RE: lsass.exe terminated - restart of computer
- From: oz.ozugurlu <ozozugurlu@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 7 Jul 2008 11:00:02 -0700
Every research I have done leading me the conclusion of some type of virus
infection forcing/LSAS to shutdown and resulting your DC to reboot. If none
if these remedies to current problem, I would get PS support on this
Did you install this hot-fix below?
http://support.microsoft.com/?id=818080
http://support.microsoft.com/?kbid=826955
Try this if you have not done it so -----W32.Blaster.Worm Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050315-1907-99
Good luck
--oz
--
Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
oz@xxxxxxxxxx
http://smtp25.blogspot.com (Blog)
"e1" wrote:
I've got several Server 2003 Std SP2 systems running AD that reboot.
arbitrarily maybe once or twice a week. It seems to be getting more frequent
now too. I get the same event IDs every single time in the System and
Application event logs. I've run virus scans, used MBSA, ran the Malicious
Software Removal Tool, and installed hotfix 927342. Yet, despite everything
I've tried, searched endlessly on google for a solution, I cannot seem to
figure this problem out.
Here's some other info about my environment:
* 8 total DCs
* 6 sites
* 3 GCs (all of the GCs are in the same site - central datacenter) - the
other 5 DCs are have Universal group membership cacheing enabled
* 2 Exchange Servers - backend cluster and frontend OWA
Here's the events I'm seeing and it seems to be related to a problem with
lsass.exe:
Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 7/7/2008
Time: 10:10:43 AM
User: N/A
Computer:
Description:
The security package Negotiate generated an exception. The exception
information is the data.
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 7/7/2008
Time: 10:11:31 AM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
The process winlogon.exe has initiated the restart of computer on behalf of
user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated
unexpectedly with status code -1073741819. The system will now shut down and
restart.
Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 7/7/2008
Time: 10:11:25 AM
User: N/A
Computer:
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status
code c0000005. The machine must now be restarted.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 7/7/2008
Time: 10:10:53 AM
User: N/A
Computer:
Description:
Faulting application lsass.exe, version 5.2.3790.0, faulting module
ntdll.dll, version 5.2.3790.3959, fault address 0x0001950e.
Has anyone else seen or experienced this problem? I'd appreciate your help.
- Follow-Ups:
- References:
- Prev by Date: Re: Authenticating Web user and domain User with ADAM
- Next by Date: Re: Server 2003 sp3 error - Domain controller cannot be found ?
- Previous by thread: lsass.exe terminated - restart of computer
- Next by thread: RE: lsass.exe terminated - restart of computer
- Index(es):
Relevant Pages
|
