lsass.exe fails and reboots



ChrisOlver
07-09-2005, 10:53 PM
Hello all,

Simple problem this.. Looks like Sasser Worm has hit my Server 23k
Enterprise (acctually all 3 of our server boxes we have). I get lsass.exe has
caused an error and reboots after 60 seconds.. the problem is intermittent...
its been fine for days and we thought it was just a bug but now its doing it
every couple of hours.

When i boot up in the event log there is: A critical system process,
C:\WINDOWS\system32\lsass.exe, failed with status code c0000005

Right ive used stinger and norton removal tools but nothing is picking up
this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and AVG to
see if it picks it up and get nothing. Tried Adaware and Microsoft Malicious
Software tool thinking it maybe some form of MalWare but nothing either. The
server is fully up-to-date with its Windows patches and service packs. By
googleing the error someone has had the problem as well but no one replied In
sasser related posts they recommended changing the "restart when crashes"
system in services by changing to restart service instead of restart computer
but doesnt look like it worked. Someone also said when the error comes up do
(i think) shutdown -a in DOS.. thinking this we put it in a bat script and
launched it every 50 seconds. This failed also ive changed it to 10 seconds
but ill have to wait and see if it works.

On event log here is the source and id:

Source: LSAsrv
ID: 5000

and two of the error messages:

Faulting application lsass.exe, version 5.2.3790.0, faulting module
lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.

A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status
code c0000005. The machine must now be restarted.

If you need any info please say These 3 servers have our customers on there
and as you can imagine its starting to annoy everyone

Chris

Steven L Umbach
07-09-2005, 10:53 PM
Hi Chris.

I guess the problem is not simple if you have already gone through what you
have with no success. I don't know what it is offhand but I would suggest
that you make sure that you are using the latest virus definition files from
your vendor as of today and email or contact them with specifics about your
problem. Trend Micro also has a free detection and removal tool called
Sysclean and the matching pattern file has a date of June 4, 2005. You
simply download Sysclean and the pattern file to a common folder to run
from - no need to install. You might also want to try running your malware
removal tools in safe mode.

SysInternals also makes a number of free tools that may be of help in
tracking down processes, port use, and startup programs on your computer
such as Process Explorer, TCPView, and Autoruns. They also have a root kit
detection tool called RootKitRevealer. When using such tools it is often
very helpful to compare results to a like configured known clean computer.
The links below may be of help. --- Steve

http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp
http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.virustotal.com/flash/index_en.html

"ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
> Hello all,
>
> Simple problem this.. Looks like Sasser Worm has hit my Server 23k
> Enterprise (acctually all 3 of our server boxes we have). I get lsass.exe
> has
> caused an error and reboots after 60 seconds.. the problem is
> intermittent...
> its been fine for days and we thought it was just a bug but now its doing
> it
> every couple of hours.
>
> When i boot up in the event log there is: A critical system process,
> C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
>
> Right ive used stinger and norton removal tools but nothing is picking up
> this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and AVG
> to
> see if it picks it up and get nothing. Tried Adaware and Microsoft
> Malicious
> Software tool thinking it maybe some form of MalWare but nothing either.
> The
> server is fully up-to-date with its Windows patches and service packs. By
> googleing the error someone has had the problem as well but no one replied
> In
> sasser related posts they recommended changing the "restart when crashes"
> system in services by changing to restart service instead of restart
> computer
> but doesnt look like it worked. Someone also said when the error comes up
> do
> (i think) shutdown -a in DOS.. thinking this we put it in a bat script and
> launched it every 50 seconds. This failed also ive changed it to 10
> seconds
> but ill have to wait and see if it works.
>
> On event log here is the source and id:
>
> Source: LSAsrv
> ID: 5000
>
> and two of the error messages:
>
> Faulting application lsass.exe, version 5.2.3790.0, faulting module
> lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
>
> A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
> status
> code c0000005. The machine must now be restarted.
>
> If you need any info please say These 3 servers have our customers on
> there
> and as you can imagine its starting to annoy everyone
>
> Chris

ChrisOlver
07-09-2005, 10:53 PM
Hi Steve,

Thanks for your reply. We currently have a fully up-to-date version of
Symantec Corperate AV running which is updated daily... Sysclean is going as
we speak :) On other forums where ive posted this issue as we are really
starting to struggle to sort the problem they have all said "firewall
firewall firewall" now when using a port scanner port 445 (which is sasser
port) was getting connected by wierd locatitions ie china (these are UK
gaming servers) but nothing happened after. We are trying to get our firewall
on but having an issue with Kerio Server Firewall which tbh is the best we
can use.

I cannot boot into safe mode as these servers are only usable via terminal
services. These are stored in a data centre and i would have to pay for
techincal support for an admin to do something.

So what do you recommend , use SysInternals and see what the results it
brings up?


"Steven L Umbach" wrote:

> Hi Chris.
>
> I guess the problem is not simple if you have already gone through what you
> have with no success. I don't know what it is offhand but I would suggest
> that you make sure that you are using the latest virus definition files from
> your vendor as of today and email or contact them with specifics about your
> problem. Trend Micro also has a free detection and removal tool called
> Sysclean and the matching pattern file has a date of June 4, 2005. You
> simply download Sysclean and the pattern file to a common folder to run
> from - no need to install. You might also want to try running your malware
> removal tools in safe mode.
>
> SysInternals also makes a number of free tools that may be of help in
> tracking down processes, port use, and startup programs on your computer
> such as Process Explorer, TCPView, and Autoruns. They also have a root kit
> detection tool called RootKitRevealer. When using such tools it is often
> very helpful to compare results to a like configured known clean computer.
> The links below may be of help. --- Steve
>
> http://www.trendmicro.com/download/dcs.asp
> http://www.trendmicro.com/download/pattern.asp
> http://www.sysinternals.com/Utilities/ProcessExplorer.html
> http://www.virustotal.com/flash/index_en.html
>
> "ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
> news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
> > Hello all,
> >
> > Simple problem this.. Looks like Sasser Worm has hit my Server 23k
> > Enterprise (acctually all 3 of our server boxes we have). I get lsass.exe
> > has
> > caused an error and reboots after 60 seconds.. the problem is
> > intermittent...
> > its been fine for days and we thought it was just a bug but now its doing
> > it
> > every couple of hours.
> >
> > When i boot up in the event log there is: A critical system process,
> > C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
> >
> > Right ive used stinger and norton removal tools but nothing is picking up
> > this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and AVG
> > to
> > see if it picks it up and get nothing. Tried Adaware and Microsoft
> > Malicious
> > Software tool thinking it maybe some form of MalWare but nothing either.
> > The
> > server is fully up-to-date with its Windows patches and service packs. By
> > googleing the error someone has had the problem as well but no one replied
> > In
> > sasser related posts they recommended changing the "restart when crashes"
> > system in services by changing to restart service instead of restart
> > computer
> > but doesnt look like it worked. Someone also said when the error comes up
> > do
> > (i think) shutdown -a in DOS.. thinking this we put it in a bat script and
> > launched it every 50 seconds. This failed also ive changed it to 10
> > seconds
> > but ill have to wait and see if it works.
> >
> > On event log here is the source and id:
> >
> > Source: LSAsrv
> > ID: 5000
> >
> > and two of the error messages:
> >
> > Faulting application lsass.exe, version 5.2.3790.0, faulting module
> > lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
> >
> > A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
> > status
> > code c0000005. The machine must now be restarted.
> >
> > If you need any info please say These 3 servers have our customers on
> > there
> > and as you can imagine its starting to annoy everyone
> >
> > Chris
>
>
>

Steven L Umbach
07-09-2005, 10:53 PM
Chris.

If your firewall is allowing connections to port 445 or other unauthorized
ports then you need to close that ASAP. You can use a free self scan site
such as http://scan.sygatetech.com/. Port 445 availability indicates that
file and print sharing is enabled on the external network adapter. You
should disable file and print sharing on that network adapter ASAP. Note
that doing such will not allow you to manage the server via Computer
Management or other means that use SMB however you can use Remote Desktop
Management to manage the server assuming it is enabled. A RDP connection
over the internet would be encrypted. If you are having problems with Kerio
note that Windows 2003 also has a built in firewall [though not a very
flexible one until SP1 but I believe SP1 will enable it by default and may
lock you out] or an ipsec filtering policy that can be used to supplement
the firewall until everything is working correctly. If you try to configure
such you have to be absolutely sure that you will be able to access the
computer before you enable the Windows firewall or ipsec filtering policy or
you can be blocked out to all but local console logon.

If problems still continue after making sure your network is secure from
the internet and after doing malware scans I would be sure to contact
Symantec to see what they have to say. Not being able to boot into safe mode
is a big disadvantage. Yes I would run Process Explorer, Autoruns, and
TCPView to see if you can find any rouge process that should not be there.
TCPView will show what ports are being used on the computer and by what
process/executable. Autoruns will show what programs are started
automatically when the computer starts up and gives you the option to
disable the program from starting automatically. If you find a questionable
process try searching Google web AND news for more information on the
process and related executable and let Symantec know about it to see if they
can help. The link below is to Microsoft's Antivirus in Depth Guide which
you may want to read. It is geared to system admins and power users. The
last link is to a site that has good info on processes. -- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
http://www.liutilities.com/products/wintaskspro/processlibrary/

"ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
news:7C20B853-BA0D-4229-852A-D4A912E56EEC@microsoft.com...
> Hi Steve,
>
> Thanks for your reply. We currently have a fully up-to-date version of
> Symantec Corperate AV running which is updated daily... Sysclean is going
> as
> we speak :) On other forums where ive posted this issue as we are really
> starting to struggle to sort the problem they have all said "firewall
> firewall firewall" now when using a port scanner port 445 (which is sasser
> port) was getting connected by wierd locatitions ie china (these are UK
> gaming servers) but nothing happened after. We are trying to get our
> firewall
> on but having an issue with Kerio Server Firewall which tbh is the best we
> can use.
>
> I cannot boot into safe mode as these servers are only usable via terminal
> services. These are stored in a data centre and i would have to pay for
> techincal support for an admin to do something.
>
> So what do you recommend , use SysInternals and see what the results it
> brings up?
>
>
> "Steven L Umbach" wrote:
>
>> Hi Chris.
>>
>> I guess the problem is not simple if you have already gone through what
>> you
>> have with no success. I don't know what it is offhand but I would suggest
>> that you make sure that you are using the latest virus definition files
>> from
>> your vendor as of today and email or contact them with specifics about
>> your
>> problem. Trend Micro also has a free detection and removal tool called
>> Sysclean and the matching pattern file has a date of June 4, 2005. You
>> simply download Sysclean and the pattern file to a common folder to run
>> from - no need to install. You might also want to try running your
>> malware
>> removal tools in safe mode.
>>
>> SysInternals also makes a number of free tools that may be of help in
>> tracking down processes, port use, and startup programs on your computer
>> such as Process Explorer, TCPView, and Autoruns. They also have a root
>> kit
>> detection tool called RootKitRevealer. When using such tools it is often
>> very helpful to compare results to a like configured known clean
>> computer.
>> The links below may be of help. --- Steve
>>
>> http://www.trendmicro.com/download/dcs.asp
>> http://www.trendmicro.com/download/pattern.asp
>> http://www.sysinternals.com/Utilities/ProcessExplorer.html
>> http://www.virustotal.com/flash/index_en.html
>>
>> "ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
>> news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
>> > Hello all,
>> >
>> > Simple problem this.. Looks like Sasser Worm has hit my Server 23k
>> > Enterprise (acctually all 3 of our server boxes we have). I get
>> > lsass.exe
>> > has
>> > caused an error and reboots after 60 seconds.. the problem is
>> > intermittent...
>> > its been fine for days and we thought it was just a bug but now its
>> > doing
>> > it
>> > every couple of hours.
>> >
>> > When i boot up in the event log there is: A critical system process,
>> > C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
>> >
>> > Right ive used stinger and norton removal tools but nothing is picking
>> > up
>> > this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and
>> > AVG
>> > to
>> > see if it picks it up and get nothing. Tried Adaware and Microsoft
>> > Malicious
>> > Software tool thinking it maybe some form of MalWare but nothing
>> > either.
>> > The
>> > server is fully up-to-date with its Windows patches and service packs.
>> > By
>> > googleing the error someone has had the problem as well but no one
>> > replied
>> > In
>> > sasser related posts they recommended changing the "restart when
>> > crashes"
>> > system in services by changing to restart service instead of restart
>> > computer
>> > but doesnt look like it worked. Someone also said when the error comes
>> > up
>> > do
>> > (i think) shutdown -a in DOS.. thinking this we put it in a bat script
>> > and
>> > launched it every 50 seconds. This failed also ive changed it to 10
>> > seconds
>> > but ill have to wait and see if it works.
>> >
>> > On event log here is the source and id:
>> >
>> > Source: LSAsrv
>> > ID: 5000
>> >
>> > and two of the error messages:
>> >
>> > Faulting application lsass.exe, version 5.2.3790.0, faulting module
>> > lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
>> >
>> > A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
>> > status
>> > code c0000005. The machine must now be restarted.
>> >
>> > If you need any info please say These 3 servers have our customers on
>> > there
>> > and as you can imagine its starting to annoy everyone
>> >
>> > Chris
>>
>>
>>

Roger Abell [MVP]
07-09-2005, 10:53 PM
So, I did not see you mention that these W2k3 are up-to-date on service,
that meaning either (preferred) SP1 is installed, or all security patches.
If so, then while suboptimal for most deployment scenarios, just having
tcp 445 visible is not deadly, nor for that matter the other netbt ports.

Setting the auto reboot is not your route, as when lsass has issues all
of Windows either pays attention or halts. The error is stating that there
is an access violation (which of course should not happen for lsass). So,
the question is, do you recognize everything that is showing a running ?
all services ? The question really is, can you get back to a known good
state of the machines, before this "whatever it is" became implanted?

--
Roger
"ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
> Hello all,
>
> Simple problem this.. Looks like Sasser Worm has hit my Server 23k
> Enterprise (acctually all 3 of our server boxes we have). I get lsass.exe
> has
> caused an error and reboots after 60 seconds.. the problem is
> intermittent...
> its been fine for days and we thought it was just a bug but now its doing
> it
> every couple of hours.
>
> When i boot up in the event log there is: A critical system process,
> C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
>
> Right ive used stinger and norton removal tools but nothing is picking up
> this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and AVG
> to
> see if it picks it up and get nothing. Tried Adaware and Microsoft
> Malicious
> Software tool thinking it maybe some form of MalWare but nothing either.
> The
> server is fully up-to-date with its Windows patches and service packs. By
> googleing the error someone has had the problem as well but no one replied
> In
> sasser related posts they recommended changing the "restart when crashes"
> system in services by changing to restart service instead of restart
> computer
> but doesnt look like it worked. Someone also said when the error comes up
> do
> (i think) shutdown -a in DOS.. thinking this we put it in a bat script and
> launched it every 50 seconds. This failed also ive changed it to 10
> seconds
> but ill have to wait and see if it works.
>
> On event log here is the source and id:
>
> Source: LSAsrv
> ID: 5000
>
> and two of the error messages:
>
> Faulting application lsass.exe, version 5.2.3790.0, faulting module
> lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
>
> A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
> status
> code c0000005. The machine must now be restarted.
>
> If you need any info please say These 3 servers have our customers on
> there
> and as you can imagine its starting to annoy everyone
>
> Chris

rjdriver
07-09-2005, 10:53 PM
Symantic has specific and separate Sasser removal tools. Not sure if they
apply to your particlar situation, but here they are:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html




Bob



"ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
> Hello all,
>
> Simple problem this.. Looks like Sasser Worm has hit my Server 23k
> Enterprise (acctually all 3 of our server boxes we have). I get lsass.exe
> has
> caused an error and reboots after 60 seconds.. the problem is
> intermittent...
> its been fine for days and we thought it was just a bug but now its doing
> it
> every couple of hours.
>
> When i boot up in the event log there is: A critical system process,
> C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
>
> Right ive used stinger and norton removal tools but nothing is picking up
> this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and AVG
> to
> see if it picks it up and get nothing. Tried Adaware and Microsoft
> Malicious
> Software tool thinking it maybe some form of MalWare but nothing either.
> The
> server is fully up-to-date with its Windows patches and service packs. By
> googleing the error someone has had the problem as well but no one replied
> In
> sasser related posts they recommended changing the "restart when crashes"
> system in services by changing to restart service instead of restart
> computer
> but doesnt look like it worked. Someone also said when the error comes up
> do
> (i think) shutdown -a in DOS.. thinking this we put it in a bat script and
> launched it every 50 seconds. This failed also ive changed it to 10
> seconds
> but ill have to wait and see if it works.
>
> On event log here is the source and id:
>
> Source: LSAsrv
> ID: 5000
>
> and two of the error messages:
>
> Faulting application lsass.exe, version 5.2.3790.0, faulting module
> lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
>
> A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
> status
> code c0000005. The machine must now be restarted.
>
> If you need any info please say These 3 servers have our customers on
> there
> and as you can imagine its starting to annoy everyone
>
> Chris

ChrisOlver
07-09-2005, 10:53 PM
Im fully upto date with updates and virus defintions.. Firewall wise i am
wating back on a support issue and as soon as they sort that problem out it
will be depolied in the server. Cant i go back to a time before it was not
stable? Nope.. if this doesnt work it looks like a server 2003 reinstall :(

Tried all removal tools and nothing but still theres still this annoying
bug. Any other ideas?


"rjdriver" wrote:

> Symantic has specific and separate Sasser removal tools. Not sure if they
> apply to your particlar situation, but here they are:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
>
>
>
>
> Bob
>
>
>
> "ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
> news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
> > Hello all,
> >
> > Simple problem this.. Looks like Sasser Worm has hit my Server 23k
> > Enterprise (acctually all 3 of our server boxes we have). I get lsass.exe
> > has
> > caused an error and reboots after 60 seconds.. the problem is
> > intermittent...
> > its been fine for days and we thought it was just a bug but now its doing
> > it
> > every couple of hours.
> >
> > When i boot up in the event log there is: A critical system process,
> > C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
> >
> > Right ive used stinger and norton removal tools but nothing is picking up
> > this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and AVG
> > to
> > see if it picks it up and get nothing. Tried Adaware and Microsoft
> > Malicious
> > Software tool thinking it maybe some form of MalWare but nothing either.
> > The
> > server is fully up-to-date with its Windows patches and service packs. By
> > googleing the error someone has had the problem as well but no one replied
> > In
> > sasser related posts they recommended changing the "restart when crashes"
> > system in services by changing to restart service instead of restart
> > computer
> > but doesnt look like it worked. Someone also said when the error comes up
> > do
> > (i think) shutdown -a in DOS.. thinking this we put it in a bat script and
> > launched it every 50 seconds. This failed also ive changed it to 10
> > seconds
> > but ill have to wait and see if it works.
> >
> > On event log here is the source and id:
> >
> > Source: LSAsrv
> > ID: 5000
> >
> > and two of the error messages:
> >
> > Faulting application lsass.exe, version 5.2.3790.0, faulting module
> > lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
> >
> > A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
> > status
> > code c0000005. The machine must now be restarted.
> >
> > If you need any info please say These 3 servers have our customers on
> > there
> > and as you can imagine its starting to annoy everyone
> >
> > Chris
>
>
>

rjdriver
07-09-2005, 10:53 PM
It looks like you have tried all the right tools. Maybe this is a new
Sasser varient and you are one of the first recipients. Ouch!

As a last resort, it can't hurt to try the MS Anti Spyware beta and
Counterspy from Sunbelt Software. They are similar spyware/malware removal
tools that use the same scanning engine but with different spyware
definitions. Both are excellent programs.


The MS product is free and Counterspy has a 15 day free evaluation version.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

http://www.sunbelt-software.com/


Good Luck.
Bob




lver" <ChrisOlver@discussions.microsoft.com> wrote in message
news:6B9F690A-151B-4404-BEB0-4AE26F583033@microsoft.com...
> Im fully upto date with updates and virus defintions.. Firewall wise i am
> wating back on a support issue and as soon as they sort that problem out
> it
> will be depolied in the server. Cant i go back to a time before it was
> not
> stable? Nope.. if this doesnt work it looks like a server 2003 reinstall
> :(
>
> Tried all removal tools and nothing but still theres still this annoying
> bug. Any other ideas?
>
>
> "rjdriver" wrote:
>
>> Symantic has specific and separate Sasser removal tools. Not sure if
>> they
>> apply to your particlar situation, but here they are:
>>
>> http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
>>
>>
>>
>>
>> Bob
>>
>>
>>
>> "ChrisOlver" <ChrisOlver@discussions.microsoft.com> wrote in message
>> news:60E88BDE-E229-48EB-837E-A876D3E427B6@microsoft.com...
>> > Hello all,
>> >
>> > Simple problem this.. Looks like Sasser Worm has hit my Server 23k
>> > Enterprise (acctually all 3 of our server boxes we have). I get
>> > lsass.exe
>> > has
>> > caused an error and reboots after 60 seconds.. the problem is
>> > intermittent...
>> > its been fine for days and we thought it was just a bug but now its
>> > doing
>> > it
>> > every couple of hours.
>> >
>> > When i boot up in the event log there is: A critical system process,
>> > C:\WINDOWS\system32\lsass.exe, failed with status code c0000005
>> >
>> > Right ive used stinger and norton removal tools but nothing is picking
>> > up
>> > this. Says I am clean? Tried Macfee, Symantec Corprate AntiVirus and
>> > AVG
>> > to
>> > see if it picks it up and get nothing. Tried Adaware and Microsoft
>> > Malicious
>> > Software tool thinking it maybe some form of MalWare but nothing
>> > either.
>> > The
>> > server is fully up-to-date with its Windows patches and service packs.
>> > By
>> > googleing the error someone has had the problem as well but no one
>> > replied
>> > In
>> > sasser related posts they recommended changing the "restart when
>> > crashes"
>> > system in services by changing to restart service instead of restart
>> > computer
>> > but doesnt look like it worked. Someone also said when the error comes
>> > up
>> > do
>> > (i think) shutdown -a in DOS.. thinking this we put it in a bat script
>> > and
>> > launched it every 50 seconds. This failed also ive changed it to 10
>> > seconds
>> > but ill have to wait and see if it works.
>> >
>> > On event log here is the source and id:
>> >
>> > Source: LSAsrv
>> > ID: 5000
>> >
>> > and two of the error messages:
>> >
>> > Faulting application lsass.exe, version 5.2.3790.0, faulting module
>> > lsasrv.dll, version 5.2.3790.1023, fault address 0x0002a411.
>> >
>> > A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
>> > status
>> > code c0000005. The machine must now be restarted.
>> >
>> > If you need any info please say These 3 servers have our customers on
>> > there
>> > and as you can imagine its starting to annoy everyone
>> >
>> > Chris
>>
>>
>>


lsass.exe fails and reboots