TS Connection Issues - logon screen appears for 1 sec and disappears

Hello All,

I am running windows 2003 standard edition (SP2) in terminal services application mode, on a windows 2003 standard edition R2 domain. My DC is a HP ML570 quad Xeon w/ 8GB RAM and my TS is a dual Xeon w/ 4 GB RAM.

I have a problem with the TS rejecting logins, IE: a client will RDC into the server and the logon screen will appear for about 1 second and then disappear.

I go to the TS's console and there is a message stating that lsass.exe -"1073741819" has caused a shutdown of the system, and the system will reboot.

Once i reboot the system, we might not have an issue for a week, then the problem creeps up again and requires a reboot.

I have researched this problem extensively and learned that the primary cause of this is a sasser worm infection. I have scanned the machine with several products and installed the hotfixes that Microsoft has recommended.

I have found no traces of the sasser worm, so i am at a loss to explain what is going on here.

If anyone can shed some light on the subject, it would be much appreciated.
Who is Participating?
PAQed with points refunded (500)

EE Admin
What did you read about sasser - I don't see the slightest connection. if a critical service fails (one that utilizes lsass.exe), then the system will be restarted automatically. See what service fails, look inside the system event log.
Try to go into Safe Mode and see whether the same situation still happen ........... If Not, then at least you can go and check under safe mode for what problems causing of this ...........
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

VazcomAuthor Commented:
I have read about sasser causing the following error:

Event Type:      Information
Event Source:      USER32
Event Category:      None
Event ID:      1074
Date:            10/01/2007
Time:            5:53:45 PM
User:            NT AUTHORITY\SYSTEM
Computer:      TS
The process winlogon.exe has initiated the restart of computer TS on behalf of user  for the following reason: No title for this reason could be found
 Reason Code: 0x50006
 Shutdown Type: restart
 Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0000: 06 00 05 00 43 00 3a 00   ....C.:.
0008: 5c 00 57 00 49 00 4e 00   \.W.I.N.
0010: 44 00 4f 00 57 00 53 00   D.O.W.S.
0018: 5c 00 73 00 79 00 73 00   \.s.y.s.
0020: 74 00 65 00 6d 00 33 00   t.e.m.3.
0028: 32 00 5c 00 4c 00 6f 00   2.\.L.o.
0030: 67 00 46 00 69 00 6c 00   g.F.i.l.
0038: 65 00 73 00 5c 00 53 00   e.s.\.S.
0040: 68 00 75 00 74 00 44 00   h.u.t.D.
0048: 6f 00 77 00 6e 00 5c 00   o.w.n.\.
0050: 53 00 68 00 75 00 74 00   S.h.u.t.
0058: 44 00 6f 00 77 00 6e 00   D.o.w.n.
0060: 5f 00 32 00 30 00 30 00   _.2.0.0.
0068: 37 00 30 00 39 00 32 00
0070: 33 00 31 00 37 00 35 00
0078: 33 00 34 00 33 00 2e 00   3.4.3...
0080: 78 00 6d 00 6c 00 00 00   x.m.l...

Microsoft's site says to apply the latest service pack to fix this issue, i verified that the latest SP was installed.

Then they recommended applying a special HotFix, i will be trying this tonight when most users are off the system to minimize service disruption.

Going into safe mode did nothing, since this issue only happens on rare occassion maybe once or twice a week, and this terminal server is running 24/7 with connections around the clock.

There are times that there may be 8-12 users on and all of the sudden it will not accept new connections, the logon screen appears for a second then closes out, then the restart timer begins.

If you need more info to help diagnose this issue, please elaborate as to what you need.

Thanks for the help.

Joseph Schroeder ~MCSE + Security
Vazcom Communications, Inc.
Please have a look into your ebvent log (system) and see what service fails and requires the system to be rebooted.
VazcomAuthor Commented:
Sorry about the late response.

I have determined that the issue resides in a Microsoft security failure in terminal services, when a user changes thier domain password via a terminal services session, the system (LSASS.exe in general) does not know how to handle the request and begins a security shutdown of the terminal server. By disabling the users ability to change thier passwords on the terminal server the issue has been patched. I am waiting for a permanent resolution from Microsoft to this problem.

Hopefully this will help anyone else out there who may be experiencing the same issue.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.