Lsass.exe error causing machines to restart - EventID 1015

Question

Lsass.exe error causing machines to restart - EventID 1015

Vantilburg, Jarryn 0

Hello! My organisation has recently encountered an issue in Windows 10 with lsass.exe failing and causing machines to restart, seemingly at random. We first discovered it from our MDR flagging it as a Werfault.exe exploit, so naturally thought they were blocking the process from running properly which was causing the crashing. We told our MDR team who confirmed it as a false positive. We then tried to disable that particular threat detection to confirm the root cause yet still noticed system crashing due to lsass.exe failing. In event viewer this is what we receive: Another speculation we had was a possible issue with the 2024-02 Cumulative Windows updates, however we saw conflicting evidence where some machines had crashed before installing this. We have multiple Windows 11 machines too but this is only affecting Windows 10 at the moment. The only answers we've find online have been related to old Windows servers like this: https://support.microsoft.com/en-au/topic/lsass-exe-crashes-and-system-shuts-down-automatically-on-a-windows-server-2012-r2-based-server-5abde4d6-917e-7825-867e-4c9f4ff616b9 Has anyone else experienced this issue? We can't seem to find the root cause.

1 answer

Your answer

Answer 1

Wesley Li 11,260

Hello Have we got any bugcheck code when the machine restart or is there any dump file created in C:\Windows\memory.dmp or C:\Windows\minidump folder? If there is any dump file created, we could try to check the dump with Windbg tool. Install WinDbg - Windows drivers | Microsoft Learn If there is no dump created, we could try to enable WER to create a user mode dump automatically. Open administrator command line then run the follwing command. Reboot the machine. Reg Add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /f Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /V DumpFolder /t REG_SZ /D "C:\CrashDumps" /f MD C:\CrashDumps Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /V DumpType /t REG_DWORD /D 2 /f Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /V DumpCount /t REG_DWORD /D 10 /f Next time the service crash again, there should be dump file created in C:\crashdumps. The key to analyze this issue is to get a dump file for the crash service. Analyzing the dump could be complex, it is recommended to open a Microsoft Profession ticket for more resources (Lsass service is covered by our AD team). Microsoft Professional Support (pay-per-incident): FAQ - Microsoft Support For general troubleshooting, please take the following steps:

If there is any third party antivirus software installed, please uninstall it temporarily then reboot to check.
Check the issue in clean boot environment to verify third party service conflict issue. How to perform a clean boot in Windows - Microsoft Support
Open adinistrator command line and run "dism /online /cleanup-image /restorehealth" to check the health of system files.

Vantilburg, Jarryn 0

Hi Wesley,

Thanks for sending through the info, I went ahead and created a dump file path and was able to capture an lsass.exe dump file. This is what the output looks like:

0:009> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Check Image - Checksum mismatch - Dump: 0x1628a8, File: 0x15fe25 - C:\ProgramData\Dbg\sym\crypt32.dll\CED46F5915d000\crypt32.dll

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullClassPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 1109

    Key  : Analysis.Elapsed.mSec
    Value: 1204

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 234

    Key  : Analysis.Init.Elapsed.mSec
    Value: 5427

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 121

    Key  : Failure.Bucket
    Value: NULL_CLASS_PTR_READ_c0000005_crypt32.dll!GetProperty

    Key  : Failure.Hash
    Value: {95b35e85-d639-9ed8-c529-11fbbf5607c0}

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 23423

    Key  : Timeline.Process.Start.DeltaSec
    Value: 23411

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 10.0.19041.3636


FILE_IN_CAB:  lsass.exe.856.dmp

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=000001ef3f00e770 rbx=000000d42987db70 rcx=0000000000000001
rdx=0000000000000059 rsi=0000000000000000 rdi=000000d42987d680
rip=00007ffaf5dd0130 rsp=000000d42987de10 rbp=000000d42987df10
 r8=000000d42987e100  r9=000000d42987e080 r10=0000000000001550
r11=000000d42987e058 r12=000000d42987e080 r13=000000d42987e100
r14=0000000000000000 r15=0000000000000080
iopl=0         nv up ei ng nz ac pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010291
crypt32!GetProperty+0x210:
00007ffa`f5dd0130 483b7f10        cmp     rdi,qword ptr [rdi+10h] ds:000000d4`2987d690=0000000000000059
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffaf5dd0130 (crypt32!GetProperty+0x0000000000000210)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000001
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000010
Attempt to read from address 0000000000000010

PROCESS_NAME:  lsass.exe

READ_ADDRESS:  0000000000000010 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000010

STACK_TEXT:  
000000d4`2987de10 00007ffa`f5dcff0b     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : crypt32!GetProperty+0x210
000000d4`2987dff0 00007ffa`f43c3c33     : 000001ef`3f1e4550 00000000`00000000 00000000`00000000 000001ef`3f00e7b0 : crypt32!CertGetCRLContextProperty+0x1b
000000d4`2987e030 00007ffa`f43cc4e1     : 00000000`00000000 000000d4`2987e160 000001ef`3f00e7b0 00000000`0000a400 : schannel!GetCngHashAndSignatureString+0x73
000000d4`2987e060 00007ffa`f43d61c8     : 000001ef`3e0e4e80 00000000`00000004 00000000`00000e6b 000001ef`3e6800e7 : schannel!IsRemoteCertificateBlacklisted+0x229
000000d4`2987e460 00007ffa`f43da8f5     : 000001ef`3ee756c0 00007ffa`f4382f85 000001ef`3ee756c0 000001ef`3e68108b : schannel!CTls13Handshake<CTls13ClientContext,CTls13ExtClient>::ParseCertificateMsg+0x13c
000000d4`2987e530 00007ffa`f4383f78     : 000001ef`3ee756c0 006f0073`00000fc2 000000d4`00000e6b 000000d4`2987e600 : schannel!CTls13ClientContext::ProcessHandshake+0xe5
000000d4`2987e5c0 00007ffa`f4383edb     : 00530074`00000000 00000000`00000000 00000000`00000fa7 000001ef`3e6800e3 : schannel!CSsl3TlsContext::ProcessHandshakeCommon+0x5c
000000d4`2987e600 00007ffa`f4383e06     : 000001ef`3e6800d9 000001ef`3ee756c0 00000000`00000016 00000000`00000000 : schannel!CSsl3TlsContext::ProcessRecord+0xab
000000d4`2987e670 00007ffa`f43815ed     : 000001ef`3ee756c0 00000000`00000000 00000000`00000fc7 000001ef`3ee756c0 : schannel!CSsl3TlsClientContext::ProcessRecord+0x256
000000d4`2987e6c0 00007ffa`f4380b03     : 000001ef`3ee75c00 000000d4`2987e908 000000d4`2987e868 00000000`00000fc2 : schannel!CSsl3TlsContext::TlsProtocolHandlerWorker+0xa6d
000000d4`2987e7b0 00007ffa`f437bd25     : 00000000`00000000 000000d4`2987e8f0 000001ef`3ee756c0 00000000`00000000 : schannel!CSsl3TlsContext::SslProtocolHandler+0x1c3
000000d4`2987e7f0 00007ffa`f50711e7     : 000001ef`3eceb940 000001ef`3e05cb78 000001ef`3efc77c0 00000000`00000001 : schannel!SpInitLsaModeContext+0x3b5
000000d4`2987e960 00007ffa`f5073264     : 00000000`00000000 000000d4`2987f0c0 000000d4`2987f0a0 00000000`00000000 : lsasrv!WLsaInitContext+0x897
000000d4`2987eb40 00007ffa`f42f1283     : 000001ef`3ec0a780 00000000`00000000 00000000`00000001 000001ef`3eeea3e8 : lsasrv!SspiExProcessSecurityContext+0x854
000000d4`2987efc0 00007ffa`f6c5b583     : 000001ef`3ed5eeb0 000001ef`3e680018 000001ef`3e680028 000001ef`3efc77c0 : sspisrv!SspirProcessSecurityContext+0x273
000000d4`2987f140 00007ffa`f6c5a356     : 00007ffa`f42f61e2 000001ef`3efb49a0 00000000`00000000 00007ffa`f42f5e4e : rpcrt4!Invoke+0x73
000000d4`2987f230 00007ffa`f6bfe1ca     : 00000000`00000000 00000000`00000000 000001ef`3eebba20 000000d4`2987f528 : rpcrt4!NdrStubCall2Heap+0x342
000000d4`2987f4c0 00007ffa`f6c3e00a     : 00000000`00000000 000001ef`3ed749a0 000001ef`3eebba20 00007ffa`f7efcabb : rpcrt4!NdrStubCall2+0x3a
000000d4`2987f4f0 00007ffa`f6c391b8     : 000001ef`00000002 000001ef`00000001 000000d4`2987f598 00000000`00000001 : rpcrt4!NdrServerCall2+0x1a
000000d4`2987f520 00007ffa`f6c1a3d6     : 00000000`00000002 00000150`00000000 000000d4`2987f720 00000000`00000150 : rpcrt4!DispatchToStubInCNoAvrf+0x18
000000d4`2987f570 00007ffa`f6c19d28     : 000001ef`3e06c040 00000000`00000000 00000000`00000000 00000000`00000015 : rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x1a6
000000d4`2987f650 00007ffa`f6c274ef     : 00000000`00000000 000000d4`2987f7e8 000001ef`3eebb8d0 00007ffa`f7f2bc81 : rpcrt4!RPC_INTERFACE::DispatchToStub+0xf8
000000d4`2987f6c0 00007ffa`f6c268f8     : 00000000`000c5c75 00000000`00000001 00000000`00000000 000001ef`3eecbaa0 : rpcrt4!LRPC_SCALL::DispatchRequest+0x31f
000000d4`2987f790 00007ffa`f6c25ee1     : 00000000`00000000 000001ef`3eeb9260 00000000`00000000 000001ef`3e680000 : rpcrt4!LRPC_SCALL::HandleRequest+0x7f8
000000d4`2987f8a0 00007ffa`f6c2594e     : 00000000`00000000 00000000`00000000 00000000`00000001 000001ef`3e07f3a0 : rpcrt4!LRPC_ADDRESS::HandleRequest+0x341
000000d4`2987f940 00007ffa`f6c2a062     : 000001ef`3ed749a0 000001ef`3ed749a0 000001ef`3e07f4a8 000000d4`2987fd18 : rpcrt4!LRPC_ADDRESS::ProcessIO+0x89e
000000d4`2987fa80 00007ffa`f7ef0330     : 00000001`00000000 000000d4`2987fb28 000000d4`2987fd18 00000000`7ffe0386 : rpcrt4!LrpcIoComplete+0xc2
000000d4`2987fb20 00007ffa`f7f22f86     : 00000000`00000000 000001ef`3e002300 00000000`00000000 000001ef`3f19e590 : ntdll!TppAlpcpExecuteCallback+0x260
000000d4`2987fba0 00007ffa`f6f07344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x456
000000d4`2987fea0 00007ffa`f7f226b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000d4`2987fed0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


STACK_COMMAND:  ~9s; .ecxr ; kb

SYMBOL_NAME:  crypt32!GetProperty+210

MODULE_NAME: crypt32

IMAGE_NAME:  crypt32.dll

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_READ_c0000005_crypt32.dll!GetProperty

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  10.0.19041.3636

FAILURE_ID_HASH:  {95b35e85-d639-9ed8-c529-11fbbf5607c0}

Followup:     MachineOwner
---------

Gary Nebbett 6,216 Reputation points

2024-03-04T11:27:39.67+00:00

Hello Jarryn,

There is something very confusing in that debugger output:

CONTEXT: (.ecxr)

rax=000001ef3f00e770 rbx=000000d42987db70 rcx=0000000000000001 rdx=0000000000000059 rsi=0000000000000000 rdi=000000d42987d680 [...]

cmp rdi,qword ptr [rdi+10h] ds:000000d4`2987d690=0000000000000059

The "CONTEXT" record captured at the moment of the exception indicates that the address referenced in the faulting instruction was 0xd42987d690, which points to valid memory (the quadword value at that address is 0x59).

The "EXCEPTION" record shows the referenced address as 0x10, which would be the case if the value of the rdi register was zero.

This contradiction means that the rest of what I write is built on "shaky ground". My initial thoughts are that there might be a weakness in the way crypt32 validates the plausibility of some external data (e.g. a CRL). What I would do is to use the Microsoft-Windows-CAPI2 ETW provider to capture and check the certificate and CRL that are being evaluated at the time of the crash.

Gary

Share via

Lsass.exe error causing machines to restart - EventID 1015

1 answer

Your answer