Lsass.exe Error Message

Discussion in 'ESET NOD32 v3 Beta Forum' started by Blackspear, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This error message suddenly appeared a few minutes ago, and then the shutdown error message appeared. I aborted the shutdown by doing the following: Start > Run > Shutdown -a

    This is what my client was receiving, though they were using the current commercial version of Nod32 and only came across the error message when trying to make a VPN connection.

    The system has been running perfectly overnight, and for hours this morning...

    I am using the new BETA version of Nod.

    Cheers
     

  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Are you using Sygate Pro? I thought I ran across something similar regarding their latest build a few days ago but I can't seem to find it now. Just a guess though.
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, all programs are the same, the only exception being that I installed EVEREST Home Edition from: http://www.lavalys.com/index.php?page=product&view=1 late last night; other than that, nothing new.

    From what I understand this is an IMON-related problem, see the following thread: https://www.wilderssecurity.com/showthread.php?t=35206

    Cheers :D
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Yes, IMON was going to be my next suggestion. I am not familiar with the BETA though, best of luck and hope you get it fixed soon. I'll try to find some more info later.
     
  5. steve_h

    steve_h Registered Member

    Joined:
    May 20, 2004
    Posts:
    24
    Location:
    NJ, USA
    Blackspear,

    Had a similar problem with 2.000.10 (which was supposed to be a fix for the IMON LSASS error). I discovered that a second winsock stack was running (use JV16 powertools to see all startup items and processes). Mine was installed by a Samsung cell phone application, and when I removed this, the problem disappeared. This is a difficult problem to diagnose as it is random in nature, and not easily duplicated. Good luck.

    Steve
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Wow, thanks for that, the lads at Eset are going to have fun then, aren't they, because this isn't an isolated problem, though it has only appeared lately (over the last month or so). I wonder if it has something to do with an MS update, being that I generally don't install anything different on my system; I enjoy having a stable system :D

    Thanks for the info...

    Cheers :D
     
  7. bcronin

    bcronin Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    105
    Location:
    Hyde Park, NY USA
    I regularly get this problem whenever I try to establish a VPN session to my company's network using the AT&T 5.09.2 VPN client. Someone mentioned something about it possibly being related to two TCP/IP stacks. Well, the AT&T client works by creating a new virtual network adapter and using it to create the VPN session (this, to avoid issues with changing parameters of your normal LAN adapter's configuration and forgetting to restore them when your session ends unceremoniously for some reason). I'd be happy to work with whoever at eset to try to get this one nailed down and finally fixed. This is a serious impact on my productivity.

    Bob Cronin
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for your input Bob, keep us posted...

    Cheers :D
     
  9. bcronin

    bcronin Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    105
    Location:
    Hyde Park, NY USA
    Ok, I managed to capture the info from the VPN client bringup log from around the time of the error in imon.dll. Here it is, interspersed with stuff from the WinXP event log showing the imon failure in context with what was going on in the VPN client at the time. Hopefully this will be useful to someone.

    09:05:52.718 Authenticating with the VPN server (129.42.208.240)...
    09:05:52.781 Action 1 of 1 is 'LogonToIPSecTunnelServer' (result required in 105 seconds)...
    09:05:52.781 Configured to negotiate UDP encapsulation
    09:05:52.781 Obtained VPN MTU Size value '1370' from preferences.
    09:05:52.796 Logon request sent to VPN server 129.42.208.240...
    09:05:52.796 Wait for asynchronous action to complete.
    09:05:58.921 A VPN logon message 3 was received.
    09:05:58.921 Authenticating with the VPN server (129.42.208.240)...

    lsass.exe error occurs here at 09:06:07

    Faulting application lsass.exe, version 5.1.2600.1106, faulting module imon.dll, version 0.0.0.0, fault address 0x0000abcd.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    09:06:08.031 The VPN logon response was received.
    09:06:08.031 The tunneled intranet address is 9.65.108.24.
    09:06:08.031 The local address is 192.168.0.100.
    09:06:08.031 The local gateway address is 192.168.0.1.
    ...
    09:06:08.046 Key exchange (IKE) encryption is Diffie-Hellman Group 1.
    09:06:08.046 VPN compression (IPCOMP) is none.
    09:06:08.046 VPN protocol and encryption is ESP,3DES,MD5.
    09:06:08.046 The source and destination VPN IKE ports are 0 and 0.
    09:06:08.046 UDP wrapper (for NAT traversal) is off.
    09:06:08.046 The authentication server returned 9.0.2.1 9.0.3.1 as the DNS.
    09:06:08.046 ---------- Change state to 'AfterTunneling'. ----------
    09:06:08.046 VPN connection completed.
    09:06:08.109 Action 1 of 5 is 'WriteToEventLog' (no result required)...
    09:06:08.109 Action 2 of 5 is 'StartConnectionMonitorTimer' (no result required)...
    09:06:08.109 Action 3 of 5 is 'VPNQueryCurrentInterface' (no result required)...
    09:06:08.109 Adapter Description : 'AGN Virtual Network Adapter - Net Firewall Miniport Interface', IP address: '192.168.0.100'.
    09:06:08.109 Connection interface: '{BE22851F-9FF2-466E-8FC2-638EE20824C2}'.


    Windows decides to shutdown here at 09:06:09

    A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine must now be restarted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    09:06:09.484 rc from NetCfg is 0
    09:06:09.484 Action 4 of 5 is 'VPNSLAFinishConnecting' (no result required)...
    09:06:09.484 SLR result code is 0 (0, 0, n, 0, 0).
    09:06:09.500 SLR3007 - VPN connection (1753764628140223124) was logged.
    09:06:09.500 Action 5 of 5 is 'DisplayVPNMessageIfNecessary' (immediate result required)...


    So as you can plainly see, whatever is going wrong is going wrong between this entry:

    09:05:58.921 Authenticating with the VPN server (129.42.208.240)...

    and this one

    09:06:08.031 The VPN logon response was received.

    Hopefully that will provide a clue. I do know that there is a registry hack I can do to get the client to write a more detailed trace (but I forget the details just now, I'll have to try to dig that up and see if I can narrow it down any further).

    Bob Cronin
     
  10. bcronin

    bcronin Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    105
    Location:
    Hyde Park, NY USA
    Ok, some more news. I narrowed it down a bit more. Since the AT&T VPN client has a proprietary implementation of IPSEC, one of the things it does during bringup is to stop the built-in IPSEC service in XP. Well, it is precisely this that is causing the error. However it is doing this, it is causing Windows to get upset. My suspicion is that this is a bug in the recent Windows update that was intended to deal with the sasser worm. Windows sees lsass.exe going away unexpectedly (lsass.exe is the executable identified as the provider of the native IPSEC service in the Services administrative tool) and concludes the system needs to be shut down and restarted to recover. It appears to me that the bug is that it does not check the exit code and notice that it is ZERO (which would indicate a good shutdown of the service, and so, should not cause a panic).

    I think imon.dll is just an innocent bystander here because it happens to have interposed itself in the middle of the code paths that do all this stuff (so it can do its scanning as traffic is flowing through the path).

    I was able to bypass the problem by setting the startup type for the IPSEC service to "Manual". Thus, when I boot my system, lsass.exe does not start automatically and therefore, the AT&T client does not need to stop it (and hence, this avoids the bug, since if it doesn't have to stop it, Windows will not get upset about it).

    Bob Cronin
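    The correlation Bob did by hand in his two posts above, written up as an added Python example (not code from the thread or from any of the vendors named in it): it brackets each Event Log entry between the nearest VPN client log lines and decodes the Winlogon status code, separating the 00000000 exit Bob describes from a c0000005 access violation. The log lines and events below are constructed from the lines quoted in the thread.

    ```python
    import re
    from datetime import datetime

    # Constructed sample, modelled on the AT&T VPN client log quoted above.
    VPN_LOG = """\
    09:05:52.718 Authenticating with the VPN server (129.42.208.240)...
    09:05:58.921 A VPN logon message 3 was received.
    09:05:58.921 Authenticating with the VPN server (129.42.208.240)...
    09:06:08.031 The VPN logon response was received.
    09:06:08.046 VPN connection completed.
    09:06:09.484 rc from NetCfg is 0
    """

    # Constructed Event Log entries: (time, source, description).
    EVENTS = [
        ("09:06:07", "Application Error",
         "Faulting application lsass.exe, version 5.1.2600.1106, faulting module "
         "imon.dll, version 0.0.0.0, fault address 0x0000abcd."),
        ("09:06:09", "Winlogon",
         "A critical system process, C:\\WINDOWS\\system32\\lsass.exe, failed with "
         "status code 00000000. The machine must now be restarted."),
    ]

    VPN_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
    STATUS = re.compile(r"failed with status code ([0-9a-fA-F]{8})")

    def to_time(s):
        """Parse HH:MM:SS or HH:MM:SS.mmm into a datetime.time."""
        fmt = "%H:%M:%S.%f" if "." in s else "%H:%M:%S"
        return datetime.strptime(s, fmt).time()

    def parse_vpn_log(text):
        """Return [(time, message)] for every timestamped VPN client log line."""
        return [(to_time(m.group(1)), m.group(2))
                for m in map(VPN_LINE.match, text.splitlines()) if m]

    def bracket(entries, event_time):
        """Last VPN step at or before the event and first step after it."""
        before = [e for e in entries if e[0] <= event_time]
        after = [e for e in entries if e[0] > event_time]
        return (before[-1] if before else None, after[0] if after else None)

    def classify_status(description):
        """Decode the NTSTATUS in a Winlogon 1015 text; None if there is none."""
        m = STATUS.search(description)
        if not m:
            return None
        code = int(m.group(1), 16)
        if code == 0:
            return "clean exit (STATUS_SUCCESS): service stopped, not a crash"
        if code == 0xC0000005:
            return "access violation (STATUS_ACCESS_VIOLATION): genuine fault"
        return "NTSTATUS 0x%08X" % code

    def correlate(vpn_text, events):
        """For each event, name the VPN steps it fell between and its status."""
        entries = parse_vpn_log(vpn_text)
        report = []
        for ts, source, desc in events:
            before, after = bracket(entries, to_time(ts))
            report.append({"event_time": ts, "source": source,
                           "after_vpn_step": before[1] if before else None,
                           "before_vpn_step": after[1] if after else None,
                           "status": classify_status(desc)})
        return report

    if __name__ == "__main__":
        for row in correlate(VPN_LOG, EVENTS):
            print(row)
    ```

    On the sample data the imon.dll fault lands between the second "Authenticating with the VPN server" line and "The VPN logon response was received.", as Bob read off by hand.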
     
  11. bcronin

    bcronin Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    105
    Location:
    Hyde Park, NY USA
    Of course, this means that someone has got to go try to convince Microsoft to fix the sasser-worm windows update to not get upset by some other program (such as the AT&T client) legitimately needing to stop the native IPSEC service. I'm afraid I don't have the energy or patience to fight that fight. Perhaps someone at eset could take up the challenge (since after all, it is their software that is being unfairly implicated, increasing their support costs) ...

    Bob Cronin
     
  12. bcronin

    bcronin Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    105
    Location:
    Hyde Park, NY USA
    Although it *is* interesting that it does not happen if imon is deactivated, so perhaps there is some interaction amongst all these components that does not occur when imon is not in the picture ...
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Fantastic posts Bob, great work...

    Cheers :D
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    To update, the problem has disappeared from my system after deleting the EVEREST Home Edition software.

    Cheers :D
     
  15. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    What in the world would be in Everest that would cause such a conflict with IMON? Everest is one of my very favorite programs. I keep it open all the time so I can check the temp of the CPU. I would be really upset if I was using IMON. The more I hear about IMON the more convinced I am that I have been right to not use IMON. I wouldn't take Everest off my computer....I'd be taking NOD32 off!
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I don't know if Everest was the problem with IMON, but logic dictates that when this was the only change to my system, that it had some sort of conflict with IMON, and this is the very first instance of the above error being personally experienced by myself. The only other experience that has crossed my path is one of my customers trying to make a VPN connection. We have others on this forum having the same problem when trying to make VPN connections.

    Bob in the above posts pinpoints the issue back to Microsoft's Windows patch and IMON having conflicts, though we are still waiting to hear anything from Eset, other than there is no known conflict with IMON...

    Cheers :D
     
    Last edited: Jun 26, 2004
  17. MorrisAO

    MorrisAO Registered Member

    Joined:
    May 31, 2003
    Posts:
    14
    Location:
    Perth, Western Australia
    I've been reading this thread with interest, as I recently had a problem getting that same type of error message when trying to run a help file for a program called Intellisync (used to sync between my PC and Ipaq PDA). I gave up on the help file in the end and figured out operations by trial and error - mostly error at first :p Since I am running Nod32 it makes me wonder. I can live without the help file, anyway.
     
  18. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    I don't know what they added in Everest that was not in Aida32 Enterprise edition, but I use Aida32 and do not have the same problems as those indicated with Everest. As Everest is a directly modified version of Aida32, they must have added something when Everest took control of this program. I'm still using Aida Enterprise and I guess will continue to do so. I'm glad I archive all these programs. Been a few lately that have been bought out and went commercial.

    (Edited to make my post clearer. Reread it and it appeared that I was using Everest, which I was not)
     
    Last edited: Jun 26, 2004
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for your comments Habiru, from what we are seeing through many posts now, this is an IMON conflict with various pieces of software, though mainly VPN. Bob has narrowed it down in one area by capturing a log when the error occurred, or this may be THE area, we are yet to see...

    Cheers :D
     
  20. bcronin

    bcronin Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    105
    Location:
    Hyde Park, NY USA
    I have sent an inquiry to the development/support team for the AT&T VPN client informing them of my findings and asking if they have any ideas what might be wrong. I gave them enough information about my configuration such that they could possibly recreate the error in their labs. Hopefully they will be able to and get to the bottom of what's going on. I'll post any updates of interest to this thread (though I am going away for 3 weeks soon, so if nothing happens this coming week, there will be a long delay before I can post again).
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for keeping us in the loop Bob...

    Cheers :D
     
  22. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    I had this happen to me yesterday at work. I know that we don't have any VPN software on it and no one else installed anything on it. I have a few other PCs that have a similar setup (i.e. same programs, etc). It only happened once and I am going to go take a look at it on Monday to see if I can come up with something.
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for the info Brian, can you keep us up to date with your findings, much appreciated...

    Cheers :D
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Well to update, it was just coincidence regarding EVEREST Home Edition, the error returned while the PC was left on overnight.

    I have the latest BETA:

    NOD32 Antivirus System information
    Virus signature database version: 1.796 (20040626)
    Dated: Saturday, 26 June 2004
    Virus signature database build: 4632

    Information on other scanner support parts
    Advanced heuristics module version: 1.007 (20040309)
    Advanced heuristics module build: 1053
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012
    Archive support module version: 1.014 (20040408)
    Archive support module build version: 1088

    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.000.11
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.000.11
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.000.11

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 1
    Version of common control components: 5.82.2800
    RAM: 496 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz (2813 MHz)



    In the event logs from this morning I have the following:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1007
    Date: 27/06/2004
    Time: 7:01:14 AM
    User: NT AUTHORITY\SYSTEM
    Computer: XXXXX
    Description:
    Windows cannot determine the associated site for this computer. (The remote procedure call failed and did not execute. ). Group Policy processing aborted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    and then this:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1007
    Date: 27/06/2004
    Time: 7:01:54 AM
    User: XXXXX\XXXXX
    Computer: XXXXX
    Description:
    Windows cannot determine the associated site for this computer. (The RPC server is too busy to complete this operation. ). Group Policy processing aborted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    In the event logs from yesterday I have the following:

    Event Type: Error
    Event Source: Winlogon
    Event Category: None
    Event ID: 1015
    Date: 26/06/2004
    Time: 11:16:43 AM
    User: N/A
    Computer: XXXXX
    Description:
    A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    and this event log from the 24th:

    Event Type: Information
    Event Source: DrWatson
    Event Category: None
    Event ID: 4097
    Date: 24/06/2004
    Time: 9:25:05 AM
    User: N/A
    Computer: CRAIG
    Description:
    The application, C:\Program Files\Internet Explorer\IEXPLORE.EXE, generated an application error The error occurred on 06/24/2004 @ 09:24:59.312 The exception generated was c0000005 at address 20B0111A (imon)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Data:
    and it continues...

    Cheers :D
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Further update, since installing the latest Beta:

    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.000.11
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.000.11
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.000.11

    The error messages are more prevalent :(

    Cheers :D
     