lsass.exe error loop at bootup

[troxel]

Found the answer to this and a couple other problems with this Microsoft Knowledge Base articel #307545

http://support.microsoft.com/default...#91;LN];307545


Zack

[Khalid Khan]

Hello Gurus

I have a Win2k operating system. When I boot the system and logon, a window pops up telling me that this system is shutting down in 60 seconds and starts the count down. In the same window and little further down there is a message that says "C:/winnt/system32/lsass.exe" terminated unexpectedly

I have another win2k computer and probably use the sick hard drive as a slave and try the remedy froger suggested above, but my questions to the gurus are;

1. Does any body know what lsass.exe is for?
2. What are the files that are related ?
3. Will copying the lsass.exe from the other computer fix the problem?

Thanking you all in anticipation.

Best regards
Khalid

[Badboyfowler]

I have seen an XP machine with this problem, and saw that is was infected with the sasser virus.

The Virus has now been removed, and the machine appears to be OK.

The virus i think attacks the LSASS and causes the machine to shut down.

[kingskin]

To fix this error i used an XP CD and started to install it, then selected "repair" when given the option (nb: not recovery) and this fixed it fine

[HyperLink]

Quote:

Originally posted by Khalid Khan
Hello Gurus

I have a Win2k operating system. When I boot the system and logon, a window pops up telling me that this system is shutting down in 60 seconds and starts the count down. In the same window and little further down there is a message that says "C:/winnt/system32/lsass.exe" terminated unexpectedly

I have another win2k computer and probably use the sick hard drive as a slave and try the remedy froger suggested above, but my questions to the gurus are;

1. Does any body know what lsass.exe is for?
2. What are the files that are related ?
3. Will copying the lsass.exe from the other computer fix the problem?

Thanking you all in anticipation.

Best regards
Khalid

...I have the EXACT same problem. on Win2k even. I can't do any System Restores because that's an XP thing, I don't wanna have to go through formatting my 60 GB HDD AGAIN, and I have several other viruses (virii?) that I 'm trying to take care of. However, I cannot download any fixes, cause anytime I finally find a good place to dl something, I get the 60 second timer.


HELP! PLEASE!!

[Toolz]

Wish i would have been able to read this earlier in the week. Same thing happened and scared the hell out of me.

Thought i got the same thing a friend did, where his HD formatted itself.

Ended up just going out and getting a new HD and setting it up as primary.

Was so scared that i had lost everything, but now my comp is running better than ever.

Good luck.

[Illissius]

Hmm. I just had a similar problem. I booted up and whatever username / password I tried, it said "invalid label". Restarted and it went away, and popped up a notice saying lsass.exe had a critical error. Anyone else had this? For the sake of safety I'm not going to restart again until I get some replies .

[mkutch]

I've had a problem with lsass.exe that I don't think I've read from anyone else here.

I initially had problems with unexpected shutdown so I re-formatted my machine from scratch last night. I was shocked when the problem continued. I wonder if faulty hardware is causing it as I have a bad USB. Also, I have noticed that it only happens when I go connect with my ISP and go on the internet.

[majordolfan]

http://www.microsoft.com/security/incident/sasser.mspx
http://www.microsoft.com/technet/Sec...ts/sasser.mspx

The second link is your best bet if you can get your computer to boot up. Looks like there's lots of info in this post to get everyone on the right track.

Taken from the second link:

RECOVERY:

If your computer has been infected with this virus you should first take the following step to protect against future infection

• To protect against future infections install Microsoft Security Bulletin MS04-011 <http://www.microsoft.com/technet/sec.../ms04-011.mspx> immediately.


Once you have applied the update to prevent against future infection, you can then take steps to clean your system from the current infection. To clean your system from the current infection, please contact your preferred antivirus vendor or refer to Microsoft’s cleaning tool. Currently, Microsoft’s cleaning tool successfully removes the original Sasser worm and the B, C, D, E and F variants.

If your computer is vulnerable to the worm, the worm may cause LSASS.EXE to crash which will force the operating system to shutdown after 60 seconds. This shutdown can be aborted on Windows XP systems by using the built-in “shutdown.exe -a” command. This shutdown can NOT be aborted on Windows 2000 systems.

On Windows 2000 systems, to prevent LSASS.EXE from crashing (thereby restarting the operating system) unplug the network cable (or disable the network adapter before LSASS.EXE crashes) and then perform any one of the following steps to prevent the worm from crashing LSASS.EXE:

1.
Create a file called %systemroot%\debug\dcpromo.log and make the file read-only. To do this, type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log

NOTE: This is the most effective mitigation technique as it completely mitigates this vulnerability by causing the vulnerable code to never be executed. This work-around will work for packets sent to any vulnerable port.

2.
Enable advanced TCP/IP filtering on all adapters to block all un-solicited inbound TCP packets

• Go to Start, Run and type Control and press enter

• In the new Control Panel window double click on Network and Dialup Connections

• Right click on the adapter that is connected to the Internet or the infected network and select Properties

• Double click Internet Protocol (TCP/IP)

• Click Advanced

• Select the Options tab

• Double click TCP/IP filtering

• Check the Enable TCP/IP filtering (all adapters) checkbox

• Select the Permit Only button above TCP Ports

NOTE: Do NOT add any ports to this list and do NOT select the Permit Only button above the UDP Ports label.

• Press OK 4 times and then select Yes when prompted to reboot the system (you must reboot for these settings to take effect)


This is an alternate mitigation technique that can be used to block all attempts to exploit the vulnerability via the TCP protocol. This will not prevent malformed UDP packets from reaching a vulnerable port and does not completely block the vulnerability like the steps outlined above.

3.
Temporarily stop the server service by typing the following command line:

net stop server /y

NOTE: This technique will only block exploit attempts that occur via TCP 139 and 445.


If the machine is currently infected with the Sasser worm it may start flooding the local network connection as soon as the cable is plugged back in making it impossible to download updates. To temporarily disable the worm use Task Manager to kill the following processes:

• End any process beginning with 4 or more numbers and “_up.exe” (for example, 12345_up.exe)

• End any process starting with avserve (for example, avserve.exe, avserve2.exe)

• End any process named skynetave.exe

• End any process named hkey.exe

• End any process named msiwin84.exe

• End any process named wmiprvsw.exe

NOTE: Do not end the process named wmiprvse.exe it is a legitimate system process.


After stopping the worm processes you should be able to download the security update and a Sasser removal tool.

PSS Security Response Team

Good luck!
Donnie

[kris-perry]

Hello, I've had this problem for over a month, and I finally fixed it! I've tried almost every one of your guys solutions with no success. It wasnt the sasser virus, it wasnt fixed by safe mode or sys recovery. I even did two destructive restores but no luck.

Luckily, there was a patch to fix this problem in a recent windows update. But because I got the error on startup, even with typing 'shutdown -a' the windows update wouldn't run because it coincidently needed the lsass.exe file.

So... with my particular problem, a file (i'm sorry I forget the name) called LDA Export Version or something like that would shutdown, and as soon as I click the send or dont send error report buttons, the lsass.exe would pop up saying shutdown in 1 minute. Once the lsass closed, many of my internet functions wouldnt work (such as windows update).

This seems easy now that I figured it out, but all I had to do is when the error for the export version file poped up, just dont click close right away, and that gave me the little bit of extra time I needed to open and run the windows update. Once it was installed, I have no problems anymore.

So everyone having this problem, try a recent windows update. (Start - Programs - Windows Update) Remember though, if you've never updated for a long time, you may have to run it twice. Once for the service pack, twice for the misc recent security fixes.

Ya, so I'm happy its over and done with, but I still didnt forget about you guys ha ha. Anyway, gl to everyone battling this problem. I think I got it from downloading a bad file from kazaa or something. Maybe, I dont know.
take care.