NorrieC
asked on
Alerter Service LSASS.EXE will not start. EV ID 7009 Timeout
Hi all,
Having got rid of a virus on our server the following message dialogue appears on startup:
LSASS.exe - System Error
Object Name already exists
"OK" button
If I hit OK then the server reboots instantly. If I leave alone then the dialogue remains on screen on top of all the other windows and the server appears to boot normally.
However many services will not start. The failure to start starts at the Alerter Service (LSASS.EXE) and everything below it including workstation and netlogon. Hence the domain is unavailable.
I have tried to start the alerter service several times but the Service Control Manager reports a timeout waiting for a response from Alerter Service.
Netdiag and DCdiag give predictable results since the domain hasn't been established.
I am at my wits end. I have tried everything within my knowledge sphere to no avail. Any help greatly appreciated.
Norrie
Having got rid of a virus on our server the following message dialogue appears on startup:
LSASS.exe - System Error
Object Name already exists
"OK" button
If I hit OK then the server reboots instantly. If I leave alone then the dialogue remains on screen on top of all the other windows and the server appears to boot normally.
However many services will not start. The failure to start starts at the Alerter Service (LSASS.EXE) and everything below it including workstation and netlogon. Hence the domain is unavailable.
I have tried to start the alerter service several times but the Service Control Manager reports a timeout waiting for a response from Alerter Service.
Netdiag and DCdiag give predictable results since the domain hasn't been established.
I am at my wits end. I have tried everything within my knowledge sphere to no avail. Any help greatly appreciated.
Norrie
Have you gone through following:
http://support.microsoft.com/kb/883268
Exported Alerter Service registry key is attached (remove .txt)
Alerter.reg.txt
http://support.microsoft.com/kb/883268
Exported Alerter Service registry key is attached (remove .txt)
Alerter.reg.txt
Also check following link for fixup batch script:
http://windowsitpro.com/article/articleid/81894/jsi-tip-8511-you-cannot-log-on-or-you-experience-a-long-delay-on-domain-computers-that-are-running-windows-2000-windows-xp-or-windows-server-2003.html
http://windowsitpro.com/article/articleid/81894/jsi-tip-8511-you-cannot-log-on-or-you-experience-a-long-delay-on-domain-computers-that-are-running-windows-2000-windows-xp-or-windows-server-2003.html
ASKER
OK we progress slightly. When the virus struck it updated the registry by changine the fiolename and path for the alerter service to c:\windows\system32\LSSAS.
THe Workstation service depends on the alerter service. The Alerter service does not say that it depends on the workstation service. However, one of the services which depends on the workstation service is called "Microsoft Exchange System Attendant". Under the MESA dependencies it says it relies on the workstation service in the top pane of the dependencies tab. However, there's a + sign in front of the workstation and if it is expanded then the alert service is listed below. I think this is the source of the circular dependency. However, because the virus changed so many registry entries I've lost the dependency structure ,or at least part of it.
Can anyone check a working SBS 2003 server and tell me what the dependency relationship is between the Workstation, Alerter and MESA services please?
I think I see light at the end of the tunnel. Thanks for your help thus far.
Cheers
Norrie
THe Workstation service depends on the alerter service. The Alerter service does not say that it depends on the workstation service. However, one of the services which depends on the workstation service is called "Microsoft Exchange System Attendant". Under the MESA dependencies it says it relies on the workstation service in the top pane of the dependencies tab. However, there's a + sign in front of the workstation and if it is expanded then the alert service is listed below. I think this is the source of the circular dependency. However, because the virus changed so many registry entries I've lost the dependency structure ,or at least part of it.
Can anyone check a working SBS 2003 server and tell me what the dependency relationship is between the Workstation, Alerter and MESA services please?
I think I see light at the end of the tunnel. Thanks for your help thus far.
Cheers
Norrie
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Just a quick update. I have progressed since my first post. The alerter service (LSASS.EXE) wont start because there's another service which has started LSASS.EXE already with the context Win32_Own_Process instead of Win32_Shared_Process. That means that the Alerter service gets a "Duplicate Object" error when it tries to start it also.
Does anyone know how to find out which service has started LSASS.EXE in the Own_Process context rather than the "Shared_Process context?
Can anyone send me the exported key for the Alerter service from a working copy of SBS2003 registry?
Can anyone help with this? Being new here, how can I tell if anyone has even read my post?
Cheers
Norrie