Re: csrss.exe unable to locate DLL - Can't connect with Terminal Services
- From: "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 14 Mar 2006 13:53:33 -0800
No Mike, you're *not* alone :-)
I just found some identical problems, unfortunately without a
solution:
http://www.pcreview.co.uk/forums/thread-1613175.php
http://forums.techarena.in/printthread.php?t=15293
Then I did a search for "csrss.exe unable to locate dll" on Google,
and it returns a number of reports on viruses and spyware, like:
http://securityresponse.symantec.com/avcenter/venc/data/w32.kalel.a
@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.bey
ondkeylog.html
You wrote that you ran the MS malicious software removal tool, but
that is *not* a substitute for running anti-virus software.
I would perform a full system scan with several different anti-
virus software (you can run a couple of them online).
A virus would explain most of your symptoms, including the
spreading throughout the domain.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
SQL troubleshooting: http://sql.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"Mike Bayly" <mbayly@xxxxxxxxxxxxxxxxxxxxx> wrote on 14 mar 2006
in microsoft.public.windows.terminal_services:
An update on this issue. Not sure why since I'm apparently the.
only one in the world having it. :)
Microsoft recommended SP4 and the Update Rollup 1 for SP4 be
installed which I have done, but the problem has now recurred.on
2 servers. A reboot seems to have supressed the problem for now
(like it did last time) but it's back to the drawing board for a
solution.
If anyone else has any ideas, I'm all ears!
Mike
"Mike Bayly" <mbayly@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OybBUyTJGHA.1388@xxxxxxxxxxxxxxxxxxxxxxx
Hi Vera
Thanks for the reply. I spent a few hours on the phone to
Microsoft Support and based on the fact that 4 servers suffered
the exact same issue in the space of 48 hours, they suspected a
trojan or malware. I ran the MS malicious software removal tool
which found nothing though so the cause is still unclear. In
the end, I rebooted all servers which then began to function
normally, applied SP4 to the SP3 machines, and then installed
the Update Rollup 1 for Windows 2000 SP4 patch on the advice
from MS. They seemed to think that the Event Log errors were
the result of some kind of registry corruption, which also
meant that (using regedt32 to check) the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion
couldn't be read properly and hence why the patches thought it
was a checked version of the OS.
So, I still don't really know the cause of the problem, and in
particular how it was replicated across the domain, but at
least the magical reboot seems to have fixed it for now.
Mike
"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns9757EEB9510D0veranoesthemutforsse@xxxxxxxxxxxxxxxx
Mmm, I've heard that before, about servers having an incorrect
or incomplete pre-installed OS.
I always wipe them clean and install from scratch for that
reason.
Actually, your original error message also points in that
direction, the "The dynamic link library could not be found"
error message reminds of the error message that you get when
you have a version mismatch in a dll.
I'm not really sure what to advice. Personally, if I had a
server with so many issues and errors, I would reinstall it
from scratch immediately.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
SQL troubleshooting: http://sql.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"Mike Bayly" <mbayly@xxxxxxxxxxxxxxxxxxxxx> wrote on 26 jan
2006 in microsoft.public.windows.terminal_services:
I'm getting all kinds of event log errors and warnings (see
end of message). A third server (THLADL2) has started this
behaviour - this server already has SP4 installed so
Microsoft Support suggested I install Security Rollup 1 for
SP4 and some hotfixes, but when I attempt this, the server
complains that "Setup cannot update a checked (debug) system
with a free (retail) version of KB837585". This led the
support guy to conclude that the wrong OS has been installed
on this server - It's a Dell Poweredge 2550 with Server 2000
SP1 OEM from Dell. This happens on the one SP3 server I can
access via VNC as well, which is a Dell Poweredge as well
with Server 2000 OEM from Dell.
Checking last night's backup (Veritas Backup Exec) I see
these errors for THLADL2 with is an additional concern:
Unable to attach to C:.
Unable to attach to C:.
Unable to attach to D:.
Unable to attach to D:.
Unable to attach to \\THLADL2\System?State.
Unable to attach to \\THLADL2\System?State.
On checking another remote domain controller (same setup,
Server 2000 SP4, DC) I notice that there are the same Event
Log messages: "The dynamic link library winsrv could not be
found in the specified path Default Load Path". and
"csrss.exe - Unable to Locate DLL" in 18th Jan. One of the
other guys here had attempted to connect to that server and
couldn't, so got a local user to perform a hard reboot on it.
After that, the Application and System logs appear to have no
reoccurences of these error messages.
Another weird thing is that if I try to log in on the console
with the administrator account, the box where you enter
username, password and domain vanished for a split second,
and then then "hit ctril alt delete" screen appears. I have
to log in with a different account that has administrator
rights which gives a "Path too long" error in a popup box.
Also, if I check the Performance tab in Task Manager", the
CPU activity is hovering around 50%, but on the Processes
tab, all of the running processes show 0% CPU.
I'm tempted to try and reboot one of the other servers to see
if the problem just "goes away" given that I don't seem to be
getting far with Microsoft Support, but because so far the
users haven't really been impacted, I'd hate to reboot and
have a server that wont boot back up. I'll see what MS have
to say today (public holiday so might be lucky) and will
check here for any further help here.
Thanks
Mike
Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 25/01/2006
Time: 7:51:52 PM
User: N/A
Computer: THLADL2
Description:
Security policies were propagated with warning. 0x4b8 : An
extended error has occurred.
For best results in resolving this event, log on with a
non-administrative account and search
http://support.microsoft.com for "Troubleshooting Event
1202s".
-----
Event Type: Warning
Event Source: SpntLog
Event Category: (4)
Event ID: 222
Date: 25/01/2006
Time: 7:42:21 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
The description for Event ID ( 222 ) in Source ( SpntLog )
cannot be found. The local computer may not have the
necessary registry information or message DLL files to
display messages from a remote computer. You may be able to
use the /AUXSOURCE= flag to retrieve this description; see
Help and Support for details. The following information is
part of the event: D:\Program
Files\BackupExec\NT\ECM\bumodule.jar, 100.
-----
Event Type: Error
Event Source: EventSystem
Event Category: (3)
Event ID: 4097
Date: 25/01/2006
Time: 7:36:33 PM
User: N/A
Computer: THLADL2
Description:
The description for Event ID ( 4097 ) in Source ( EventSystem
) cannot be found. The local computer may not have the
necessary registry information or message DLL files to
display messages from a remote computer. You may be able to
use the /AUXSOURCE= flag to retrieve this description; see
Help and Support for details. The following information is
part of the event: .\eventsystem2.cpp, 329, 800705AA.
-----
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 25/01/2006
Time: 7:36:32 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
Windows cannot create a temporary profile directory. Contact
your network administrator.
DETAIL - Insufficient system resources exist to complete the
requested service.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Warning
Event Source: SpntLog
Event Category: (4)
Event ID: 211
Date: 25/01/2006
Time: 7:26:07 PM
User: NT AUTHORITY\SYSTEM
Computer: THLADL2
Description:
The description for Event ID ( 211 ) in Source ( SpntLog )
cannot be found. The local computer may not have the
necessary registry information or message DLL files to
display messages from a remote computer. You may be able to
use the /AUXSOURCE= flag to retrieve this description; see
Help and Support for details. The following information is
part of the event:
F:\software\Symantec.Norton.Ghost.v9.0.Incl.Keygen-SSG.zip,
nortonghost90p4.rar, 2.
-----
Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3019
Date: 25/01/2006
Time: 7:19:51 PM
User: N/A
Computer: THLADL2
Description:
The redirector failed to determine the connection type.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 7:13:40 PM
User: N/A
Computer: THLADL2
Description:
Application popup: Explorer.EXE - Application Error : The
instruction at "0x7831886a" referenced memory at
"0x00000000". The memory could not be "read".
Click on OK to terminate the program
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 7:13:03 PM
User: N/A
Computer: THLADL2
Description:
Application popup: File Error : Cannot find NETWORK.DRV
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Warning
Event Source: Srv
Event Category: None
Event ID: 2022
Date: 25/01/2006
Time: 7:03:18 PM
User: N/A
Computer: THLADL2
Description:
The server was unable to find a free connection 9 times in
the last 60 seconds. This indicates a spike in network
traffic. If this is happening frequently, you should consider
increasing the minimum number of free connections to add
headroom. To do that, modify the MinFreeConnections and
MaxFreeConnections for the LanmanServer in the registry.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 25/01/2006
Time: 6:57:34 PM
User: N/A
Computer: THLADL2
Description:
Application popup: csrss.exe - Unable To Locate DLL : The
dynamic link library winsrv could not be found in the
specified path Default Load Path.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:Xns975697D944FA9veranoesthemutforsse@xxxxxxxxxxxxxxxx
Is there anything in the EventLog on these servers?
Have you considered applying SP4 to all DCs?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
SQL troubleshooting: http://sql.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"Mike Bayly" <mbayly@xxxxxxxxxxxxxxxxxxxxx> wrote on 24 jan
2006 in microsoft.public.windows.terminal_services:
Hi all
I have an interesting problem that occurred simultaneously
on two domain controllers within my domain that I remotely
manage with Terminal Services (admin mode). Both servers
run Windows Server 2000 SP3 and have been running fine up
until now. When attempting a remote desktop or terminal
services client connection to either of these machines, an
application popup appears on the server screen with title
"csrss.exe - Unable to Locate DLL" and with the popup box
showing "The dynamic link library winsrv could not be found
in the specified path Default Load Path".
I've checked the server environmant variables and "Path"
includes "C:\WINNT\System32" and have also verified that
C:\WINNT\System32\WINSRV.DLL exists.
The only significant event for the domain was that a new
Domain controller was installed 6 days ago - Windows Server
2000 SP4, with otherwise identical configuration to the
other servers. In all there are 5 domain controllers in the
domain, all separated by 16K CIR (128K access) frame relay
links. There have been no other issues with the new server
installed last week.
I've exhausted support.microsoft.com and really have no
idea what the problem could be, so any help or advice at
all would be greatly appreciated.
Thanks
Mike
- Follow-Ups:
- References:
- Prev by Date: Re: Unique MachineName in TS sessions
- Next by Date: Re: How to handle shared config infos?
- Previous by thread: Re: csrss.exe unable to locate DLL - Can't connect with Terminal Services
- Next by thread: Re: csrss.exe unable to locate DLL - Can't connect with Terminal Services
- Index(es):
Relevant Pages
|
Loading
