0 Votes
Brett-0417 asked Brett-0417 edited

Server 2016, 2nd User Logon Forces Server Reboot, Currently happening to critical system server

This is a client environment. Contracted by time and materials, no management or day to day oversight.

This is on a Windows Server 2016 not Windows 10 PC

If a user has logged on to the console and an RDP session signs in second, a message appears on screen: "Your PC will automatically restart in one minute". It happens in the other direction too: if RDP is logged in and a console connection is established, the same message appears. The first login is allowed but the second one crashes the system. Event ID 1015 is produced:
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 3/24/2021 3:43:31 PM
Event ID: 1015
Description: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" /> <EventID Qualifiers="49152">1015</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2021-03-24T20:43:31.810658800Z" /> <EventRecordID>28367126</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>[REMOVED FOR OBVIOUS REASONS]</Computer> <Security /> </System>
<EventData> <Data>C:\Windows\system32\lsass.exe</Data> <Data>c0000005</Data> </EventData>
</Event>

I have scoured the task scheduler, I have run every scan known to man, the server is fully up to date, I have deleted the contents of the SoftwareDistribution folder, I have restarted in safe mode and run scans. I cannot find anything anywhere regarding this issue. Why would a 2nd logon force a server reboot, or how do I at least stop lsass.exe from crashing my server every time while I try to figure out remediation?

windows-server-2016
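The question ties each reboot to a second interactive logon. As an added example (not part of the original post), the script below confirms that pattern from the logs instead of by reproducing the crash: it pulls each Wininit event 1015 from the Application log, reads the failed process path and status code from its EventData (the record above carries C:\Windows\system32\lsass.exe and c0000005), and lists the successful interactive logons (Security event 4624, logon type 2 = console, 10 = RDP) in the minutes before it. The look-back window and the event cap are assumed tuning parameters, not values from the thread. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the thread): correlate Wininit 1015 crashes with the
# console/RDP logons that preceded them.
# $LookBackSeconds and $MaxCrashes are assumed knobs, not values from the thread.
param(
    [int]$LookBackSeconds = 120,
    [int]$MaxCrashes = 20
)

# Wininit 1015: "A critical system process ... failed with status code ..."
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 1015
} -MaxEvents $MaxCrashes -ErrorAction Stop

foreach ($crash in $crashes) {
    # EventData for 1015 is two unnamed <Data> elements: process path, NTSTATUS.
    $data    = @(([xml]$crash.ToXml()).Event.EventData.Data)
    $process = $data[0]
    $status  = $data[1]
    $from    = $crash.TimeCreated.AddSeconds(-$LookBackSeconds)

    Write-Host ("`n[{0}] {1} failed with status {2}" -f $crash.TimeCreated, $process, $status)

    # Security 4624 = successful logon. LogonType 2 is console, 10 is RDP
    # (RemoteInteractive); other types (service, network, batch) are skipped.
    $logons = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $from
        EndTime   = $crash.TimeCreated
    } -ErrorAction SilentlyContinue |
        Where-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            ($d | Where-Object Name -eq 'LogonType').'#text' -in '2', '10'
        }

    foreach ($l in $logons) {
        $d    = ([xml]$l.ToXml()).Event.EventData.Data
        $user = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        $type = ($d | Where-Object Name -eq 'LogonType').'#text'
        $kind = if ($type -eq '10') { 'RDP' } else { 'console' }
        Write-Host ("    {0}  {1,-7} logon by {2}" -f $l.TimeCreated, $kind, $user)
    }
    if (-not $logons) { Write-Host '    no interactive logon in the look-back window' }
}
```

If every 1015 is preceded by two interactive logons of different types, the logs support the description in the question; if some crashes have no logon in the window, the trigger is something else and the dump analysis in the later replies is the better lead.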

0 Votes
DSPatrick answered

I don't think it is directly the second user; it is directly that lsass.exe failed with status code c0000005. I'd check that it is patched fully and lastly start a case here with product support.
https://support.serviceshub.microsoft.com/supportforbusiness

--please don't forget to Accept as answer if the reply is helpful--

0 Votes
CarlFan-MSFT answered

Hi,
For an application crash issue, you need to create a dump file and then analyze it.
Steps for creating dump logs:

  1. Run regedit.exe and create the LocalDumps key if it does not exist under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting

  2. Please create a new key for the affected process lsass.exe (which will crash) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps

For example: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe

  3. Add the dump settings under the lsass.exe key. If the process crashes, WER will first read the global settings, and then will override any of the settings with the application-specific settings. To do this, please create the following values:

a. Value name: DumpFolder

Type: REG_EXPAND_SZ

Value: Provide the path where you would like the dump files to reside. Default location is: %LOCALAPPDATA%\CrashDumps (C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps)

b. Value name: DumpCount

Type: REG_DWORD

Value: 10

Note: Specifies the maximum number of dump files to keep in the folder at one time. Default is 10.

c. Value name: DumpType

Type: REG_DWORD

Value: 2

Note: 0 = custom, 1= mini dump (default), 2 = full dump
In addition, if this problem is more urgent for you, I still recommend that you open a case with Microsoft for further professional help.
https://support.microsoft.com/en-us/help/4341255/support-for-busines
Best Regards,
Carl
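The three registry steps in the answer above, written as a script. This is an added example, not code from the answer or from Microsoft: it creates the LocalDumps key if missing, the per-process lsass.exe subkey, and the DumpFolder (REG_EXPAND_SZ), DumpCount and DumpType (REG_DWORD) values exactly as the answer lists them, then reads them back. The default folder path is the one the answer gives for the SYSTEM profile; the script parameters are assumptions so the same script can target another process or folder. Run elevated.

```powershell
# Added example (not from the thread): configure WER LocalDumps for lsass.exe
# following the three steps in the answer. Parameters are assumed conveniences.
param(
    [string]$ProcessName = 'lsass.exe',
    # Default from the answer: the SYSTEM profile's %LOCALAPPDATA%\CrashDumps.
    [string]$DumpFolder  = 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps',
    [int]$DumpCount      = 10,
    [ValidateSet(0, 1, 2)][int]$DumpType = 2   # 0 = custom, 1 = mini dump (default), 2 = full dump
)

$werRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$local   = Join-Path $werRoot 'LocalDumps'
$perApp  = Join-Path $local $ProcessName

# Step 1: the LocalDumps key under Windows Error Reporting (create if missing).
if (-not (Test-Path $local)) { New-Item -Path $local -Force | Out-Null }

# Step 2: a subkey named after the crashing image, e.g. LocalDumps\lsass.exe.
if (-not (Test-Path $perApp)) { New-Item -Path $perApp -Force | Out-Null }

# Step 3: dump settings. Per-application values override the global LocalDumps
# values. DumpFolder is REG_EXPAND_SZ so %VAR% style paths are expanded by WER.
New-ItemProperty -Path $perApp -Name DumpFolder -PropertyType ExpandString -Value $DumpFolder -Force | Out-Null
New-ItemProperty -Path $perApp -Name DumpCount  -PropertyType DWord        -Value $DumpCount  -Force | Out-Null
New-ItemProperty -Path $perApp -Name DumpType   -PropertyType DWord        -Value $DumpType   -Force | Out-Null

# WER will not create the folder for you; make sure it exists.
$expanded = [Environment]::ExpandEnvironmentVariables($DumpFolder)
if (-not (Test-Path $expanded)) { New-Item -ItemType Directory -Path $expanded -Force | Out-Null }

# Read back what was written so the result can be checked against the answer.
Get-ItemProperty -Path $perApp | Select-Object DumpFolder, DumpCount, DumpType
```

A full dump of lsass.exe (DumpType 2) contains the credential material LSASS holds in memory, so keep the dump folder restricted to administrators, transfer the file only over a protected channel to the analyst, and remove the dumps and the lsass.exe subkey once the case is closed.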


0 Votes
Brett-0417 answered Brett-0417 edited

@CarlFan-MSFT
I have completed the above. I have also opened a case with Microsoft; however, I do not want to sit on my hands and wait. I won't pretend to understand anything about the output that I was able to get by running the dump file through WinDbg, but I do recognize kerberos, rpc and lsasrv references in the meat here.

Any additional guidance is appreciated.


Loading Dump File [lsass.exe.736.dmp]
User Mini Dump File with Full Memory: Only application data is available

Symbol search path is: srv*
Executable search path is:
Windows 10 Version 14393 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
10.0.14393.4283 (rs1_release.210303-1802)
Machine Name:
Debug session time: Thu Mar 25 11:27:19.000 2021 (UTC - 5:00)
System Uptime: 0 days 0:17:45.250
Process Uptime: 0 days 0:16:24.000
................................................................
........................
Loading unloaded module list
.........
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(2e0.308): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
ntdll!NtWaitForMultipleObjects+0x14:
00007ffd`0f196714 c3 ret
0:003> !analyze -v


Exception Analysis


NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffd0a901088 (7zp+0x0000000000001088)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

PROCESS_NAME: lsass.exe

READ_ADDRESS: 0000000000000000

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000000

SYMBOL_NAME: 7zp+1088

MODULE_NAME: 7zp

IMAGE_NAME: 7zp.dll

STACK_COMMAND: ~3s ; .ecxr ; kb

FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_7zp.dll!Unknown

OS_VERSION: 10.0.14393.4283

BUILDLAB_STR: rs1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {246499da-450d-519c-2828-615b768c8e9a}

Followup: MachineOwner



0 Votes
CarlFan-MSFT answered

@Brett-0417
Thank you for your understanding and cooperation. Please understand that, due to security policy, we do not provide dump/log analysis. This better protects your personal information.
As you said, kerberos, rpc and lsasrv could be found. They represent the procedures that your account's verification procedure calls.
From the information you provided, I consider that you could uninstall the 7zp software to check if it works.
If the issue still persists, wait for Microsoft to perform a deep analysis.
Thank you for your understanding and cooperation.
Hope this helps, and please help to accept as Answer if the response is useful.
Best Regards,
Carl
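The WinDbg output above blames a module that is not part of Windows (MODULE_NAME: 7zp, IMAGE_NAME: 7zp.dll) for a null-pointer read inside lsass.exe, and the reply suggests uninstalling that software. Before removing anything, a responder would want to know where that DLL lives, who signed it, and which LSA extension point loads it, since a logon-triggered crash points at a DLL LSASS loads for authentication. The script below is an added example, not code from the thread or from Microsoft: it lists the modules loaded in the running lsass.exe with their Authenticode signer, flags those not signed by Microsoft, reports the path and version information of the module of interest if it is loaded, and prints the LSA registry lists (Security Packages and Notification Packages) through which third-party SSPs and password filters are loaded. The module name parameter and the signer match pattern are assumptions. Run elevated in 64-bit PowerShell.

```powershell
# Added example (not from the thread): inventory the DLLs inside lsass.exe and
# the LSA extension points, to understand how a third-party module such as the
# one named in the dump (7zp.dll) gets loaded. $ModuleOfInterest is an assumed
# parameter; the Microsoft signer pattern is an assumption about the subject DN.
param([string]$ModuleOfInterest = '7zp.dll')

# Note: if LSA protection (RunAsPPL) is enabled, module enumeration of lsass.exe
# is denied even to administrators; in that case the crash dump is the source.
$lsass = Get-Process -Name lsass -ErrorAction Stop

$modules = foreach ($m in $lsass.Modules) {
    $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Module    = $m.ModuleName
        Path      = $m.FileName
        Status    = $sig.Status
        Signer    = $signer
        Microsoft = ($signer -match 'O=Microsoft Corporation')
    }
}

Write-Host "Modules in lsass.exe (PID $($lsass.Id)) not signed by Microsoft:"
$modules | Where-Object { -not $_.Microsoft } |
    Format-Table Module, Status, Signer, Path -AutoSize

# Where does the module the dump blamed come from, and who ships it?
$hit = $modules | Where-Object Module -eq $ModuleOfInterest
if ($hit) {
    Write-Host "`n$ModuleOfInterest is loaded from: $($hit.Path)"
    (Get-Item $hit.Path).VersionInfo |
        Format-List CompanyName, ProductName, FileDescription, FileVersion
} else {
    Write-Host "`n$ModuleOfInterest is not loaded right now; it may be loaded only during the failing logon."
}

# LSASS loads SSP/AP DLLs listed in 'Security Packages' and password-filter DLLs
# listed in 'Notification Packages'. Names beyond the inbox ones identify
# third-party code that runs inside LSASS on every authentication.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Write-Host "`nSecurity Packages:     $($lsa.'Security Packages' -join ', ')"
Write-Host "Notification Packages: $($lsa.'Notification Packages' -join ', ')"
```

Once the vendor and load path of the module are known, the fix can be targeted (update or remove that one component, and remove its entry from the LSA list if it registered one) rather than uninstalling a product wholesale, and the same output is useful evidence for the Microsoft support case.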

