Unlocking workstation causes lsass.exe crash/forced reboot


I'm running Windows 7 Beta x32 build 7000 on a Dell Precision M6300 notebook.

Intel T7800, 4 gigs RAM, Quadro FX1600M, 120 gig 7200 RPM HDD

All critical and recommended patches/drivers have been installed including the NVidia Quadro driver for my display adapter.

I also had to install a patch provided for KB961402 to allow my machine to join our Active Directory domain.

At this point the only software installed is Firefox 3 and MS Office 2007 Professional. I had AVG 8 installed but I uninstalled it figuring it may be causing the problem.

What happens is before I walk away from my desk I press ALT+CTL+Del and select lock workstation so it's secure until I return.

As soon as I enter my password it returns me to my desktop and then prompts me with an error that says something to the effect "A critical error has occurred and your machine will reboot in 1 minute". Eventually it reboots and operates normally until I lock it again.

This is the second installation of Windows 7 Beta build 7000 on this laptop. When I had this problem last week and could not resolve it I reloaded a 2nd time to try and clear it up, but the problem persists.

As long as I do not lock the workstation or do not require a password when the screen saver ends, I have no problems and the machine works wonderfully.

Does anyone have any advice?

I have provided detailed event log data below....

In the Event Viewer I see the following 3 error entries in the Application Log:

FIRST ENTRY:

Log Name: Application

Source: Application Error

Date: 2/10/2009 12:40:29 PM

Event ID: 1000

Task Category: (100)

Level: Error

Keywords: Classic

User: N/A

Computer: xxxxxxxxxx.xxxxxxxxxx.com

Description:

Faulting application name: lsass.exe, version: 6.1.7000.0, time stamp: 0x4943152e

Faulting module name: ntdll.dll, version: 6.1.7000.0, time stamp: 0x49433e67

Exception code: 0xc0000374

Fault offset: 0x000c0853

Faulting process id: 0x214

Faulting application start time: 0x01c98ba1b28b136a

Faulting application path: C:\Windows\system32\lsass.exe

Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

Report Id: e83c54e5-f799-11dd-ac4c-001e377e16ad

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Application Error" />

<EventID Qualifiers="0">1000</EventID>

<Level>2</Level>

<Task>100</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2009-02-10T17:40:29.000000000Z" />

<EventRecordID>1015</EventRecordID>

<Channel>Application</Channel>

<Computer>xxxxxxxx.xxxxxxxxxx.com</Computer>

<Security />

</System>

<EventData>

<Data>lsass.exe</Data>

<Data>6.1.7000.0</Data>

<Data>4943152e</Data>

<Data>ntdll.dll</Data>

<Data>6.1.7000.0</Data>

<Data>49433e67</Data>

<Data>c0000374</Data>

<Data>000c0853</Data>

<Data>214</Data>

<Data>01c98ba1b28b136a</Data>

<Data>C:\Windows\system32\lsass.exe</Data>

<Data>C:\Windows\SYSTEM32\ntdll.dll</Data>

<Data>e83c54e5-f799-11dd-ac4c-001e377e16ad</Data>

</EventData>

</Event>

SECOND ENTRY:

Log Name: Application

Source: Windows Error Reporting

Date: 2/10/2009 12:40:30 PM

Event ID: 1001

Task Category: None

Level: Information

Keywords: Classic

User: N/A

Computer: xxxxxxxxxx.xxxxx.com

Description:

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

Problem signature:

P1: lsass.exe

P2: 6.1.7000.0

P3: 4943152e

P4: StackHash_52be

P5: 6.1.7000.0

P6: 49433e67

P7: c0000374

P8: 000c0853

P9:

P10:

Attached files:

C:\Windows\Temp\WERCE46.tmp.appcompat.txt

C:\Windows\Temp\WERCE57.tmp.WERInternalMetadata.xml

C:\Windows\Temp\WERCE58.tmp.hdmp

C:\Windows\Temp\WERCEB7.tmp.mdmp

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_db822d789c398dd2a8adfd6b9494bb22bb6b1e7_cab_05e4cf30

Analysis symbol:

Rechecking for solution: 0

Report Id: e83c54e5-f799-11dd-ac4c-001e377e16ad

Report Status: 20

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Windows Error Reporting" />

<EventID Qualifiers="0">1001</EventID>

<Level>4</Level>

<Task>0</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2009-02-10T17:40:30.000000000Z" />

<EventRecordID>1016</EventRecordID>

<Channel>Application</Channel>

<Computer>xxxxxxxxxx.xxxxx.com</Computer>

<Security />

</System>

<EventData>

<Data>

</Data>

<Data>0</Data>

<Data>APPCRASH</Data>

<Data>Not available</Data>

<Data>0</Data>

<Data>lsass.exe</Data>

<Data>6.1.7000.0</Data>

<Data>4943152e</Data>

<Data>StackHash_52be</Data>

<Data>6.1.7000.0</Data>

<Data>49433e67</Data>

<Data>c0000374</Data>

<Data>000c0853</Data>

<Data>

</Data>

<Data>

</Data>

<Data>

C:\Windows\Temp\WERCE46.tmp.appcompat.txt

C:\Windows\Temp\WERCE57.tmp.WERInternalMetadata.xml

C:\Windows\Temp\WERCE58.tmp.hdmp

C:\Windows\Temp\WERCEB7.tmp.mdmp</Data>

<Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_db822d789c398dd2a8adfd6b9494bb22bb6b1e7_cab_05e4cf30</Data>

<Data>

</Data>

<Data>0</Data>

<Data>e83c54e5-f799-11dd-ac4c-001e377e16ad</Data>

<Data>20</Data>

</EventData>

</Event>

THIRD ENTRY:

Log Name: Application

Source: Microsoft-Windows-Wininit

Date: 2/10/2009 12:40:30 PM

Event ID: 1015

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: xxxxxxxxxx.xxxxx.com

Description:

A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255. The machine must now be restarted.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />

<EventID Qualifiers="49152">1015</EventID>

<Version>0</Version>

<Level>2</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2009-02-10T17:40:30.000000000Z" />

<EventRecordID>1017</EventRecordID>

<Correlation />

<Execution ProcessID="0" ThreadID="0" />

<Channel>Application</Channel>

<Computer>xxxxxxxxxx.xxxxx.com</Computer>

<Security />

</System>

<EventData>

<Data>C:\Windows\system32\lsass.exe</Data>

<Data>255</Data>

</EventData>

</Event>

Edited by brobee
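
Added example (not part of the original post): a Python triage of exported Event XML like the records above, using the positional <Data> order shown for event 1000 to pull out the faulting module and exception code for lsass.exe and to pair the crash with the Wininit 1015 restart. The sample events are rebuilt from values in the post; the function names and the NTSTATUS lookup table are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Positional <Data> fields of Application Error event 1000, in the order shown in the post
FIELDS_1000 = ["app", "app_ver", "app_ts", "module", "module_ver", "module_ts", "exception",
               "offset", "pid", "start_time", "app_path", "module_path", "report_id"]
NTSTATUS = {0xC0000374: "STATUS_HEAP_CORRUPTION", 0xC0000005: "STATUS_ACCESS_VIOLATION"}

def parse_event(xml_text):
    """Extract provider, event id, timestamp and the positional Data values."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    return {"provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.find("e:EventID", NS).text),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "data": data}

def triage(events):
    """Return findings for lsass.exe crashes and the forced restart that follows."""
    findings = []
    for ev in map(parse_event, events):
        d = ev["data"]
        if ev["provider"] == "Application Error" and ev["event_id"] == 1000:
            f = dict(zip(FIELDS_1000, d))
            if f.get("app", "").lower() == "lsass.exe":
                code = int(f["exception"], 16)
                findings.append(("lsass_crash", ev["time"], f["module"],
                                 NTSTATUS.get(code, hex(code))))
        elif ev["provider"] == "Microsoft-Windows-Wininit" and ev["event_id"] == 1015:
            if d and d[0].lower().endswith("\\lsass.exe"):
                findings.append(("forced_restart", ev["time"], d[0], d[1]))
    return findings

def _sample(provider, eid, time, data):
    """Build a minimal event record (constructed; real exports carry more System fields)."""
    rows = "".join(f"<Data>{x}</Data>" for x in data)
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID Qualifiers="0">{eid}</EventID><TimeCreated SystemTime="{time}"/>'
            f'</System><EventData>{rows}</EventData></Event>')

SAMPLES = [  # values taken from the first and third entries in the post
    _sample("Application Error", 1000, "2009-02-10T17:40:29.000000000Z",
            ["lsass.exe", "6.1.7000.0", "4943152e", "ntdll.dll", "6.1.7000.0",
             "49433e67", "c0000374", "000c0853", "214"]),
    _sample("Microsoft-Windows-Wininit", 1015, "2009-02-10T17:40:30.000000000Z",
            [r"C:\Windows\system32\lsass.exe", "255"]),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```
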

It's not creating one. Just to be sure I set the dump file path to c:\temp and locked/unlocked the workstation, it notified me of the critical error and rebooted (not a BSOD mind you, just a dialog box popping up), it rebooted, and no memory.dmp file. What gives?

Could you please post the Dump file (packed as 7zip archive) here?

By the way, I noticed that when I'm at home and not connected to the AD domain everything is fine. I can lock/unlock without any trouble.

When I'm at work is when the fun begins. The only difference is at work it's in a dock. Hmm, maybe I should try it out of the dock but still connected to the network to see if the docking hardware has something to do with it.


  • 8 months later...

Hi,

After suffering from this problem too much time both on my desktop and laptop, I've decided to find the real workaround to this problem. All the other workarounds suggested on forums discussing this issue are not working or just partial solutions.

As far as I can understand the core of the issue is some re-authentication with the domain controller that occurs when the computer is unlocked. At this point some modules that are called by lsass.exe are failing and make the service crash and you know what happens.

Analyzing the crash dumps using windows debugger I've found out that the failure related to kerberos.dll. See Exception Analysis below.

So then I started to search settings related to Kerberos authentications and found 2 possible entries that can affect the Kerberos authentication process:

1. Registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\DefaultEncryptionType

2. Policy setting located at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos", which after all sets the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes

Searching the net about this parameter reveals more information and detailed explanations.

What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server 2003 with regard to the Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT):

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Type: REG_DWORD

Name: DefaultEncryptionType

Data: 23 (decimal) or 0x17 (hexadecimal)

Now it's also possible to disable the problematic encryption type with a GPO applied to the Windows 7 machines or to find a way (which I didn't search for yet) to change the DefaultEncryptionType using GPO.

Example Exception Analysis:

FAULTING_IP:

ntdll!RtlUnhandledExceptionFilter+2d2

00000000`776d6cd2 eb00 jmp ntdll!RtlUnhandledExceptionFilter+0x2d4 (00000000`776d6cd4)

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)

ExceptionAddress: 00000000776d6cd2 (ntdll!RtlUnhandledExceptionFilter+0x00000000000002d2)

ExceptionCode: c0000374

ExceptionFlags: 00000001

NumberParameters: 1

Parameter[0]: 000000007774c3f0

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

PROCESS_NAME: lsass.exe

ADDITIONAL_DEBUG_TEXT:

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 0000000077610000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bdfde

ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_PARAMETER1: 000000007774c3f0

FAULTING_THREAD: 0000000000001538

PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS

BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER: from 00000000776d7396 to 00000000776d6cd2

STACK_TEXT:

00000000`01f8e220 00000000`776d7396 : 00000000`00000002 00000000`00000023 00000000`00001028 00000000`00000003 : ntdll!RtlUnhandledExceptionFilter+0x2d2

00000000`01f8e2f0 00000000`776d86c2 : fffffa80`06ac2010 00000000`00000001 00000000`01f8eff8 00000000`7765a39e : ntdll!EtwEnumerateProcessRegGuids+0x216

00000000`01f8e320 00000000`776da0c4 : 00000000`00180000 00000000`00000000 00000000`00000000 00000000`00180000 : ntdll!RtlQueryProcessLockInformation+0x952

00000000`01f8e350 00000000`7767d1cd : 00000000`01b65140 00000000`00180000 00000000`01b65150 00000000`01b83010 : ntdll!RtlLogStackBackTrace+0x444

00000000`01f8e380 000007fe`fce61120 : 00000000`023ed6f0 00000000`01b82f30 00000000`01b82e80 00000000`00000000 : ntdll!LdrGetProcedureAddress+0x14e0d

00000000`01f8e400 000007fe`fce8bba2 : 00000000`01b82e80 00000000`00000000 00000000`023ed6f0 00000000`023a7550 : kerberos!Ordinal26+0x1120

00000000`01f8e430 000007fe`fce82f9c : 00000000`01b82e80 00000000`01ab3a80 00000000`00000000 00000000`01ab3af8 : kerberos!SpInitialize+0x38da

00000000`01f8e460 000007fe`fce8bb82 : 00000000`01ab3b98 00000000`00000000 00000000`023a7550 00000000`023a7550 : kerberos!SpInstanceInit+0xa08

00000000`01f8e490 000007fe`fce8b71f : 00000000`00000001 00000000`01ab3a80 00000000`00000000 00000000`00000000 : kerberos!SpInitialize+0x38ba

00000000`01f8e4c0 000007fe`fce91c75 : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd29120a : kerberos!SpInitialize+0x3457

00000000`01f8e4f0 000007fe`fce91b67 : 00000000`00000000 00000000`00000000 00000000`023ed6f0 000007fe`fd340830 : kerberos!SpInitialize+0x99ad

00000000`01f8e5c0 000007fe`fce91d0a : 00000000`00000000 00000000`01f8e700 00000000`00000000 00000000`001d4260 : kerberos!SpInitialize+0x989f

00000000`01f8e660 000007fe`fd2d48c6 : 00000000`02476ac8 00000000`000000e8 00000000`023dead0 00000000`02476ac8 : kerberos!SpInitialize+0x9a42

00000000`01f8ebb0 000007fe`fd29be80 : 00000000`02476ac8 00000000`00000002 00000000`000000e8 00000000`00180000 : lsasrv!LsaIAllocateHeap+0x1b776

00000000`01f8ed20 000007fe`fd29b880 : 00000000`01f8f230 000007fe`fd291f61 00000000`00000002 00000000`00000002 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x2ab0

00000000`01f8ee60 000007fe`fd29a7d3 : 00000000`01f8f2a0 00000000`001d9578 00000000`00000000 00000000`01f8f370 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x24b0

00000000`01f8ef00 000007fe`fd29a30e : 00000000`0026b010 00000000`02476ac8 00000000`01f8f308 00000000`00000000 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x1403

00000000`01f8f1d0 000007fe`fd4018c8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01f8f6c8 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0xf3e

00000000`01f8f4e0 000007fe`fd417c5a : 00000000`00000000 00000000`01f8f6b8 00000000`00000000 00000000`00000007 : sspisrv+0x18c8

00000000`01f8f600 000007fe`fd41808b : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd417a97 : sspicli!SeciAllocateAndSetIPAddress+0x106

00000000`01f8f770 000007fe`fd346813 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sspicli!LsaLogonUser+0x83

00000000`01f8f7f0 00000000`7740f56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : lsasrv!LsaIUpdateLogonSession+0x1703

00000000`01f8f940 00000000`77643281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd

00000000`01f8f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

FOLLOWUP_IP:

kerberos!Ordinal26+1120

000007fe`fce61120 eb00 jmp kerberos!Ordinal26+0x1122 (000007fe`fce61122)

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: kerberos!Ordinal26+1120

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: kerberos

IMAGE_NAME: kerberos.dll

STACK_COMMAND: ~12s; .ecxr ; kb

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000374_kerberos.dll!Ordinal26

Edited by WDavid
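
Added example (not from the original post or from Microsoft): the workaround above pins the client to RC4-HMAC, a legacy Kerberos encryption type, so it helps to be able to find machines where it is still set. This Python example decodes the two registry values named in the post; the function names and finding strings are assumptions, and the registry read only works on Windows.

```python
# Kerberos etype numbers used by DefaultEncryptionType (23 is the value set in the post)
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
          18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
# Bit flags used by the SupportedEncryptionTypes policy value
POLICY_BITS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
               0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
LEGACY = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"

def decode_policy_mask(mask):
    """Names of the encryption types enabled in a SupportedEncryptionTypes bitmask."""
    return [name for bit, name in sorted(POLICY_BITS.items()) if mask & bit]

def audit(default_etype=None, supported_mask=None):
    """Return findings for the two values; None means the value is not set."""
    findings = []
    allowed = decode_policy_mask(supported_mask) if supported_mask is not None else None
    if default_etype is not None:
        name = ETYPES.get(default_etype, f"unknown({default_etype})")
        if name in LEGACY:
            findings.append(f"DefaultEncryptionType pins legacy type {name}")
        if allowed is not None and name not in allowed:
            findings.append(f"DefaultEncryptionType {name} is not enabled by policy")
    for name in allowed or []:
        if name in LEGACY:
            findings.append(f"policy allows legacy type {name}")
    return findings

def read_dword(path, name):
    """Read a value under HKLM on Windows; returns None when the key or value is absent."""
    import winreg  # Windows-only standard library module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        print(audit(read_dword(LSA_KEY, "DefaultEncryptionType"),
                    read_dword(POLICY_KEY, "SupportedEncryptionTypes")))
    else:
        # Constructed values: the post's workaround against an AES-only policy mask
        print(audit(23, 0x18))
```
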

This topic is now closed to further replies.