• Status: Solved
  • Priority: Medium
  • Security: Public

LSASS.EXE Shutdown after Server 2003 Upgrade

Hi,

I just upgraded my domain controller to server 2k3.  I ran through all the steps listed to do so.  The server starts up and the login window appears, I immediately get a pop up that says:

****************
This system is shutting down.  The shutdown was initiated by NT AUTHORITY\SYSTEM

Message:

Process C:\WINNT\SYSTEM32\LSASS.EXE terminated with status code 1073741819.  The system will now shutdown and restart.
****************

I have recovery console installed.  I copied a new version of lsass.exe from the cd to the \SYSTEM32 folder, but still get same error.

HELP!!!!!!
darrennelson
 
Rob Williams Commented:
Run a virus check specifically looking for the Sasser virus; it can cause the symptoms you are experiencing.
 
darrennelson Author Commented:
Any tips on how to do this when I can even get in to the server in safe mode?
 
Rob Williams Commented:
The following articles explain the Sasser virus in more detail and how to deal with it. You may have to interrupt the shutdown process with  shutdown -a  as described in the first article, to deal with it.
http://ask-leo.com/what_are_lsass_lsassexe_and_sasser_and_how_do_i_know_if_im_infected_what_do_i_do_if_i_am.html

http://vil.nai.com/vil/content/v_125007.htm

Free removal tools:
http://vil.nai.com/vil/stinger/
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

 
Rob Williams Commented:
PS - there can be other causes for the LSASS shut down, but Sasser is a well known common cause.
 
darrennelson Author Commented:
I'm following the ask-leo steps right now, about to scan for Sasser.  Here is more info that might help.  I can get in in safe mode, but not safe mode with networking.  Is this characteristic of Sasser?
 
darrennelson Author Commented:
And what would be the other causes?
 
Rant32 Commented:
What service pack was Windows 2000 on, and what's the SP level of Windows 2003?

This error can also be caused by an invalid value for ReplicateEvery in a site link. See http://support.microsoft.com/kb/300038

Also, try enabling the Internet connection firewall on the network adapters, if possible. See if the error re-occurs. If it doesn't, then visit the WindowsUpdate website and install all available security updates.
 
Rob Williams Commented:
>>"i can get in in safe mode, but not safe mode with networking.  is this characteristic of sasser?"
I don't know, but it does spread to network shares so it may be the case. I have noticed numerous sites recommend starting in safe mode without networking to deal with it. I don't know if that is a recommended procedure or necessary, as per:
http://hsc.usf.edu/is/download/update/index.html

Blaster worm is another that can cause similar problems.
Then there is a list of other possible causes such as installing multiple updates without re-starting between the updates, but all of the others seem to have somewhat different symptoms, like random restarts over a period of time. One you might want to have a look at where you were installing updates:
http://www.jsifaq.com/subM/tip6100/rh6116.htm 
 
theruck Commented:
I got this problem when there was NOD32 antivirus installed on the server. If you have it, just uninstall it.
 
darrennelson Author Commented:
Server 2000 was on service pack 4; I upgraded to Server 2003 Standard Edition R2 SP1.

I went into Device Manager and noticed that all drivers had loaded except the NIC drivers.  After installing NIC drivers, on the first subsequent logon, rather than the original error, I got this:

LSASS.EXE - System Error

Object Name Not Found

Then it rebooted and I got the same error that I got the first time around.  I am currently going to check the "Replicate Every" settings.
 
Rob Williams Commented:
Based on the sequence of events you have just listed above, it would be unlikely you got hit with a virus in the middle of your upgrade. What if you try uninstalling the NIC drivers or disable the adapter and reboot. If it boots OK, then search for different drivers.
 
Rant32 Commented:
You're not the only one having problems upgrading a 2000 DC to 2003. The error codes are sometimes different. Maybe this link will help you:

When you upgrade a Windows 2000 domain controller to Windows Server 2003, you receive 'LSASS.EXE terminated unexpectedly with status code -1073741571' when you restart your server?
http://www.jsifaq.com/SUBQ/tip8100/rh8199.htm
 
darrennelson Author Commented:
Here is the solution to our specific scenario:

1.  The reason for the upgrade was to be able to use RPC over HTTP.  This allows your Exchange server to be accessed by the Outlook client outside of your LAN (ref article KB833401).  This requires your global catalog to be a Server 2003 box.

2.  Attempts were made to set up RPC over HTTP using KB833401 on GC before it was upgraded to Windows 2003 Server.  In doing so, the key "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\NSPI interface protocol sequences" was set to a data type of REG_SZ.  The key should actually be REG_MULTI_SZ.  This was causing the lsass.exe error.

Rant32, I just read your post (after typing the above two paragraphs).....ACK!, you would have saved me a lot of time had that post been 24 hours earlier, but either way, it was a good learning experience.

MODERATORS and POSTERS:  I need some input on points division.  RobWill was extremely helpful and responsive, but was looking in the wrong direction.  Rant32 posted the correct solution, but I actually found it through MS the day before.  Any input will be appreciated.
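The registry type mismatch described in the post above can be audited before an upgrade. This is an added example, not part of the original thread: the function names `Test-NspiValueKind` and `Repair-NspiValueKind` are hypothetical, and it assumes PowerShell is installed and run with administrative rights on the domain controller.

```powershell
# Added example (not from the thread). Checks the data type of the value named in the post.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NspiValue  = 'NSPI interface protocol sequences'

# Hypothetical helper: report whether the value exists and has the expected type.
# For a hive loaded offline with "reg load", pass its path via -Path; offline hives
# expose ControlSet001 (etc.) rather than CurrentControlSet.
function Test-NspiValueKind {
    param([string]$Path = $NtdsParams, [string]$Name = $NspiValue)

    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return 'KeyMissing' }
    if ($key.GetValueNames() -notcontains $Name) { return 'ValueMissing' }

    $kind = $key.GetValueKind($Name)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString) { return 'OK' }
    return "WrongType:$kind"      # REG_SZ is reported as WrongType:String
}

# Hypothetical helper: rewrite a REG_SZ value as REG_MULTI_SZ, keeping its data.
function Repair-NspiValueKind {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $NtdsParams, [string]$Name = $NspiValue)

    if ((Test-NspiValueKind -Path $Path -Name $Name) -ne 'WrongType:String') {
        return $false             # nothing to convert
    }
    $data = (Get-Item -Path $Path).GetValue($Name)
    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Convert REG_SZ to REG_MULTI_SZ')) {
        # -Force overwrites the existing value with the new type.
        New-ItemProperty -Path $Path -Name $Name -PropertyType MultiString `
            -Value ([string[]]@($data)) -Force | Out-Null
        return $true
    }
    return $false
}

$status = Test-NspiValueKind
Write-Output "NSPI value check: $status"
if ($status -like 'WrongType:*') {
    # Dry run only; remove -WhatIf after exporting the key as a backup.
    Repair-NspiValueKind -WhatIf | Out-Null
}
```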
 
Rob Williams Commented:
No points necessary on my part. Glad to hear you were able to resolve. Sorry not of more help.
--Rob
 
darrennelson Author Commented:
Rob, just knowing there was someone out there willing was enough.
Thanks Again

-Darren
 
Rob Williams Commented:
Thanks Darren,
--Rob