A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000409. The machine must now be restarted.

Question

Hi folks,

One of our production servers got crashed 5 times in 19 minutes, and all of the reboots are caused by crash in process lsass.

Below are relevant details from Event:

System Event Id 1074:

The process wininit.exe has initiated the restart of computer on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073740791.  The system will now shut down and restart.

Application Event Id 1015:

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000409.  The machine must now be restarted.

Application Event Id 1000:

Faulting application name: lsass.exe, version: 10.0.17763.5830, time stamp: 0xcda34c13 Faulting module name: msv1_0.DLL, version: 10.0.17763.5933, time stamp: 0x3330c776 Exception code: 0xc0000409 Fault offset: 0x0000000000040b80 Faulting process id: 0x52c Faulting application start time: 0x01dad0d336a4f737 Faulting application path: C:\Windows\system32\lsass.exe Faulting module path: C:\Windows\system32\msv1_0.DLL Report Id: 5b510143-4359-4b42-bf5c-37c692782018 Faulting package full name:  Faulting package-relative application ID

I tried running basis OS health checks (sfc/DISM/chkdsk) but all green. Could you please suggest what could have caused this issue and what are the possible root causes and the fixes of the same.

I have enabled Full Memory Dump on the server to get more logs for further investigation, but any help in this will be highly appreciated.

Thanks in advance!

Cheers!
Apurva

Answer 1

Hello

The error code c0000409 indicates a buffer overflow issue, which is a type of vulnerability that can be exploited by malicious software. The crash of the lsass.exe process with this error code suggests that there might be a security issue that needs to be addressed.

One possible cause for this issue could be related to the Kerberos authentication protocol, LSASS.EXE process loads its extension LSASRV.DLL, which attempts to load KERBEROS.DLL at boot time. If KERBEROS.DLL fails to load, it could cause the LSASS.EXE process to terminate unexpectedly.

Another potential cause could be related to a known bug with signature updates or application crashes.

To address this issue, you may consider the following steps:

1. Check for any security updates or patches that might be available for your system, especially those related to Kerberos or LSASS.EXE.
2. Review the system and application logs to identify any patterns or recurring issues that might indicate a specific cause.
3. Consider running a memory dump analysis to get more detailed information about the crash, which could help identify the root cause.

Answer 2

You're going to need to load the crash dump up in Windbg or equivalent and run an analyze to figure out what is really going on but a fail fast in lsass means something critical has failed. If this is a physical machine then my original thought would be bad memory or a bad sector on disk. Running a full memory test would help diagnose the memory and the chkdsk tool would handle the drive.

However it is also quite possible the file is corrupted. You said you ran the standard repair options like dism and sfc so I assume the file is not corrupted.

What changed on the machine after which you started seeing the crashes? If you recently applied an update or installed software then revert back. If you haven't done anything then it leans more towards a hardware failure.

Of course you cannot rule out malware potentially causing a problem but I assume the server is locked down and you have AV running so that seems unlikely.