brobee Posted February 10, 2009 (edited)

I'm running Windows 7 Beta x32 build 7000 on a Dell Precision M6300 notebook. Intel T7800, 4 gigs RAM, Quadro FX1600M, 120 gig 7200 RPM HDD.

All critical and recommended patches/drivers have been installed including the NVidia Quadro driver for my display adapter. I also had to install a patch provided for KB961402 to allow my machine to join our Active Directory domain. At this point the only software installed is Firefox 3 and MS Office 2007 Professional. I had AVG 8 installed but I uninstalled it figuring it may be causing the problem.

What happens is before I walk away from my desk I press ALT+CTL+Del and select lock workstation so it's secure until I return. As soon as I enter my password it returns me to my desktop and then prompts me with an error that says something to the effect "A critical error has occurred and your machine will reboot in 1 minute". Eventually it reboots and operates normally until I lock it again.

This is the second installation of Windows 7 Beta build 7000 on this laptop. When I had this problem last week and could not resolve it I reloaded a 2nd time to try and clear it up, but the problem persists. As long as I do not lock the workstation or do not require a password when the screen saver ends, I have no problems and the machine works wonderfully.

Does anyone have any advice? I have provided detailed event log data below....
In the Event Viewer I see the following 3 error entries in the Application Log:

FIRST ENTRY:

Log Name: Application
Source: Application Error
Date: 2/10/2009 12:40:29 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxxxxxx.xxxxxxxxxx.com
Description:
Faulting application name: lsass.exe, version: 6.1.7000.0, time stamp: 0x4943152e
Faulting module name: ntdll.dll, version: 6.1.7000.0, time stamp: 0x49433e67
Exception code: 0xc0000374
Fault offset: 0x000c0853
Faulting process id: 0x214
Faulting application start time: 0x01c98ba1b28b136a
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e83c54e5-f799-11dd-ac4c-001e377e16ad
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-02-10T17:40:29.000000000Z" />
    <EventRecordID>1015</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxxxx.xxxxxxxxxx.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>lsass.exe</Data>
    <Data>6.1.7000.0</Data>
    <Data>4943152e</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7000.0</Data>
    <Data>49433e67</Data>
    <Data>c0000374</Data>
    <Data>000c0853</Data>
    <Data>214</Data>
    <Data>01c98ba1b28b136a</Data>
    <Data>C:\Windows\system32\lsass.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>e83c54e5-f799-11dd-ac4c-001e377e16ad</Data>
  </EventData>
</Event>

SECOND ENTRY:

Log Name: Application
Source: Windows Error Reporting
Date: 2/10/2009 12:40:30 PM
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: xxxxxxxxxx.xxxxx.com
Description:
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: lsass.exe
P2: 6.1.7000.0
P3: 4943152e
P4: StackHash_52be
P5: 6.1.7000.0
P6: 49433e67
P7: c0000374
P8: 000c0853
P9:
P10:
Attached files:
C:\Windows\Temp\WERCE46.tmp.appcompat.txt
C:\Windows\Temp\WERCE57.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WERCE58.tmp.hdmp
C:\Windows\Temp\WERCEB7.tmp.mdmp
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_db822d789c398dd2a8adfd6b9494bb22bb6b1e7_cab_05e4cf30
Analysis symbol:
Rechecking for solution: 0
Report Id: e83c54e5-f799-11dd-ac4c-001e377e16ad
Report Status: 20
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-02-10T17:40:30.000000000Z" />
    <EventRecordID>1016</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxx.xxxxx.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data> </Data>
    <Data>0</Data>
    <Data>APPCRASH</Data>
    <Data>Not available</Data>
    <Data>0</Data>
    <Data>lsass.exe</Data>
    <Data>6.1.7000.0</Data>
    <Data>4943152e</Data>
    <Data>StackHash_52be</Data>
    <Data>6.1.7000.0</Data>
    <Data>49433e67</Data>
    <Data>c0000374</Data>
    <Data>000c0853</Data>
    <Data> </Data>
    <Data> </Data>
    <Data> C:\Windows\Temp\WERCE46.tmp.appcompat.txt C:\Windows\Temp\WERCE57.tmp.WERInternalMetadata.xml C:\Windows\Temp\WERCE58.tmp.hdmp C:\Windows\Temp\WERCEB7.tmp.mdmp</Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_db822d789c398dd2a8adfd6b9494bb22bb6b1e7_cab_05e4cf30</Data>
    <Data> </Data>
    <Data>0</Data>
    <Data>e83c54e5-f799-11dd-ac4c-001e377e16ad</Data>
    <Data>20</Data>
  </EventData>
</Event>

THIRD ENTRY:

Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 2/10/2009 12:40:30 PM
Event ID: 1015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxxxxxx.xxxxx.com
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255. The machine must now be restarted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="49152">1015</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-02-10T17:40:30.000000000Z" />
    <EventRecordID>1017</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxx.xxxxx.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Windows\system32\lsass.exe</Data>
    <Data>255</Data>
  </EventData>
</Event>

Edited February 10, 2009 by brobee
pmarkiewicz Posted February 10, 2009

Hi, I have had this error off and on for over a year on Windows XP. Any answers would be extremely appreciated.

Patrick
MagicAndre1981 Posted February 10, 2009

could you please post the Dump file (packed as 7zip archive) here?
brobee Posted February 11, 2009

It's not creating one. Just to be sure I set the dump file path to c:\temp and locked/unlocked the workstation, it notified me of the critical error and rebooted (not a BSOD mind you, just a dialog box popping up), it rebooted, and no memory.dmp file. What gives?

"could you please post the Dump file (packed as 7zip archive) here?"

By the way, I noticed that when I'm at home and not connected to the AD domain everything is fine. I can lock/unlock without any trouble. When I'm at work is when the fun begins. The only difference is at work it's in a dock. Hmm, maybe I should try it out of the dock but still connected to the network to see if the docking hardware has something to do with it.
WDavid Posted October 19, 2009 (edited)

Hi,

After suffering from this problem too much time both on my desktop and laptop, I've decided to find the real workaround to this problem. All the other workarounds suggested on forums discussing this issue are not working or just partial solutions.

As far as I can understand the core of the issue is some re-authentication with the domain controller that occurs when the computer is unlocked. At this point some modules that are called by lsass.exe are failing and make the service crash and you know what happens. Analyzing the crash dumps using windows debugger I've found out that the failure is related to kerberos.dll. See Exception Analysis below.

So then I started to search settings related to Kerberos authentications and found 2 possible entries that can affect the Kerberos authentication process:

1. Registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\DefaultEncryptionType
2. Policy setting located at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos", which after all sets the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes

Searching the net about this parameter reveals more information and detailed explanations.
What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server 2003 regarding Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT):

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Type: REG_DWORD
Name: DefaultEncryptionType
Data: 23 (decimal) or 0x17 (hexadecimal)

Now it's also possible to disable the problematic encryption type with a GPO applied to the Windows 7 machines or to find a way (which I didn't search for yet) to change the DefaultEncryptionType using GPO.

Example Exception Analysis:

FAULTING_IP:
ntdll!RtlUnhandledExceptionFilter+2d2
00000000`776d6cd2 eb00 jmp ntdll!RtlUnhandledExceptionFilter+0x2d4 (00000000`776d6cd4)

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000776d6cd2 (ntdll!RtlUnhandledExceptionFilter+0x00000000000002d2)
ExceptionCode: c0000374
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000007774c3f0

DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: lsass.exe
ADDITIONAL_DEBUG_TEXT: Use '!findthebuild' command to search for the target build information. If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 0000000077610000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bdfde
ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_PARAMETER1: 000000007774c3f0
FAULTING_THREAD: 0000000000001538
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00000000776d7396 to 00000000776d6cd2

STACK_TEXT:
00000000`01f8e220 00000000`776d7396 : 00000000`00000002 00000000`00000023 00000000`00001028 00000000`00000003 : ntdll!RtlUnhandledExceptionFilter+0x2d2
00000000`01f8e2f0 00000000`776d86c2 : fffffa80`06ac2010 00000000`00000001 00000000`01f8eff8 00000000`7765a39e : ntdll!EtwEnumerateProcessRegGuids+0x216
00000000`01f8e320 00000000`776da0c4 : 00000000`00180000 00000000`00000000 00000000`00000000 00000000`00180000 : ntdll!RtlQueryProcessLockInformation+0x952
00000000`01f8e350 00000000`7767d1cd : 00000000`01b65140 00000000`00180000 00000000`01b65150 00000000`01b83010 : ntdll!RtlLogStackBackTrace+0x444
00000000`01f8e380 000007fe`fce61120 : 00000000`023ed6f0 00000000`01b82f30 00000000`01b82e80 00000000`00000000 : ntdll!LdrGetProcedureAddress+0x14e0d
00000000`01f8e400 000007fe`fce8bba2 : 00000000`01b82e80 00000000`00000000 00000000`023ed6f0 00000000`023a7550 : kerberos!Ordinal26+0x1120
00000000`01f8e430 000007fe`fce82f9c : 00000000`01b82e80 00000000`01ab3a80 00000000`00000000 00000000`01ab3af8 : kerberos!SpInitialize+0x38da
00000000`01f8e460 000007fe`fce8bb82 : 00000000`01ab3b98 00000000`00000000 00000000`023a7550 00000000`023a7550 : kerberos!SpInstanceInit+0xa08
00000000`01f8e490 000007fe`fce8b71f : 00000000`00000001 00000000`01ab3a80 00000000`00000000 00000000`00000000 : kerberos!SpInitialize+0x38ba
00000000`01f8e4c0 000007fe`fce91c75 : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd29120a : kerberos!SpInitialize+0x3457
00000000`01f8e4f0 000007fe`fce91b67 : 00000000`00000000 00000000`00000000 00000000`023ed6f0 000007fe`fd340830 : kerberos!SpInitialize+0x99ad
00000000`01f8e5c0 000007fe`fce91d0a : 00000000`00000000 00000000`01f8e700 00000000`00000000 00000000`001d4260 : kerberos!SpInitialize+0x989f
00000000`01f8e660 000007fe`fd2d48c6 : 00000000`02476ac8 00000000`000000e8 00000000`023dead0 00000000`02476ac8 : kerberos!SpInitialize+0x9a42
00000000`01f8ebb0 000007fe`fd29be80 : 00000000`02476ac8 00000000`00000002 00000000`000000e8 00000000`00180000 : lsasrv!LsaIAllocateHeap+0x1b776
00000000`01f8ed20 000007fe`fd29b880 : 00000000`01f8f230 000007fe`fd291f61 00000000`00000002 00000000`00000002 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x2ab0
00000000`01f8ee60 000007fe`fd29a7d3 : 00000000`01f8f2a0 00000000`001d9578 00000000`00000000 00000000`01f8f370 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x24b0
00000000`01f8ef00 000007fe`fd29a30e : 00000000`0026b010 00000000`02476ac8 00000000`01f8f308 00000000`00000000 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x1403
00000000`01f8f1d0 000007fe`fd4018c8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01f8f6c8 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0xf3e
00000000`01f8f4e0 000007fe`fd417c5a : 00000000`00000000 00000000`01f8f6b8 00000000`00000000 00000000`00000007 : sspisrv+0x18c8
00000000`01f8f600 000007fe`fd41808b : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd417a97 : sspicli!SeciAllocateAndSetIPAddress+0x106
00000000`01f8f770 000007fe`fd346813 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sspicli!LsaLogonUser+0x83
00000000`01f8f7f0 00000000`7740f56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : lsasrv!LsaIUpdateLogonSession+0x1703
00000000`01f8f940 00000000`77643281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`01f8f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

FOLLOWUP_IP:
kerberos!Ordinal26+1120
000007fe`fce61120 eb00 jmp kerberos!Ordinal26+0x1122 (000007fe`fce61122)

SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: kerberos!Ordinal26+1120
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: kerberos
IMAGE_NAME: kerberos.dll
STACK_COMMAND: ~12s; .ecxr ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000374_kerberos.dll!Ordinal26

Edited October 19, 2009 by WDavid
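
Added example, not part of any post in this thread: a PowerShell check that reads the two registry values named in the post above and decodes them, so a machine left on the RC4-HMAC workaround (DefaultEncryptionType = 23) can be found during a later audit. The etype numbers and bit flags are the standard Kerberos values; the helper name Get-RegistryDword is hypothetical, and the script only reads the registry.

```powershell
# Added example: decode the two Kerberos encryption-type registry values.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Kerberos etype numbers, as used by DefaultEncryptionType.
$EtypeNames = @{
    1  = 'DES-CBC-CRC'
    3  = 'DES-CBC-MD5'
    17 = 'AES128-CTS-HMAC-SHA1-96'
    18 = 'AES256-CTS-HMAC-SHA1-96'
    23 = 'RC4-HMAC'
}

# Bit flags, as used by SupportedEncryptionTypes.
$SupportedBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

# Hypothetical helper: returns the value, or $null when the key or value is absent.
function Get-RegistryDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$default = Get-RegistryDword $LsaKey 'DefaultEncryptionType'
if ($null -eq $default) {
    'DefaultEncryptionType: not set'
} else {
    $name = $EtypeNames[[int]$default]
    if (-not $name) { $name = 'unrecognised etype' }
    "DefaultEncryptionType: $default ($name)"
    if (@(1, 3, 23) -contains [int]$default) {
        'REVIEW: default etype is DES or RC4-HMAC rather than AES'
    }
}

$supported = Get-RegistryDword $PolicyKey 'SupportedEncryptionTypes'
if ($null -eq $supported) {
    'SupportedEncryptionTypes: not set (no policy value present)'
} else {
    $enabled = $SupportedBits | Where-Object { $supported -band $_.Bit } | ForEach-Object { $_.Name }
    'SupportedEncryptionTypes: 0x{0:X} ({1})' -f $supported, ($enabled -join ', ')
    if ($supported -band 0x07) { 'REVIEW: policy still permits DES and/or RC4-HMAC' }
}
```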