-
WINDOWS SERVER 2003
Our Windows Server 2003 is restarting randomly. When I log back in there are
various error messages, but the most common is a reference to the SHELL
encountering a problem. I have tried disconnecting the UPS, the virus
software, monitoring all applications from PC's connected to the server and
still it restarts. One of the problems I also have is when copying or moving
a large file, the status bar moves along as if it's completed the copy over
and then it will come up with a message stating the server is no longer
available.
-
Re: WINDOWS SERVER 2003
Shane Sensor wrote:
> Our Windows Server 2003 is restarting randomly. When I log back in
> there are various error messages, but the most common is a reference
> to the SHELL encountering a problem. I have tried disconnecting the
> UPS, the virus software, monitoring all applications from PC's
> connected to the server and still it restarts. One of the problems I
> also have is when copying or moving a large file, the status bar
> moves along as if it's completed the copy over and then it will come
> up with a message stating the server is no longer available.
Describe your hardware and check the errors in the event id.....
--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager
--------------------------------------------------------------------
CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to supporto.informatico@degennaro.biz
Thank you
--------------------------------------------------------------------
-
Re: WINDOWS SERVER 2003
Below is a listing of hardware direct from the installers:-
INTEL STORAGE SERVER INCLUDING INTEL PENTIUM 4 - S40 - 3.2GHZ 800MHZ FSB
LGA77, INTEL BLKD915PGNL/915P/ICH6/PCI-EX16/4XDDR, 2 X KINGSTON 512MB 184PIN
400MHZ (PC3200) CL3 DD, 1 X CHANBRO 209AB BLACK INTEL APPROVED HIGH END SER,
1 X ENHNACE PS-0262 INTEL APPROVED EPS12V 520W PO, 4 X 74GB WESTERN DIGITAL
SATA 10000RPM (8MB CACH), 1 X ASUS EAX300/TD/128 VIDEO CARD, 1 X MICROSOFT
SMALL BUSINESS SERVER 2003 STANDARD, 1 X MICROSOFT SBS CAL 203 5NL USER CAL,
1 X PROMISE S150 SX4-M 4XSATA RAID CONTROLLER
Hope this helps. I have also gone through the event logs as you suggested,
unfortunately there are so many error logs I'm not sure what I'm looking for
exactly. Just prior to me sending this message, the server came up with a
red screen this time saying that it is going to restart in 30 seconds and
there was a problem with the NT Authority System, so that's a new message
altogether that I haven't seen. The virus system we're running is eTrust
Antivirus.
Thanks
Shane
-
Re: WINDOWS SERVER 2003
Additional:- I have re-examined the event logs and have noticed that there
is a Warning that appears as follows prior to an unexpected shutdown. The
server seems to be resetting at all hours of the night when no users are
present.
SOURCE: W32Time, Type: Warning.
The time provider NtpServer encountered an error while digitally signing the
NTP response from peer xxxx. NtpServer cannot provide secure (signed) time
to the client and will ignore the request. The error was: The RPC server is
unavailable (0x800706BA)
-
Re: WINDOWS SERVER 2003
Hi Shane,
Check for viruses on your server. You can run a free online scan from
trendmicro.com.
Lukesh
-
Re: WINDOWS SERVER 2003
Hello, I have run 2 separate full virus scans of all individual pc's and the
server using different virus software and both scans came up clean. This
resetting problem is really weird because today, we've had all pc's running
and the server hasn't reset once, but tomorrow could reset 10 times.
-
Re: WINDOWS SERVER 2003
Shane Sensor wrote:
> Hello, I have run 2 separate full virus scans of all individual pc's
> and the server using different virus software and both scans came up
> clean. This resetting problem is really weird because today, we've
> had all pc's running and the server hasn't reset once, but tomorrow
> could reset 10 times.
Sorry for lateness.
Try also this from Microsoft:
http://www.microsoft.com/security/ma...e/default.mspx
Regards
--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager
-
Re: WINDOWS SERVER 2003
Hi, thanks for the suggestion link, I downloaded and ran the Malicious
Software Removal Tool on every pc and the server and nothing was found. I
was checking the event logs earlier and noticed that every time the server
restarts there is an error message from HIDKBDUSER and then one from LSA SHELL
both stating that they encountered a problem and had to shut down. The random
restarts were not occurring this week for the first couple of days, and then
today, it's restarted about 4 times in the past hour. Any more suggestions
that you may be able to think of. I had one question that I was going to ask
that I've seen on newsgroups on the Microsoft website. It states that you
can right click on my computer, advanced tab, settings, startup and recovery
and Clear Auto Restart check. Do you think there is any danger in clearing
this check, because I remember reading that the blue screen may appear and I
may have to get someone from Microsoft to clear the blue screen. I guess the
most frustrating part of this is that there are all these error reports
generated by Exchange Server, but they aren't very helpful in this situation.
It tells me that it was an unplanned shutdown, but doesn't tell me why, or
what caused it. Very frustrating.
-
Re: WINDOWS SERVER 2003
"Shane Sensor" <ShaneSensor@discussions.microsoft.com> wrote in message
news:38D428E0-D4A5-4311-8FC1-2CC7B9FD3680@microsoft.com...
> Hi, thanks for the suggestion link, I downloaded and ran the Malicious
> Software Removal Tool on every pc and the server and nothing was found. I
> was checking the event logs earlier and noticed that every time the server
> restarts there is an error message from HIDKBDUSER and then one from LSA SHELL
> both stating that they encountered a problem and had to shut down. The random
> restarts were not occurring this week for the first couple of days, and then
> today, it's restarted about 4 times in the past hour. Any more suggestions
> that you may be able to think of. I had one question that I was going to ask
> that I've seen on newsgroups on the Microsoft website. It states that you
> can right click on my computer, advanced tab, settings, startup and recovery
> and Clear Auto Restart check. Do you think there is any danger in clearing
> this check, because I remember reading that the blue screen may appear and I
> may have to get someone from Microsoft to clear the blue screen. I guess the
> most frustrating part of this is that there are all these error reports
> generated by Exchange Server, but they aren't very helpful in this situation.
> It tells me that it was an unplanned shutdown, but doesn't tell me why, or
> what caused it. Very frustrating.
Read also this: http://support.microsoft.com/kb/827363/en-us
I suggest scanning the server (or the PC) in Safe Mode.
Let me know the result.
--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager
-
Re: WINDOWS SERVER 2003
Was this ever resolved? I have the exact same issue.
Thanks
Jeff
-
Re: WINDOWS SERVER 2003
I have the same issue but not as frequent.. any resolution?
thanks.
John
-
Re: WINDOWS SERVER 2003
Hello. Have tried running malicious software removal tools and scanning pcs
and server in safe mode. Nothing unusual found. This week had 4 days where
the server didn't reset once, and then today it's reset 7 times in about an
hour. Found the following note in the Event logs which I hadn't noticed
before, but this event actually explains that the server will be restarted.
EVENT: 1074 - USER: NT AUTHORITY/SYSTEM
The process Winlogon.exe has initiated the restart of computer on behalf of
user for the following reason: No title for this reason could be found.
Reason Code: 0x50006
Shutdown type: Restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated
unexpectedly with status code -1073740972. The system will now shut down and
restart.
I have also gone back through the logs and this event is definitely logged
every time the server restarts, and definitely sounds like it is the reason for
restarts as it says. Can anyone tell me what I do from here and how I look
into this further. Thanks, Shane
-
Re: WINDOWS SERVER 2003
I am getting that event, and I have noticed a software install happened
moments before the first occurrence. In the system log I see where the MSI
service starts and enters running but then I see an unexpected reboot message
and then a little while later I started getting that message. (lsass
1073740972)
The server is at a site I initially set up, and had 81 days of uptime before
the install, now it is consistent, once every 7 days at the same time (within
a couple of minutes). I have figured out the customer tried to install
Sonicwall Viewpoint software. I would look for software installation in the
event log if your log is long enough to go back that far (when it first
started happening).
I haven't uninstalled or tried to fix that install yet, but it is almost a
given this is what most likely caused my issue.
-
Re: WINDOWS SERVER 2003
I have a customer whose server I manage that is also having this issue. OS is 2003 R2 Enterprise Ed., SP2. After deep investigation, we found that the Sasser worm or its variants seem to be at the heart of this matter, however I am unable to find any of the tell-tale .exe files (and there are several) or registry entries. We have not installed the Microsoft patch (the customer has not given their consent even after letting them know this will help). Much like the other posters, the reboots are random with no pattern. I just had one happen about 2 hours ago for the first time in a few weeks.
They are running ESET NOD32 Antivirus and are firewalled via an appliance (not software). We see events in both the Application AND System Event Viewer Logs. The following are snippets of the log entries:
From System Logs:
Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 11/2/2008
Time: 7:16:47 PM
User: N/A
Computer: XXXXXXXXX
Description: The security package Microsoft Unified Security Protocol Provider generated an exception. The exception information is the data.
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 11/2/2008
Time: 7:17:22 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXXXX
Description: The process winlogon.exe has initiated the restart of computer XXXXXXXXX on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINNT\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.
Application Logs:
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 11/2/2008
Time: 7:16:50 PM
User: N/A
Computer: XXXXXXXXX
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module crypt32.dll, version 5.131.3790.3959, fault address 0x0001ec50.
Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 11/2/2008
Time: 7:17:21 PM
User: N/A
Computer: XXXXXXXXXX
Description: A critical system process, C:\WINNT\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
I am starting to wonder if this is a new variant? Last variant was in 2007, but like I said previously, I find none of the tell-tale .exe files or the registry entries which makes me wonder. Anyone have any more info or any similar instances?
Also for those who want to dig, I found this link helpful in checking the server, so it might help others who aren't in the same situation as myself:
http://ask-leo.com/what_are_lsass_ls...o_if_i_am.html
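Added example, not part of any post in this thread: a triage script for the records quoted above that normalises the lsass.exe exit status (signed decimal in event 1074, bare hex in event 1015) to an NTSTATUS value and pairs each termination with the Application Error and LsaSrv records logged just before it. The function names, the 120-second window, the M/D/YYYY date format and the trimmed sample records are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Names for the two status codes seen in this thread (values from ntstatus.h).
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000354: "STATUS_DEBUGGER_INACTIVE"}

# Event 1074 prints the exit status as signed decimal; event 1015 prints bare hex.
RE_1074 = re.compile(r"lsass\.exe' terminated unexpectedly with status code\s*(-?\d+)", re.I)
RE_1015 = re.compile(r"lsass\.exe, failed with status code ([0-9a-f]{8})", re.I)
RE_1000 = re.compile(r"Faulting application lsass\.exe.*?faulting module ([\w.]+),", re.I)
RE_FIELD = re.compile(r"(?m)^(Event Source|Event ID|Date|Time):[ \t]*(.*\S)")

# Constructed sample: the records quoted in the thread, trimmed to the fields used here.
SAMPLE = r"""
Event Type: Error
Event Source: LsaSrv
Event ID: 5000
Date: 11/2/2008
Time: 7:16:47 PM
Description: The security package Microsoft Unified Security Protocol Provider generated an exception.
Event Type: Information
Event Source: USER32
Event ID: 1074
Date: 11/2/2008
Time: 7:17:22 PM
Comment: The system process 'C:\WINNT\system32\lsass.exe' terminated unexpectedly with status code -1073741819.
Event Type: Error
Event Source: Application Error
Event ID: 1000
Date: 11/2/2008
Time: 7:16:50 PM
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module crypt32.dll, version 5.131.3790.3959, fault address 0x0001ec50.
Event Type: Error
Event Source: Winlogon
Event ID: 1015
Date: 11/2/2008
Time: 7:17:21 PM
Description: A critical system process, C:\WINNT\system32\lsass.exe, failed with status code c0000005.
"""

def to_ntstatus(value, base=10):
    """Normalise a signed-decimal or hex status string to an unsigned 32-bit value."""
    return int(value, base) & 0xFFFFFFFF

def describe(status):
    return "0x%08X %s" % (status, NTSTATUS_NAMES.get(status, "(not in local table)"))

def parse_events(text):
    """Split an Event Viewer text export into records sorted by timestamp."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        f = dict(RE_FIELD.findall(chunk))
        if not all(k in f for k in ("Event ID", "Date", "Time")):
            continue
        # Assumption: US-style M/D/YYYY dates and 12-hour times, as in the thread.
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"id": int(f["Event ID"]), "source": f.get("Event Source", ""),
                       "when": when, "raw": " ".join(chunk.split())})
    return sorted(events, key=lambda e: e["when"])

def lsass_status(ev):
    """Return the lsass.exe exit status as NTSTATUS, or None for other records."""
    if ev["id"] == 1074 and (m := RE_1074.search(ev["raw"])):
        return to_ntstatus(m.group(1))
    if ev["id"] == 1015 and (m := RE_1015.search(ev["raw"])):
        return to_ntstatus(m.group(1), 16)
    return None

def triage(text, window=timedelta(seconds=120)):
    """Pair each lsass termination with what was logged in the window before it."""
    events = parse_events(text)
    findings = []
    for ev in events:
        status = lsass_status(ev)
        if status is None:
            continue
        before = [e for e in events if e is not ev and timedelta(0) <= ev["when"] - e["when"] <= window]
        modules = sorted({m.group(1).lower() for e in before
                          if e["id"] == 1000 and (m := RE_1000.search(e["raw"]))})
        findings.append({"event_id": ev["id"], "when": ev["when"], "status": describe(status),
                         "faulting_modules": modules,
                         "lsasrv_exception": any(e["source"] == "LsaSrv" and e["id"] == 5000 for e in before)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Both termination records in the sample decode to the same status with crypt32.dll as the faulting module, while the code from the earlier event 1074 post, -1073740972, decodes to 0xC0000354, a different status.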
-
Re: WINDOWS SERVER 2003
Crossposted to the microsoft.public.security.virus
--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.