@Brett
Thank you for your understanding and cooperation. Please understand that, due to security policy, we do not provide dump/log analysis. This can better protect your personal information.
As you said, Kerberos, RPC and lsasrv could be found. They represent the procedures that your account's verification procedure calls.
From the information you provided, I consider that you could uninstall the 7zp software to check if it works.
If the issue still persists, wait for Microsoft to do a deep analysis.
Thank you for your understanding and cooperation.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl
Server 2016, 2nd User Logon Forces Server Reboot, Currently happening to critical system server
This is a client environment. Contracted by time and materials, no management or day to day oversight.
This is on a Windows Server 2016, not a Windows 10 PC.
If a user has logged on to the console and an RDP session signs in second, a message appears on screen: "Your PC will automatically restart in one minute". It happens the other direction too: if RDP is logged in and a console connection is established, same message. The first login is allowed but the second one crashes the system. Event ID 1015 is produced:
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 3/24/2021 3:43:31 PM
Event ID: 1015
Description: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" /> <EventID Qualifiers="49152">1015</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2021-03-24T20:43:31.810658800Z" /> <EventRecordID>28367126</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>[REMOVED FOR OBVIOUS REASONS]</Computer> <Security /> </System>
<EventData> <Data>C:\Windows\system32\lsass.exe</Data> <Data>c0000005</Data> </EventData>
</Event>
I have scoured the task scheduler, I have run every scan known to man, the server is fully up to date, I have deleted the contents of the software distribution folder, I have restarted in safe mode and run scans. I cannot find anything anywhere regarding this issue. Why would a 2nd logon force a server reboot, or how do I at least stop lsass.exe from crashing my server every time while I try to figure out remediation?
4 answers
-
Carl Fan 6,836 Reputation points
2021-03-26T10:02:09.45+00:00 -
Brett 1 Reputation point
2021-03-25T17:32:43.583+00:00 @Carl Fan
I have completed the above, and I have also opened a case with Microsoft; however, I do not want to sit on my hands and wait. I won't pretend to understand anything about the output that I was able to get by sending the dump file through WinDbg, but I do recognize Kerberos, RPC and lsasrv references in the meat here. Any additional guidance is appreciated.
Loading Dump File [lsass.exe.736.dmp]
User Mini Dump File with Full Memory: Only application data is available
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 14393 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
10.0.14393.4283 (rs1_release.210303-1802)
Machine Name:
Debug session time: Thu Mar 25 11:27:19.000 2021 (UTC - 5:00)
System Uptime: 0 days 0:17:45.250
Process Uptime: 0 days 0:16:24.000
................................................................
........................
Loading unloaded module list
.........
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(2e0.308): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
ntdll!NtWaitForMultipleObjects+0x14:
00007ffd`0f196714 c3 ret
0:003> !analyze -v
Exception Analysis
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffd0a901088 (7zp+0x0000000000001088)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
PROCESS_NAME: lsass.exe
READ_ADDRESS: 0000000000000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000000
SYMBOL_NAME: 7zp+1088
MODULE_NAME: 7zp
IMAGE_NAME: 7zp.dll
STACK_COMMAND: ~3s ; .ecxr ; kb
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_7zp.dll!Unknown
OS_VERSION: 10.0.14393.4283
BUILDLAB_STR: rs1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {246499da-450d-519c-2828-615b768c8e9a}
Followup: MachineOwner
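The `!analyze -v` output above attributes the null-pointer read to `7zp.dll` running inside `lsass.exe`. As an added example (not part of the original posts), the PowerShell below lists modules in the live LSASS process that are not validly signed by Microsoft, shows where the faulting DLL is loaded from, and checks the standard LSA package registry values for it. That the DLL is loaded at the time of the check, or registered under any of these values, is an assumption to verify.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
# If LSA protection (RunAsPPL) is enabled, reading the module list may be denied.
$faulting = '7zp.dll'   # IMAGE_NAME reported by !analyze -v

$report = foreach ($m in (Get-Process -Name lsass -ErrorAction Stop).Modules) {
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    [pscustomobject]@{
        Module  = $m.ModuleName
        Path    = $m.FileName
        Company = $m.FileVersionInfo.CompanyName
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
    }
}

# Anything not validly signed by Microsoft is a third-party (or altered) module inside LSASS.
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object Module |
    Format-Table -AutoSize -Wrap

# Where the faulting DLL was loaded from, if it is loaded right now.
$report | Where-Object Module -eq $faulting | Format-List

# LSA extension points that cause a DLL to be loaded into lsass.exe.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wanted = $faulting -replace '\.dll$', ''
foreach ($value in 'Security Packages', 'Authentication Packages', 'Notification Packages') {
    foreach ($pkg in @($lsa.$value)) {
        if (-not $pkg -or $pkg -eq '""') { continue }   # skip empty placeholders
        [pscustomobject]@{
            RegistryValue         = $value
            Package               = $pkg
            MatchesFaultingModule = (($pkg -replace '\.dll$', '') -eq $wanted)
        }
    }
}
```

The path and signer of the module identify which installed product owns it, which is the software to remove or update when testing whether the crash stops.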
-
Carl Fan 6,836 Reputation points
2021-03-25T03:22:21.07+00:00 Hi,
For an application crash issue, you need to create a dump file and then analyze it.
Steps for creating dump logs:
- Run regedit.exe and create the LocalDumps key if it does not exist under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
- Please create a new key for the affected process lsass.exe (which will crash) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps
For example: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe
- Add the dump settings under the lsass.exe key. If the process crashes, WER will first read the global settings, and then will override any of the settings with the application-specific settings. To do this, please create the following values:
a. Value name: DumpFolder
Type: REG_EXPAND_SZ
Value: Provide the path to where you would like the dumps files to reside. Default location is: %LOCALAPPDATA%\CrashDumps (C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps)
b. Value name: DumpCount
Type: REG_DWORD
Value: 10
Note: Specifies the max number of dump files to keep in the folder at one time. Default is 10.
c. Value name: DumpType
Type: REG_DWORD
Value: 2
Note: 0 = custom, 1 = mini dump (default), 2 = full dump
In addition, if this problem is more urgent for you, I still recommend that you open a case with Microsoft for further professional help.
https://support.microsoft.com/en-us/help/4341255/support-for-busines
Best Regards,
Carl -
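The registry steps in the answer above, scripted as an added example (not part of the original answer). The dump folder `D:\CrashDumps` is a placeholder assumption; the value names, types and data are the ones listed in the steps. Because a full dump of `lsass.exe` contains credential material, the script also restricts the folder to Administrators and SYSTEM.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$key  = Join-Path $base 'lsass.exe'

# Assumption: placeholder path; pick a local volume with room for full-memory dumps.
$dumpFolder = 'D:\CrashDumps'

# Create LocalDumps\lsass.exe only if missing, so existing settings are not overwritten.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
if (-not (Test-Path -Path $dumpFolder)) {
    New-Item -Path $dumpFolder -ItemType Directory | Out-Null
}

# a. DumpFolder (REG_EXPAND_SZ), b. DumpCount (REG_DWORD), c. DumpType (REG_DWORD, 2 = full dump)
New-ItemProperty -Path $key -Name 'DumpFolder' -PropertyType ExpandString -Value $dumpFolder -Force | Out-Null
New-ItemProperty -Path $key -Name 'DumpCount'  -PropertyType DWord -Value 10 -Force | Out-Null
New-ItemProperty -Path $key -Name 'DumpType'   -PropertyType DWord -Value 2  -Force | Out-Null

# LSASS dumps hold secrets: drop inherited ACEs, allow only Administrators and SYSTEM.
icacls $dumpFolder /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# Read the settings back to confirm what WER will use for lsass.exe.
Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpCount, DumpType

# After the dump has been collected, remove the per-process key again:
# Remove-Item -Path $key -Recurse
```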
Dave Patrick 426.1K Reputation points MVP
2021-03-24T21:52:54.943+00:00 I don't think it is directly the second user; it is directly that lsass.exe failed with status code c0000005. I'd check that it is patched fully and lastly start a case here with product support.
https://support.serviceshub.microsoft.com/supportforbusiness
--please don't forget to Accept as answer if the reply is helpful--