Server 2016, 2nd User Logon Forces Server Reboot, Currently happening to critical system server

Brett
2021-03-24T21:31:57.14+00:00

This is a client environment. Contracted by time and materials, no management or day to day oversight.

This is on a Windows Server 2016 not Windows 10 PC

If a user has logged on to the console and an RDP session signs in second, a message appears on screen: "Your PC will automatically restart in one minute". It happens in the other direction too: if RDP is logged in and a console connection is established, the same message appears. The first login is allowed but the second one crashes the system. Event ID 1015 is produced:
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 3/24/2021 3:43:31 PM
Event ID: 1015
Description: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" /> <EventID Qualifiers="49152">1015</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2021-03-24T20:43:31.810658800Z" /> <EventRecordID>28367126</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>[REMOVED FOR OBVIOUS REASONS]</Computer> <Security /> </System>
<EventData> <Data>C:\Windows\system32\lsass.exe</Data> <Data>c0000005</Data> </EventData>
</Event>

I have scoured the task scheduler, I have run every scan known to man, the server is fully up to date, I have deleted the contents of the SoftwareDistribution folder, I have restarted in safe mode and run scans. I cannot find anything anywhere regarding this issue. Why would a second logon force a server reboot, or how do I at least stop lsass.exe from crashing my server every time while I try to figure out remediation?

Windows Server 2016

4 answers

  1. Dave Patrick (MVP)
    2021-03-24T21:52:54.943+00:00

    I don't think it is directly the second user; it is directly that lsass.exe failed with status code c0000005. I'd check that it is patched fully and, lastly, start a case here with product support.
    https://support.serviceshub.microsoft.com/supportforbusiness

    --please don't forget to Accept as answer if the reply is helpful--


  2. Carl Fan
    2021-03-25T03:22:21.07+00:00

    Hi,
    For an application crash issue, you need to create a dump file and then analyze it.
    Steps for creating dump logs:

    1. Run regedit.exe and create the LocalDumps key if it does not exist under:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting

    2. Please create a new key for the affected process lsass.exe (which will crash) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps

    For example: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe

    3. Add the dump settings under the lsass.exe key. If the process crashes, WER will first read the global settings, and then will override any of the settings with the application-specific settings. To do this, please create the following values:

    a. Value name: DumpFolder

    Type: REG_EXPAND_SZ

    Value: Provide the path to where you would like the dumps files to reside. Default location is: %LOCALAPPDATA%\CrashDumps (C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps)

    b. Value name: DumpCount

    Type: REG_DWORD

    Value: 10

    Note: Specifies the max number of dumps file to keep in the folder at one time. Default is 10.

    c. Value name: DumpType

    Type: REG_DWORD

    Value: 2

    Note: 0 = custom, 1= mini dump (default), 2 = full dump
    In addition, if this problem is more urgent for you, I still recommend that you open a case with Microsoft for further professional help.
    https://support.microsoft.com/en-us/help/4341255/support-for-busines
    Best Regards,
    Carl

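The three registry steps in the answer above, as one elevated PowerShell script. This is an added example, not code from the original thread; the dump folder path is an assumption. A full dump (DumpType 2) of lsass.exe contains credential material, so the script also strips inherited permissions from the dump folder and grants access only to SYSTEM and Administrators; delete the dumps once analysis is done and remove the lsass.exe subkey so WER stops writing them.

```powershell
# Added example: configure Windows Error Reporting LocalDumps for lsass.exe
# as described in the answer above. Run in an elevated PowerShell session.
# $dumpFolder is an assumed path, not taken from the original post.

$dumpFolder = 'C:\CrashDumps\lsass'
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$key  = Join-Path $base 'lsass.exe'

# Steps 1 and 2: create LocalDumps and the per-process subkey if missing.
foreach ($path in @($base, $key)) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
}

# Create the dump folder and restrict it to SYSTEM and Administrators,
# because a full lsass dump holds credential material.
New-Item -ItemType Directory -Path $dumpFolder -Force | Out-Null
$acl = Get-Acl -Path $dumpFolder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting parent ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dumpFolder -AclObject $acl

# Step 3: the per-process values. DumpType 2 = full dump, as the answer recommends.
New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $dumpFolder -Force | Out-Null
New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord -Value 10 -Force | Out-Null
New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord -Value 2  -Force | Out-Null

# Read back what WER will apply to lsass.exe.
Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpCount, DumpType

# Clean-up after analysis (run separately):
#   Remove-Item -Path $key -Recurse
#   Remove-Item -Path $dumpFolder -Recurse -Force
```

After the next crash the file lands in the dump folder as lsass.exe.<pid>.dmp; open it in WinDbg and run `!analyze -v` as the later reply in this thread does.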

  3. Brett
    2021-03-25T17:32:43.583+00:00

    @Carl Fan
    I have completed the above. I have also opened a case with Microsoft; however, I do not want to sit on my hands and wait. I won't pretend to understand anything about the output that I was able to get by sending the dump file through WinDbg, but I do recognize kerberos, rpc and lsasrv references in the meat here.

    Any additional guidance is appreciated.

    Loading Dump File [lsass.exe.736.dmp]
    User Mini Dump File with Full Memory: Only application data is available

    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Version 14393 MP (4 procs) Free x64
    Product: Server, suite: TerminalServer SingleUserTS
    10.0.14393.4283 (rs1_release.210303-1802)
    Machine Name:
    Debug session time: Thu Mar 25 11:27:19.000 2021 (UTC - 5:00)
    System Uptime: 0 days 0:17:45.250
    Process Uptime: 0 days 0:16:24.000
    ................................................................
    ........................
    Loading unloaded module list
    .........
    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (2e0.308): Access violation - code c0000005 (first/second chance not available)
    For analysis of this file, run !analyze -v
    ntdll!NtWaitForMultipleObjects+0x14:
    00007ffd`0f196714 c3 ret
    0:003> !analyze -v

    Exception Analysis

    NTGLOBALFLAG: 0

    APPLICATION_VERIFIER_FLAGS: 0

    EXCEPTION_RECORD: (.exr -1)
    ExceptionAddress: 00007ffd0a901088 (7zp+0x0000000000001088)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 0000000000000000
    Parameter[1]: 0000000000000000
    Attempt to read from address 0000000000000000

    PROCESS_NAME: lsass.exe

    READ_ADDRESS: 0000000000000000

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x

    EXCEPTION_CODE_STR: c0000005

    EXCEPTION_PARAMETER1: 0000000000000000

    EXCEPTION_PARAMETER2: 0000000000000000

    SYMBOL_NAME: 7zp+1088

    MODULE_NAME: 7zp

    IMAGE_NAME: 7zp.dll

    STACK_COMMAND: ~3s ; .ecxr ; kb

    FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_7zp.dll!Unknown

    OS_VERSION: 10.0.14393.4283

    BUILDLAB_STR: rs1_release

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    FAILURE_ID_HASH: {246499da-450d-519c-2828-615b768c8e9a}

    Followup: MachineOwner


  4. Carl Fan
    2021-03-26T10:02:09.45+00:00

    @Brett
    Thank you for your understanding and cooperation. Please understand that, due to security policy, we do not provide dump/log analysis. This better protects your personal information.
    As you said, kerberos, rpc and lsasrv could be found. They represent the procedures that your account's verification procedure calls.
    From the information you provided, I consider that you could uninstall the 7zp software to check if it works.
    If the issue still persists, wait for Microsoft's deep analysis.
    Thank you for your understanding and cooperation.
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

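The `!analyze -v` output in Brett's reply names 7zp.dll as the faulting module inside lsass.exe, and the reply above suggests uninstalling it. Before doing so, a practitioner would want to know where that DLL lives, whether it is signed, and how it came to be loaded into lsass at all. This added example (not code from the thread) reports those facts and changes nothing. It assumes an elevated session; the thread does not say how 7zp.dll was registered, so the script simply lists the standard LSA package values that load DLLs into lsass at startup. Note that if LSA protection (RunAsPPL) is enabled, the module list of lsass cannot be read from user mode and the first two sections will fail.

```powershell
# Added example: locate the module named in the WinDbg dump and the LSA
# registration points through which a DLL is loaded into lsass.exe.
# Not part of the original thread; run elevated. Read-only.

$moduleName = '7zp.dll'   # MODULE_NAME / IMAGE_NAME from the dump in the thread

$lsass = Get-Process -Name lsass

# 1. Is the module loaded in lsass.exe right now, and from which path?
$loaded = $lsass.Modules | Where-Object { $_.ModuleName -ieq $moduleName }
if ($loaded) {
    foreach ($m in $loaded) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            Module    = $m.ModuleName
            Path      = $m.FileName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
} else {
    "$moduleName is not loaded in lsass.exe (PID $($lsass.Id)) at the moment."
}

# 2. Every module in lsass that is unsigned or not signed by Microsoft.
$lsass.Modules |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Module = $_.ModuleName
            Path   = $_.FileName
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table -AutoSize

# 3. LSA values that name packages loaded into lsass at start, plus the
#    LSA protection setting that would block unsigned ones.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey
$osCfg  = Get-ItemProperty -Path (Join-Path $lsaKey 'OSConfig') -ErrorAction SilentlyContinue
[pscustomobject]@{
    'Authentication Packages'    = ($lsa.'Authentication Packages' -join ', ')
    'Notification Packages'      = ($lsa.'Notification Packages'   -join ', ')
    'Security Packages'          = ($lsa.'Security Packages'       -join ', ')
    'OSConfig Security Packages' = ($osCfg.'Security Packages'     -join ', ')
    'RunAsPPL (LSA protection)'  = $lsa.RunAsPPL
} | Format-List

# 4. Any copies of the module on the system drive, for the uninstall step.
Get-ChildItem -Path "$env:SystemDrive\" -Filter $moduleName -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

If the DLL shows up in one of the LSA package values, removing the package's installer is the clean fix; editing those values by hand leaves a broken lsass if another package still depends on the entry.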