Re: LSA Shell failure




Are you getting any errors logged in the System or Application logs? I'm
searching Google and TechNet based on the info you've provided, and I'm not
coming up with anything that seems even remotely applicable. In fact,
pretty much nothing for LSA Shell that's not related to a virus or security
patch. If you had a source and event ID from the logs, searching
eventid.net would probably produce some results.

Is this happening when a user is logged in? If so, are there any common
actions or other circumstances when the error occurs?


"Michael J. Clarkson, Jr." <MichaelJClarksonJr@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:884EB6E1-3CE2-4F77-A6D5-25A1C2E6533B@xxxxxxxxxxxxxxxx
.mdmp files are what Microsoft uses to send error reports. When you click
send it sends a .txt file containing an XML parse of the error and an .mdmp
file in which a basic RAM dump of the crashed program is saved to disk. I am
a virus expert. This is definitely not a virus. It is also not a rootkit or
any other form of malware infection. I have scoured over that with fellow
malware experts. The question is, what other than malware can cause this
issue?

"Dave Nickason [SBS MVP]" wrote:

I googled lsass.exe.mdmp and every result refers to a virus. Not that I
think it would be common for a legitimate file to have two extensions
anyway, but I also searched my SBS without finding a file with that name.
MS has a phone number for free support for virus and security issues. I
recommend calling it despite the fact that virus scans don't appear to be
finding anything. It's 1-866-PCSAFETY.


"Michael J. Clarkson, Jr." <MichaelJClarksonJr@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:4E5EB69B-DC13-4AF3-ABED-DAA92B26F1EE@xxxxxxxxxxxxxxxx
The official text reads "The LSA Shell has encountered an error and needs to
close" in a standard "tell microsoft about this problem" box. This then
points you to two files (if you dig down to the technical details of the
error report)
C:\DOCUME~1\(User)\LOCALS~1\Temp\1\WER3.tmp.dir00\lsass.exe.mdmp
C:\DOCUME~1\(User)\LOCALS~1\Temp\1\WER3.tmp.dir00\appcompat.txt
These files contain either XML or binary dumps of nothing but control
characters.

"Dave Nickason [SBS MVP]" wrote:

Please post the exact text of any errors that are logged when this happens,
including the Source and Event IDs. As you've apparently seen, this
generally gets blamed on Sasser.

Meanwhile, please don't attempt to reinstall anything without having first
diagnosed the cause of your problem. If no one comes up with a solution
here, I'd recommend calling PSS rather than doing a reinstall - if nothing
else, if this is being caused by software you installed on the server,
you'll install it again and be right back in the same situation.


"Michael J. Clarkson, Jr."
<MichaelJClarksonJr@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:DE072CC9-368A-4C94-9284-7BA9D0F77393@xxxxxxxxxxxxxxxx
I am using Small Business Server 2003. It is fully service packed and
updated. At least two to three times a day I will get an error message that
LSA Shell had an issue, would you like to send to Microsoft, etc. Every few
days LSA Shell will quit unexpectedly and force a reboot after 40 seconds.

I have run F-Prot Enterprise, McAfee, Panda on-line scan, and stinger and I
can assure you the server is virus and malware free. I have further applied
the fix from KB-818080. I have all Microsoft service packs, updates, and
patches applied. Still receiving this error. The server just rebooted again
this morning. I am at a loss. How do I fix the LSA Shell short of wiping
the system and re-installing?







