is archived. No further replies will be accepted.
