
System shutdown problem - NT Authority\system - RPC service terminated.

TimManley asked
399,676 Views
Last Modified: 2011-08-18
Can anyone please help - this problem appears to have been reported by a few people. It is happening after connecting to the internet. An error message appears:

"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority\system.

Windows must now restart because Remote Procedure Call (RPC) Service terminated unexpectedly."

This happened 10ish times - on one occasion another error message came up that mentioned something about "generic host process" and "windows32" but that message only came up once and disappeared before I could read it properly or write it down.

Some people have suggested a virus called msblast may be responsible. Norton found no viruses but I am unable to connect to the internet for long enough to download live updates.

This is my first time on this site and I don't understand the points bit but I hope someone can help.

CERTIFIED EXPERT

Commented:
Download the MS03-026 patch from Microsoft.

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

http://www.bigblackglasses.com/Article.aspx?Article=342
http://www.microsoft.com/security/incident/blast.asp

Worm Removal:
************
From Symantec: W32.Blaster.Worm is exploiting the vulnerabilities of the RPC interface.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

From McAfee:
http://vil.nai.com/vil/content/v_100547.htm
http://vil.nai.com/vil/content/v_100516.htm

Sophos:
http://www.sophos.com/virusinfo/analyses/w32blastera.html



======More Reading======

This is caused by a worm someone unleashed on the internet. The short of it is that you should immediately disconnect from the internet so you don't get infected if you aren't already, enable a firewall, run a virus scan, and then go to http://windowsupdate.microsoft.com and install all of the critical updates.

To enable the built-in firewall, open the Network Connections control panel. Then right click on your internet connection, or the network card you use to connect to broadband and select properties.  Go to the Advanced tab and check the checkbox labeled "Protect my computer and network by limiting or preventing access to this computer from the Internet."

There are online virus scanners out there. If you have a virus scanner on your computer, make sure you download the latest virus definitions for it.

===
Around the Internet, system administrators report strange "rebooting" of their Windows systems as they are being taken over remotely, and many firewall watchers report a jump in scans for port 135. This problem is especially explosive because an attacker can run a rogue program by merely sending packets to a remote machine using any one of various ports. One of these, port 135, is commonly used to send pop-up messages across a network.

===

Exploitation of Vulnerabilities in Microsoft RPC Interface
http://www.cert.org/advisories/CA-2003-19.html

If you don't have enough time to download and apply the patch before the PC reboots,

Go to start > run > Services.msc.
Right click Remote Procedure Call.
Select Properties > Recovery.
On all three drop-down boxes in this window, select "Take no action."

This temp fix will give you the time to update. After the update, reverse the procedure to get RPC back.

===
Said here:
https://www.experts-exchange.com/Operating_Systems/WinXP/Q_20706639.html
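
The jump in port 135 scans mentioned in the answer above can be read out of a firewall log. The following is an added example, not part of the original thread: it assumes a W3C-style log with a `#Fields:` header (the layout of the XP firewall's pfirewall.log), and the sample entries, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample (documentation addresses, not real hosts), laid out like
# the XP firewall log pfirewall.log; the layout is an assumption of this example.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-08-12 09:14:01 DROP TCP 198.51.100.23 192.0.2.10 3412 135 48 S 1203948 0 64240 - - -
2003-08-12 09:14:04 DROP TCP 198.51.100.23 192.0.2.10 3412 135 48 S 1203948 0 64240 - - -
2003-08-12 09:14:10 DROP TCP 198.51.100.23 192.0.2.10 3412 135 48 S 1203948 0 64240 - - -
2003-08-12 09:14:19 DROP TCP 198.51.100.77 192.0.2.10 2210 135 48 S 8812001 0 16384 - - -
2003-08-12 09:14:30 DROP UDP 203.0.113.5 192.0.2.10 4021 1026 512 - - - - - - -
2003-08-12 09:14:41 DROP TCP 198.51.100.77 192.0.2.10 2215 445 48 S 8812977 0 16384 - - -
2003-08-12 09:15:02 OPEN TCP 192.0.2.10 192.0.2.11 1044 135 - - - - - - - -
2003-08-12 09:15:02 OPEN TCP 192.0.2.10 192.0.2.12 1045 135 - - - - - - - -
2003-08-12 09:15:03 OPEN TCP 192.0.2.10 192.0.2.13 1046 135 - - - - - - - -
2003-08-12 09:15:40 OPEN TCP 192.0.2.10 203.0.113.80 1050 80 - - - - - - - -
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names on the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) >= len(fields):  # ignore truncated entries
                rows.append(dict(zip(fields, parts)))
    return rows


def summarize_port135(rows, local_ip, port="135"):
    """Split TCP traffic on the RPC port into probes received and connections made."""
    dropped, allowed, targets = Counter(), Counter(), set()
    for r in rows:
        if r["protocol"] != "TCP" or r["dst-port"] != port:
            continue
        if r["dst-ip"] == local_ip:
            if r["action"] == "DROP":
                dropped[r["src-ip"]] += 1      # scan stopped by the firewall
            elif r["action"].startswith("OPEN"):
                allowed[r["src-ip"]] += 1      # port 135 was reachable: exposed
        elif r["src-ip"] == local_ip and r["action"].startswith("OPEN"):
            targets.add(r["dst-ip"])           # this machine is connecting out
    return {
        "inbound_dropped": dict(dropped),
        "inbound_allowed": dict(allowed),
        "outbound_targets": sorted(targets),
    }


if __name__ == "__main__":
    report = summarize_port135(parse_firewall_log(SAMPLE_LOG), "192.0.2.10")
    for key, value in report.items():
        print(key, value)
```

Several distinct outbound targets on port 135 from the local address is the pattern of a machine that is itself scanning, which is worth following up even when a removal tool reports nothing.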
CERTIFIED EXPERT

Commented:
First, make sure you have the latest virus defs installed.

Then refer to the Symantec site for worm removal.

temporary fix:
Exploitation of Vulnerabilities in Microsoft RPC Interface
http://www.cert.org/advisories/CA-2003-19.html
CERTIFIED EXPERT

Commented:
Refer to this link, a situation where this user is unable to browse the internet after RPC attack.

https://www.experts-exchange.com/Operating_Systems/WinXP/Q_20706632.html

Solution is to reset the TCP using winsockfix

Commented:
Our site here has been hit by this. We installed the patch, but we did not have to rush; we just got the patch from a Win 98 machine, not affected (only XP, 2000 and NT machines are affected), and then we disconnected the XP machines from the network and ran the patch, then put the network cable back in after reboot; all is OK.

Physically Disconnect from the Internet

While the system is shut down, disconnect any network (local network, cable modem, DSL, broadband, etc.) from the back of the system.

Turn on the system.
If using a dial-up (i.e., modem) connection, do not connect to the Internet.

-----------------------------------------------------------------------
Disable DCOM

To manually enable (or disable) DCOM for a computer: Run Dcomcnfg.exe.

Click the Start button, click Run, in the Open box type

Dcomcnfg.exe

and click OK.

Under Console Root, click Component Services.

Open the Computers subfolder.

Right-click My Computer, and then click Properties.

Click the Default Properties tab.

Click to clear the Enable Distributed COM on this Computer check box.

Click OK to apply the changes.

Quit Dcomcnfg.exe.

-------------------------------------------------------------------------

Download Critical Update

NOTE: If you still see the NT AUTHORITY\SYSTEM error message after you have disabled DCOM and reconnected to the Internet:

Click the Start button, click Run, in the Open box type shutdown -a and click OK.  

Reconnect your cable modem or DSL modem.

Start an Internet session and go to this URL:

http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Close all open programs including Internet Explorer.

Double-click the filename to expand and execute the patch. Follow the directions in the Wizard to complete the installation.

The security patch should be applied when you restart Windows.


Remove The Virus/Worm From Your System

Update your virus scan software definition files at the software vendor's web site and run a complete virus scan.

Alternatively, free stand alone virus/worm removal programs are available from Symantec and McAfee:

Symantec:

http://securityresponse.symantec.com/avcenter/FixBlast.exe

McAfee:

http://download.nai.com/products/mcafee-avert/stinger.exe 

Either of these programs can be downloaded and executed to clean this virus/worm from your system
Dave Pusey, IT Support Specialist

Commented:
In fact, there is a very easy solution to this...

- Go to services

- Go to properties of "Remote Procedure Call (RPC)"

- Go to "Recovery" tab

- Set first failure, second failure and subsequent failures to "Restart the service" instead of "Restart the computer".

- Press ok.

Works for me and you don't need to fart about with patches or worm removal either.

And in any case, if you don't want to remove it (lol), just open your command prompt

and type 'shutdown -A' at the prompt

Commented:
I was getting the shutdown message and was told that it was the blaster worm. I put up the firewall, which stopped the shutdown message from appearing.  

I then downloaded the patch from Microsoft and then ran the removal tool. It said my computer does not have the blaster worm.

If it's not the blaster worm, what else would cause that shutdown message to appear? Though the message isn't popping up anymore (probably thanks to the firewall), I'm not satisfied.
Dave Pusey, IT Support Specialist

Commented:
In fact, there is a very easy solution to this...

- Go to services

- Go to properties of "Remote Procedure Call (RPC)"

- Go to "Recovery" tab

- Set first failure, second failure and subsequent failures to "Restart the service" instead of "Restart the computer".

- Press ok.

Works for me and you don't need to fart about with patches or worm removal either.

Commented:
It sounds like the blaster virus.

First thing to do is log on as the administrator.
When you have done that, press CTRL-Alt-Delete and go to processes.
End task the blast.exe process.

This will stop you automatically shutting down in a minute and will buy you some time.

Next click on START - RUN and type regedit - press return
Go to the following
HKeyLocalMachine - Software - Microsoft - Windows - Current Version - Run

You may find a line containing the word blast.exe

Delete it.

When you have done this, exit out of the registry and run a full virus scan on your computer. If your computer is now clear do a restart.

Download the Microsoft patch for blaster and run it.

Good luck
Dave Pusey, IT Support Specialist

Commented:
You DO NOT need to do all that! Simply do this...

- Go to services

- Go to properties of "Remote Procedure Call (RPC)"

- Go to "Recovery" tab

- Set first failure, second failure and subsequent failures to "Restart the service" instead of "Restart the computer".

- Press ok.
Dave Pusey, IT Support Specialist

Commented:
It works for me!

Commented:
Tim

There are many viruses/worms out there that use the RPC vulnerability to propagate. The first one was Blaster. If you do not have the Blaster virus, then it might be some other one that uses it. But if you have patched your machine, then there should not be any case of the shutdown happening. There is another worm that was released after Blaster, Welchia, which basically goes around trying to find machines infected with Blaster, removing this worm and downloading the patch to your machine to fix the vulnerability. Now the only reason that this worm has become a nuisance is because of the way it tries to find the vulnerable machines. This is basically the same way that Blaster works. So I would suggest you download the Welchia fix from the Symantec site and have a go with it. To manually see if your machine has been infected with Welchia, do the following.

Go to

c:\windows\system32\wins

Check to see if you have the following files present

dllhost.exe
svchost.exe

If they are then your machine is infected with Welchia.

Hope this helps.

I have heard lots of solutions over and over and I have heard that it is the Blaster worm or the Welchia but nothing can detect anything and it is upsetting me because the RPC is no longer popping up because I had turned the firewall on and I don't want to do the other suggestions by other people to change it and just let it sit there like that because it hasn't helped anything. All it is doing is avoiding the virus and I want the thing completely out and I have called Microsoft and they told me where to go to get everything fixed and I did it word for word and it's still not fixed and it's worrying me and if it doesn't get fixed then I am scared that my computer is going to be more vulnerable to other viruses that link to the Blaster worm that I have but I had the: Nachi, Lovsan, and the MsBlast and I am so irritated in getting all of this stuff done because it's just overwhelming to come home and sit down and know that I can encounter more viruses and I have an anti-virus and it says nothing and I have done scans and patches and it's all just not working out........PLEASE, try and come up with some more advice besides what I have already read and tried.
Dave Pusey, IT Support Specialist

Commented:
>> the RPC is no longer popping up because i had turned the firewall on

That's all you have to do!

If you do that then it doesn't fix what has already been done.
Dave Pusey, IT Support Specialist

Commented:
It prevents your computer from restarting. Which is what it's doing in the first place.

Commented:
I think you go to Administrator Tools -> Services and choose Remote Procedure Call -> right click -> Properties and choose the Recovery tab -> for First and.. failure choose Take no action
Dave Pusey, IT Support Specialist

Commented:
That is what you do. However, I recommend setting it to "Restart the Service" instead of "Take no action".

Thank you Jesus ............. wow, that was annoying as all get out

Commented:
I get an error report for Generic Host Process for Win32 Services then I get the shutdown message for NT AUTHORITY\SYSTEM. This has happened a couple of times since I got a new hard drive. Why is that happening and what is Generic Host Process for Win32 Services?

Thank you,
Boo71
Dave Pusey, IT Support Specialist

Commented:
I also suggest activating the ICF. That will block the shutdowns and the messenger spam at the same time.

Commented:
setup your self a firewall (personal firewall).
then set the firewall to block any connection from/to svchost.exe (Generic Host Processes).

Luckily your Win 2K still can survive (not shut down) with minor disabilities (can't paste the clipboard).
If you were using XP .... it will be shut down in 60 seconds (After the svchost.exe was attacked)
Dave Pusey, IT Support Specialist

Commented:
>> setup your self a firewall (personal firewall). then set the firewall to block any connection to svchost.exe (Generic Host Processes)

The ICF (Internet Connection Firewall) in XP does that. Just enable it BEFORE connecting.

1babygurl:
 
I sympathize with you (and millions of other victims of Microsoft which builds security holes for its own use, the retailers who like to let you think that you need a new computer, and the majority of 'experts' who are either clueless (such as in Microsoft-trained)  or who see job security in only providing temporary solutions). Enough preaching...
 
Others have advised you on how to remove Blaster and Welchia. I will not duplicate that (except: read Symantec's recommendations on it since XP has a backup feature you need to temporarily disable if I remember correctly since it will happily restore the worm(s) upon restart). As for PC security: On modern PCs you have to deal not only with (A) viruses but also (B) worms and (C) trojans, spyware, adware and similar (mostly TSRs). What you need in order to run a fairly safe machine even when it's an IBM-compatible that runs a Microsoft OS like Windows is 3rd-party software. The below list looks like a lot more work than it is. In truth, much of this you do only once or very infrequently. It would be easier to get a Macintosh instead (at least in former times - haven't seen the latest Mac OS' which might follow the race to the bottom for all I know), but then you would be incompatible with much of the world since quality is always in the minority.

How to run a safe Windows-PC:
 
(1) Install a 3rd-party firewall. (ZoneAlarm is free and very good. In contrast, that little so-called FireWall in WinXP is nothing but a nuisance) -- This will protect especially against worms and trojans.
(2) Give your machine a good house-cleaning now and then with a spy-/ad-ware catcher like Spybot (is free). -- It will catch many who slipped in before or despite the other installations mentioned here.
(3) Install and use a process controller like CodeStuff Starter (also free). Use it to control which processes you allow to run on your machine. (hint: anything that isn't described as a component of Windows, your Antivirus software, or your 3rd-party firewall has probably no business running on your machine) -- By deselecting the weirdos in the list, you disable the various trojans, spy- and adware TSRs as well as resource-wasting preloaders, etc. You may find your computer running much faster after that. Occasionally you may want to revisit the list and check if all is alright.
(4) Regularly update the virus definitions of your antivirus software such as Norton Antivirus. Typically, this can be set to automatic. -- While new Windows system viruses and Microsoft macro viruses are countless and need such vigilance, do understand that nowadays viruses are only a third of the problem.
(5) Either disable active-X when using Internet Explorer, or better yet, don't use it at all (except for visiting windowsupdate.microsoft.com). Use Mozilla Firebird instead. It's not only much more secure (no active-X, better pop-up and cookie control, etc.) but also simply the better browser even in its beta version. Armies of spyware, adware and trojans slip in through IE all the time.
(6) Either don't use a local email client or stay away from MS Office/Outlook or what have you from Microsoft. Since I currently stick to email portals on the web (using Firebird!!!), I have no firm recommendation as to what 3rd-party client to recommend. Mozilla Thunderbird is free and open-source. Some people swear by Eudora or Pegasus mail(?). Pay attention to how they handle HTML email with images, popups, javascript, etc. The more you can limit this, the more secure you will be.
 
I think I covered it all. Anyway, I must get back to my errands now. Good luck. Like I said, the above looks like more work than it is, and it will save you from countless hours, days, and weeks of utter frustration.
 
Take care,
RenegadeWizard ;-)
 
---- Can I be hired? Depends. Who must I kill? ---

Thank you sooooooo much!!! I have no idea what I'm doing with this computer stuff and all of a sudden it kept restarting... my friend recommended this site and it helped me out a lot!! I am forever grateful!!!

Hey, if anyone disables the RPC here's how to restore that setting, because once you disable it there's no turning back... here's a link showing you how to fix this prob...

http://www.blackviper.com/WIN2K/Files/RpcRepair.zip

I hope it works for you....

There is an easier way to do it but you've got to be quick before it loads. When Windows loads and the desktop appears hit ALT CONTROL DEL and remove it from your Tasks, then what you do is this: go to where it resides at, that would be in your msconfig, uncheck it, see where it is shortcutted to and remove it from the system, or you can just go get the quick fix for it if your computer can stay running long enough to get it. But if you need to remove it temp until you're able to get the fix just hit ALT CONT DEL on the Windows desktop and stop the process of mblast, then go to RUN, type in msconfig, then go to STARTUP, it will be listed in there as MBLAST, then you should be fine...

God I can't believe that this post is so big, like the guy has either the Blaster or Sasser worm and he has everyone posting a solution. He is too miserable to get his PC cleaned at a computer repair company. I hope he has the RPC Exploit and sdbot worm with the korgo mixed with it. I also hope he has lots of spyware and hijackers with it when he gets his phone bill it's in the thousands. Christ I hate miserable bastards that won't pay to have their computer cleaned by IT professionals and post a miserable sentence on the internet and all you muppets give him the solution to fix his computer. Like I studied for years in college to make a living at fixing PCs and idiots like you guys fix it free over the internet, are you guys making a single penny out of this. Next you will be doing a fix it yourself microwave oven or telling people how to service their cars by themselves. What a bunch of dumb asses

How magnanimous.

I can't boot my machine in safe mode or normal mode. I get the countdown RPC thing and after 60 seconds it shuts down. I can't even get to the start button to turn on the firewall or anything. Is there a patch that I can put on a floppy and turn the machine on? All the patches I have downloaded keep telling me they can't be run from MS-DOS mode. I am getting ready to make this machine a boat anchor and keep using the one I am on now.
