Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


System shuts down in normal mode every time with error message above.

Posted on 2008-11-02
Medium Priority
Last Modified: 2011-10-19
When I boot up in normal mode and login in the computer runs for about a minute and then I get a dialogue box with the error message: ." this system is shutting down..the process c:\windows\system32\isass.exe teminated  code is 1073741819'.

After the message goes thru a 60 second count down, the system seems to hang and the only way to restart the computer is with a hard boot.

I am using a Dell Workstation 690.

Jeff Waymack
206 634-0849
Question by:Starbuck67
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5

Expert Comment

ID: 22864333
"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token. More info

Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

Virus with same name:
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee
W32.HLLW.Lovgate.C@mm - Symantec Corporation

Try to fix it by the following tools:


Also take a look here:
And be sure to get windows up-to-date from

Expert Comment

ID: 22864370
Another method:
When starting your PC and when you get the error and your PC sarts to shutdown..Type this command in Run--> shutdown -a , This will extend the shutdown time and don't panic you will sometimes not be able to shutdown the PC through shutdown option too, Not connect to internet and download the file from Norton.
Run the file to scan your PC and this will remove the worm from your PC.

Author Comment

ID: 22864482
Hi Two People Hk,

I have attached more information (screen captures and HiJacks Log for your reference.

I had already downloaded and run the Symantec utility in safe mode. Nothing was found.

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.


Expert Comment

ID: 22864511
You may try this:
Scan "Local Disks". You may be infected and a online scanner is best for ensuring the scanner has not been manipulated.

Expert Comment

ID: 22864522
Please make a update for your windows as well.

Author Comment

ID: 22867994

What do you mean "Please make a update for your windows as well."?


Author Comment

ID: 22868520

I ran both the Stinger and Fxsasser detection utilities and nothing was found. I have attached the logs from both.

Author Comment

ID: 22869741

Your instructions "When starting your PC and when you get the error and your PC starts to shutdown..Type this command in Run--> shutdown -a" did not stop the system from shutting down.


Expert Comment

ID: 22873431
Sorry, It should be Please RUN your windows update as well.

Accepted Solution

two_people_hk earned 1500 total points
ID: 22873489
There are anti virus News Groups specifically for this type of discussion.

One of the above and microsoft.public.windowsxp.general is all that this should have been
posted too ! Theefore I have set Follow-ups to those two News Groups.

The following are certainly symptoms of a LSASS buffer overflow exploit via TCP port 445.

'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819


'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819

However, one can NOT assume Sasser. There are several Internet worms now actively taking
advantage of this vulnerability. Most notable are the SDBot/RBot worms

W32/Sasser.worm.a --
W32/Reatle.f@MM --
W32/Gaobot.worm.gen --
Qhosts.apd --
W32/Plexus.b@MM --
W32/Sdbot.worm!ftp --
W32/Mytob.gen@MM --
W32/Radebot.worm --
{ W32/Radebot.worm, W32/Mytob.gen@MM & W32/Sdbot.worm!ftp will all exploit both LSASS and
the RPC/RPCSS DCOM vulnerabilities }

To mitigate the LSASS module buffer overflow vulnerability one needs to install the
following Microsoft LSASS for WinXP KB835732 --

One can execute the 'shutdown -a' command line to stop the 60 second countdown and effect
the installation of the patch. Additionally disconnecting the PC from the Internet will
keep such an attack from happening and allow the installation of the patch.

When you get the (attached) NT Shutdown message with the 60 sec. countdown...
Go to; Start --> Run
enter; shutdown -a

It should also be noted that just becuase one gets the (attched) LSASS shutdown message, it
does NOT mean that one is infected. It means that TCP port 445 is under attack by
attempting to exploit the buffer overflow vulnerability. A non-vulnerable system will not
exhibit the (attached) NT Shutdown message.

One *must* use a FireWall and patch their systems to prevent such an exploitation.

If one is on Broadband a Cable/DSL Router such as the Linksys BEFSR41 can greatly mitigate
such a threat even if LAN nodes are not fully patched. Specifically blocking both TCP and
UDP ports 135 ~ 139 and 445 will completely mitigate and of the worms or hackers trying to
take advantage of MS Networking ports using TCP/IP.

The following tool can be used to find and remove any of the known Internet worms that will
exploit the vulnerability and should be used ASAP.

Download MULTI_AV.EXE from the URL --

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help

Author Comment

ID: 22946675
My bad for having two similar questions running. I had given up on this post as there was about a day when there was no response and I was in a real rush. During that one day span with no reply I tried giving the question a push by 'requesting attention' which had no effect.

Featured Post

Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Upper back Pain: My back hurt for months. Upper back, mostly my neck, spine and across my shoulder blades. I was getting headaches too, that felt like they were caused by tension in my shoulders, but now I feel fine! I'm sharing this hoping someone…
pc, laptop  monitor connection configurations
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question