Improve company productivity with a Business Account.Sign Up


Windows XP updates (6/06) result in services.exe and lsass.exe application errors 0xc0000005

Posted on 2006-06-25
Medium Priority
Last Modified: 2012-06-27
The last 40+ Windows XP updates MS put out several weeks ago (May or June 2006) has created a problem.  After installing the latest updates and restarting the following error messages appear: "services.exe - Application error, application failed to initialize properly (0xc0000005), click to terminate" FOLLOWED BY a second message: "lsass.exe  Application error, application failed to initialize properly (0xc0000005). click OK to terminate".   These to error messages once again appear then a black screen with only the cursor pointer appears on the black screen.  The pointer does respond to mouse movement.

I repaired XP, including SP2, installed MS Windows Installer 3.1 without difficulty.  The same error messages appeared after installing the 40+ updates from MS.  I have repeated this problem at least four times after trying various driver updates and removal of several applications.  

Autodesk, all of MS Office applications and several other applications are on this harddrive.  Removing Autodesk is not an option at this time.  

I would like to identify the conflict with MS updates to the software on this system.  Wiping the drive, loading XP with the updates, and then reloading Autodesk and all other applications is not a option at this time.

Can anyone show me the procedure to identify this software conflict?    Thanks
Question by:wllarson
  • 2
  • 2
  • 2

Accepted Solution

ZaSSeR earned 1000 total points
ID: 16979495
When you get the black screen, can you open Task Manager by hitting CTRL+SHIFT+ESC keys? If you can, it's possible you see
from there if there's a nonresponsive program, or a process taking up 100% of CPU time. If there is one, record the name and
kill it - see what happens.

Can you boot in Safe Mode by repeatedly pressing F8 until you get a prompt? Does this problem occur also in Safe Mode?

If you think that it's one of the updates, you could track it down by installing one update at a time.
You can do this by going into with IE before automatic updates start to download
(disable automatic updates from Control Panel if necessary). Then select one update at a time, install, reboot etc. and see
which one causes the behaviour. Tiresome, but if you want to find out this is the way.

One explanation would also be the Sasser virus, which is linked with lsass.exe and can infect computers if you try to download updates
without first turning on your firewall. See info on: .
Connecting your hard drive to another, virus-protected computer and doing a scan would be an option.
You could also obtain a copy of anti-virus software that boots from a CD (at least F-Secure's install CD does) and scan with that - ie. with no Windows running.

Let me know more, sure we can work this out.

Author Comment

ID: 16979778
Thanks for the quit response.

I tried the Safe Mode with various methods of startup.  Each time exactly the same response.

I cleaned out all malware possible (in the safe mode) with Spybot, Adaware, Windows various products, Trendmicro house call, trial versions of Zonealarm and Trendmicro's internet security products.  Turned off restore, rebooted after cleaning and turned on restore.

The keyboard is not responsive, so unable to access Task Manager.

Could be malware, but tend to think conflict.  Your paragraph three is a possibility, but don't know if there is enough time.


Expert Comment

ID: 16979815
Viruses running in the system can fool virus scanners. You should really do a scan so that Windows is not running (even in Safe mode) to be sure.
You can do this by booting from a floppy or a CD-based anti-virus program.

As another option, see for
'XP's No-Reformat, Nondestructive Total-Rebuild Option' .
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions


Author Comment

ID: 16980814

Do you have any favorite CD based anti-virus scanning applications?  

The InformationWeek article was well written.  The repairing of XP that I mentioned in the original question is the procedure described in this article.  I have used it multiple times, now.  

The PC is now back in service without current updates.  My next step will be to scan the drive without Win XP running or wipe the drive once the client has caught up on their work.

Thanks again.
LVL 70

Assisted Solution

Merete earned 1000 total points
ID: 16981429
Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the MicrosoftUpdate site unreachable.
The Sasser worm is the most recent, and one of the most virulent, viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn't even need you to use email or, for that matter, even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE.

Use a firewall. This can be as simple as turning on the Internet Connection Firewall included in Windows XP, to purchasing and installing hardware devices such as a NAT router. Either of these solutions will likely protect you from Sasser and many other types of non-email-based threats.
ZoneAlarm Free,fid,7228,RSS,RSS,00.asp

Install the patch. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.

Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click onRun, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Symantec, McAfee and more, then the worm has struck.

take the following steps:

Close Notepad.
Open Windows Explorer on the directory containing the file "hosts" (A quick way to do this is to press the Start button, click on Run, type\windows\system32\drivers\etc, and press OK.)
Right Click on the file hosts and select Rename. Give it a new name, like "oldhosts".
Run the command "nbtstat -R". (Press the Start button, click on Run, type nbtstat -R, and press OK.) You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.
Now you should be able to get to your anti-virus sites until you reboot - apparently the Sasser worm will recreate these bogus host file entries each time you reboot. So download your updatesand scan to clean up the virus right away.

Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B
and Bobax,
 both of which have removal instructions up on the Symantec Anti-Virus site>>

Please download HijackThis 1.99.1 and save it into its own folder.
Just choose your country

Open Hijackthis, click  scan and save a logfile" donot fix" to the desktop or
then navigate to the hijackthis folder and copy out the log file
 contents and paste the log here into the small windows or panel>> 
look directly below the panel or window see the small analyze

once you hit analyze it will analyse it immediately
you will know by the fact the panel is now empty
just scroll down below this now empty panel and you can see your analysed log,
right at the bottom below your analyzed log is the option to save it.
Please click on this save it.
Copy this address/url and paste it here.
Disable the system restore as trojans can hide in this,re-enable it.
open disc cleanup at start all programs accessories system tools, let it caculate then go to more options and delete all but most the recent.
Also run a system file checker at start run type in sfc /scannow. You will need your xpcd.
Any spyware can be removed to a degree by running the disc cleanup utility this deletes the temp files temporay internet files and history, also recomend deleting cookies.

regards Merete
LVL 70

Expert Comment

ID: 17161694
thank you  :)

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Are you unable to synchronize your OST (Offline Storage Table) file with Microsoft Exchange Server? Is your OST file exceeding 2 GB size limit? In Microsoft Outlook 2002 and earlier versions, there is a 2 GB size limit for the OST file. If the file …
Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In this video I will demonstrate how to set up Nine, which I now consider the best alternative email app to Touchdown.

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question