
Possible solution to the lsass Issue – event 1000 application error

Back in July of 2013 I faced an issue with my Exchange 2013 Server running on Microsoft Server 2012.

Our server would unexpectedly reboot (chuckles: aren’t all reboots without notice unexpected?).

The message I kept running into was about a faulting application; what caused the reboot was the Local Security Authority Subsystem Service (LSASS).

What is known about lsass.exe is that if it is stopped, your system will reboot. LSASS also handles the validation of user logins on a Windows computer or server.

As I mentioned in my previous blog post:

There was an event message in the system event log of: 

The process wininit.exe has initiated the restart of computer EXSERVER on behalf of user for the following reason: No title for this reason could be found

Reason Code: 0x50006
Shutdown Type: restart

Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. The system will now shut down and restart.

Later I found in the application log event 1000 application error:

Faulting application name: lsass.exe, version: 6.2.9200.16384, time stamp: 0x50108ab2
Faulting module name: schannel.DLL, version: 6.2.9200.16384, time stamp: 0x5010892c
Exception code: 0xc0000409
Fault offset: 0x000000000001a73a
Faulting process id: 0x224
Faulting application start time: 0x01ce7f8a27d7e7ff
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\schannel.DLL
Report Id: c2142447-f4f2-11e2-9404-000c299625b9
Faulting package full name:
Faulting package-relative application ID:

The exception code 0xc0000409 only tells me that the application experienced an event it could not handle and crashed, causing Windows to reboot.

After months of searching forums and discussing this with systems administrators from all over the world, we determined that there was no clear answer regarding how to handle this issue.
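For triage, the event 1000 text above can be turned into a structured record. This is an added example, not code from the original post: it maps the exception code to its name in ntstatus.h (0xc0000409 is STATUS_STACK_BUFFER_OVERRUN), decodes the start time as a Windows FILETIME and the "time stamp" as the PE link time, and flags a crash of lsass.exe. The names `parse_event_1000`, `filetime_to_utc`, `NTSTATUS` and `CRITICAL` are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Event 1000 text as quoted in this post (empty package fields left out).
SAMPLE = r"""Faulting application name: lsass.exe, version: 6.2.9200.16384, time stamp: 0x50108ab2
Faulting module name: schannel.DLL, version: 6.2.9200.16384, time stamp: 0x5010892c
Exception code: 0xc0000409
Fault offset: 0x000000000001a73a
Faulting process id: 0x224
Faulting application start time: 0x01ce7f8a27d7e7ff
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\schannel.DLL
"""

# Illustrative subset of NTSTATUS values (ntstatus.h), not a full table.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}
# Processes whose exit forces a restart; only the post's case (assumption: extend).
CRITICAL = {"lsass.exe"}

def filetime_to_utc(ft):
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_event_1000(text):
    """Turn an 'Application Error' event 1000 message into a triage record."""
    f = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            f[key.strip()] = value.strip()
    app, _, app_rest = f["Faulting application name"].partition(",")
    mod = f["Faulting module name"].partition(",")[0]
    link_ts = int(re.search(r"time stamp: (0x[0-9a-fA-F]+)", app_rest).group(1), 16)
    code = int(f["Exception code"], 16)
    return {
        "app": app.lower(),
        "module": mod.lower(),
        "exception": NTSTATUS.get(code, hex(code)),  # unknown codes stay as hex
        "pid": int(f["Faulting process id"], 16),
        "started_utc": filetime_to_utc(int(f["Faulting application start time"], 16)),
        "app_built_utc": datetime.fromtimestamp(link_ts, tz=timezone.utc),
        "critical_process": app.lower() in CRITICAL,
    }

if __name__ == "__main__":
    for k, v in parse_event_1000(SAMPLE).items():
        print(f"{k}: {v}")
```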

Today I got an email regarding a solution for this problem:

There seems to be a solution in the form of a roll-up update from Microsoft to address this, along with other issues which are also listed in the following KB articles:

2732840 Tasklist.exe tool displays no process information on a computer that is running Windows

2785146 Data is corrupted when there is insufficient memory on a Windows-based computer

2789397 Data corruption and network issues when you run a WFP-based application on a computer that is running Windows

2792867 Virtual switch extension cannot send packets over different network adapters in Windows Server 2012

2793908 Memory leak occurs in the Wmimgmt.exe process on a computer that is running Windows Server 2012

2796620 Application that uses the DirectComposition API does not work correctly in Windows RT, Windows 8, or Windows Server 2012

2798040 You cannot stop a process by using the Taskkill.exe utility in Windows

2800086 Windows Store apps can’t connect to the Internet over PPPoE in Windows 8

2800185 Windows Error Reporting reports a crash when you shut down a computer that is running Windows RT, Windows 8, or Windows Server 2012

2809153 Sound is not playing from the paired Bluetooth audio device after you reconnect the device to a Windows 8-based or Windows RT-based computer

This update roll-up also includes the following performance and reliability improvements:

  • Increased power efficiency to extend battery life
  • Performance improvements in Win 8 applications and Start screen
  • Improved audio and video playback in many scenarios
  • Improved application and driver compatibility with Windows 8

Here are two links to articles to send you on your way. I will follow up soon on my findings after this has been applied.

http://support.microsoft.com/kb/2756872
http://support.microsoft.com/kb/2811660

I would like to thank all of you who have commented about this issue via Email, Twitter, Google+ and Facebook.