Solved

lsass.exe - System Error Preventing OS Startup

Posted on 2004-10-01
Last Modified: 2012-08-13
I have a laptop running Windows XP Home edition with SP2.  I restarted it tonight because a piece of software that I use to track network activity had stopped doing so.  It's done so before and restarting usually resolves this.  However the machine no longer boots up.  The BIOS loads correctly and the Windows XP splash screen comes up with a system error pop up.  The heading is:

lsass.exe - System Error

The message is:

An invalid parameter was passed to a service or function.

My only option is to close the window with or hit ok.  Either action results in the machine restarting.  I can't get past this and a scorched earth plan of action is not an option.  What can I do?  
0
Question by:Athanman
6 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 12198103
Instructions for patching and cleaning vulnerable Windows 2000 and Windows XP systems:

Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE process crash every time a malicious worm packet targets the vulnerable machine which can occur very shortly after the machine starts up and initialises the network stack.

When cleaning a machine that is vulnerable to the Sasser worm it is necessary to first prevent the LSASS.EXE process from crashing, which in turn causes the machine to reboot after a 60 second delay.  This reboot cannot be aborted on Windows 2000 platforms using the Shutdown.exe or psshutdown.exe utilities and can interfere with the downloading and installation of the patch as well as removal of the worm.

1. To prevent LSASS.EXE from shutting down the machine during the cleaning  process:

a. Unplug the network cable from the machine

b. If you are running Windows XP you can enable the built-in Internet Connection Firewall using the instructions found here: Windows XP (http://support.microsoft.com/?id=283673) and then plug the machine back into the network and go to step 2.

c. If you are running Windows 2000, you won't have a built-in firewall and must use the following work-around to prevent LSASS.EXE from crashing.

This workaround involves creating a read-only file named 'dcpromo.log' in the "%systemroot%\debug" directory.  Creating this read-only file will prevent the vulnerability used by this worm from crashing the LSASS.EXE process.

i.      NOTE:  %systemroot% is the variable that contains the name of the Windows installation directory.  For example if Windows was installed to the "c:\winnt" directory the following command will create a file called dcpromo.log in the c:\winnt\debug directory.  The following commands must be typed in a command prompt (i.e. cmd.exe) exactly as they are written below.

1. To start a command shell, click Start and then click run and type 'cmd.exe' and press enter.

2. Type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log

3. For this workaround to work properly you MUST make the file read-only by typing the following command:

attrib +R %systemroot%\debug\dcpromo.log

4. After enabling the Internet Connection Firewall or creating the read-only dcpromo.log you can plug the network cable back in and you must download and install the MS04-011 patch from the MS04-011 download link for the affected machines operating system before cleaning the system.  If the system is cleaned before the patch is installed it is possible that the system could get re-infected prior to installing the patch.

a. Here is the URL for the bulletin which contains the links to the download location for each patch:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

b. If your machine is acting sluggish or your Internet connection is slow you should use Task Manager to kill the following processes and then try downloading the patch again (press the Ctrl + Alt + Del keys simultaneously and select Task Manager):

i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)

ii. Kill any process starting with 'avserv' (i.e. avserve.exe, avserve2.exe)

iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)

iv. Kill hkey.exe

v. Kill msiwin84.exe

vi. Kill wmiprvsw.exe

5. Note there is a legitimate system process called 'wmiprvse.exe' that does NOT need to be killed.

c. Allow the system to reboot after the patch is installed.

6. Run the Sasser cleaner tool from the following URL:

a. For the on-line ActiveX control based version of the cleaner you can run it directly from the following URL:

 http://www.microsoft.com/security/incident/sasser.asp

b. For the stand-alone download version of the cleaner you can download it from the following URL:

 http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en

7. Determine if the machine has been infected with a variant of the Agobot worm which can also get on the machine using the same method as the Sasser worm.

a. To do this run a full antivirus scan of your machine after ensuring your antivirus signatures are up to date.

b. If you do NOT have an antivirus product installed you can visit HouseCall from TrendMicro to perform a free scan using the following URL:

http://housecall.trendmicro.com/
0
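Added example (not part of the post above, and not Microsoft tooling): the process-name rules from step 4b applied to a captured process listing, including the wmiprvse.exe exception from step 5. It assumes the listing was saved with `tasklist /FO CSV` on a system that provides that command; the sample rows are constructed for illustration.

```python
import csv
import io

# Names and patterns taken from step 4b above. Matching is case-insensitive
# because Windows image names are.
EXACT = {"hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
PREFIXES = ("avserv", "skynetave")
SUFFIXES = ("_up.exe",)
# Legitimate process named in step 5; differs from wmiprvsw.exe by one letter.
LOOKALIKE_OK = {"wmiprvse.exe"}


def classify(image_name):
    """Return the rule that flags image_name, or None if no rule matches."""
    name = image_name.strip().lower()
    if name in LOOKALIKE_OK:
        return None
    if name in EXACT:
        return "exact name"
    for prefix in PREFIXES:
        if name.startswith(prefix):
            return "prefix " + prefix
    for suffix in SUFFIXES:
        if name.endswith(suffix):
            return "suffix " + suffix
    return None


def triage(tasklist_csv):
    """Parse `tasklist /FO CSV` text; return [(image, pid, rule)] for hits."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        rule = classify(row["Image Name"])
        if rule:
            hits.append((row["Image Name"], int(row["PID"]), rule))
    return hits


# Constructed sample in the layout of `tasklist /FO CSV` (not from a real host).
SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"lsass.exe","680","Console","0","1,204 K"
"wmiprvse.exe","1412","Console","0","4,388 K"
"wmiprvsw.exe","1980","Console","0","2,112 K"
"avserve2.exe","2044","Console","0","3,560 K"
"12345_up.exe","2120","Console","0","1,876 K"
"SKYNETAVE.EXE","2208","Console","0","2,940 K"
'''

if __name__ == "__main__":
    for image, pid, rule in triage(SAMPLE):
        print(f"{pid:>5}  {image:<16} {rule}")
```

A name match only marks a process for review against the antivirus scan in step 7; it does not by itself confirm infection.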
 
LVL 1

Author Comment

by:Athanman
ID: 12198142
Thanks for the speedy response, I saw this solution before.  Unfortunately I can't get into windows since I can no longer get past the splash screen.  If I do not close the pop up Window the system does not reboot.  Nothing happens until I close the pop up window with the error message.  The solution therefore must consider that the error is preventing Windows from starting up.
0
 
LVL 1

Expert Comment

by:jrgn
ID: 12198432
Did you try to start in safe mode? And if that works follow the instructions PeteLong posted.
If that didn't work try to repair Windows using the cdrom and also follow the instructions.

Regards

Jurgen
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 750 total points
ID: 12199439
no its not Sasser worm,,,,, ur system file\service lsass.exe has been corrupted..... and believe me if u will even try a Repair install.... this will not solve the issue..... this is the fourth case im seeing with this error !!  =\

the thing which u can do is a clean and fresh install !!
but if u want to save ur data, then take out ur laptop hard drive and then hook it in another system as a slave drive, then copy ur data and then hook back the drive in laptop, and using either Recovery disks or WinXP CD, format ur hard drive and then install a fresh copy of XP !!

How To Connect a Laptop Hard Drive to a Desktop PC:
http://techrepublic.com.com/5100-6255-5160538.html
0
 
LVL 1

Author Comment

by:Athanman
ID: 12354972
This was definitely not the Sasser worm; I attempted to solve this problem using the solutions for the Sasser worm before posting this problem initially.  What I ended up doing was replacing the hard drive and starting over.  I retained the previous hard drive in its prior condition so that I can remove information off of it.
0
 

Expert Comment

by:zookept
ID: 13518537
I too also have the problem where it won't boot from normal, safemode and a repair also fails.  It says lsass.exe object name not found then you click ok and it reboots.

It looks like a fix is not possible, tell me someone found the answer ????????
0
