TS Connection Issues - logon screen appears for 1 sec and disappears

Posted on 2007-10-01
Last Modified: 2013-11-21
Hello All,

I am running windows 2003 standard edition (SP2) in terminal services application mode, on a windows 2003 standard edition R2 domain. My DC is a HP ML570 quad Xeon w/ 8GB RAM and my TS is a dual Xeon w/ 4 GB RAM.

I have a problem with the TS rejecting logins, IE: a client will RDC into the server and the logon screen will appear for about 1 second and then disappear.

I go to the TS's console and there is a message stating that lsass.exe -"1073741819" has caused a shutdown of the system, and the system will reboot.

Once i reboot the system, we might not have an issue for a week, then the problem creeps up again and requires a reboot.

I have researched this problem extensively and learned that the primary cause of this is a sasser worm infection. I have scanned the machine with several products and installed the hotfixes that Microsoft has recommended.

I have found no traces of the sasser worm, so i am at a loss to explain what is going on here.

If anyone can shed some light on the subject, it would be much appreciated.
Question by:Vazcom
    LVL 52

    Expert Comment

    What did you read about sasser - I don't see the slightest connection. if a critical service fails (one that utilizes lsass.exe), then the system will be restarted automatically. See what service fails, look inside the system event log.
    LVL 13

    Expert Comment

    Try to go into Safe Mode and see whether the same situation still happen ........... If Not, then at least you can go and check under safe mode for what problems causing of this ...........

    Author Comment

    I have read about sasser causing the following error:

    Event Type:      Information
    Event Source:      USER32
    Event Category:      None
    Event ID:      1074
    Date:            10/01/2007
    Time:            5:53:45 PM
    User:            NT AUTHORITY\SYSTEM
    Computer:      TS
    The process winlogon.exe has initiated the restart of computer TS on behalf of user  for the following reason: No title for this reason could be found
     Reason Code: 0x50006
     Shutdown Type: restart
     Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

    For more information, see Help and Support Center at
    0000: 06 00 05 00 43 00 3a 00   ....C.:.
    0008: 5c 00 57 00 49 00 4e 00   \.W.I.N.
    0010: 44 00 4f 00 57 00 53 00   D.O.W.S.
    0018: 5c 00 73 00 79 00 73 00   \.s.y.s.
    0020: 74 00 65 00 6d 00 33 00   t.e.m.3.
    0028: 32 00 5c 00 4c 00 6f 00   2.\.L.o.
    0030: 67 00 46 00 69 00 6c 00   g.F.i.l.
    0038: 65 00 73 00 5c 00 53 00   e.s.\.S.
    0040: 68 00 75 00 74 00 44 00   h.u.t.D.
    0048: 6f 00 77 00 6e 00 5c 00   o.w.n.\.
    0050: 53 00 68 00 75 00 74 00   S.h.u.t.
    0058: 44 00 6f 00 77 00 6e 00   D.o.w.n.
    0060: 5f 00 32 00 30 00 30 00   _.2.0.0.
    0068: 37 00 30 00 39 00 32 00
    0070: 33 00 31 00 37 00 35 00
    0078: 33 00 34 00 33 00 2e 00   3.4.3...
    0080: 78 00 6d 00 6c 00 00 00   x.m.l...

    Microsoft's site says to apply the latest service pack to fix this issue, i verified that the latest SP was installed.

    Then they recommended applying a special HotFix, i will be trying this tonight when most users are off the system to minimize service disruption.

    Going into safe mode did nothing, since this issue only happens on rare occassion maybe once or twice a week, and this terminal server is running 24/7 with connections around the clock.

    There are times that there may be 8-12 users on and all of the sudden it will not accept new connections, the logon screen appears for a second then closes out, then the restart timer begins.

    If you need more info to help diagnose this issue, please elaborate as to what you need.

    Thanks for the help.

    Joseph Schroeder ~MCSE + Security
    Vazcom Communications, Inc.
    LVL 52

    Expert Comment

    Please have a look into your ebvent log (system) and see what service fails and requires the system to be rebooted.

    Author Comment

    Sorry about the late response.

    I have determined that the issue resides in a Microsoft security failure in terminal services, when a user changes thier domain password via a terminal services session, the system (LSASS.exe in general) does not know how to handle the request and begins a security shutdown of the terminal server. By disabling the users ability to change thier passwords on the terminal server the issue has been patched. I am waiting for a permanent resolution from Microsoft to this problem.

    Hopefully this will help anyone else out there who may be experiencing the same issue.
    LVL 1

    Accepted Solution

    PAQed with points refunded (500)

    EE Admin

    Featured Post

    Why do Marketing keep bothering you?

    Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

    Join & Write a Comment

    Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
    On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
    The viewer will learn how to successfully download and install the SARDU utility on Windows 8, without downloading adware.
    The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now