Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

    Question

  • Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied to svchost.exe and therefore is protected from being manually restarted.

    I noticed the following errors when this occurs:

    Log Name:      Application
    Source:        Application Error
    Date:          7/23/2013 4:35:26 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server1.xxx.xxx.net
    Description:
    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x46c
    Faulting application start time: 0x01ce877f9476ac07
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
        <EventRecordID>158950</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW19XM2.agency.nwie.net</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>46c</Data>
        <Data>01ce877f9476ac07</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
      </EventData>
    </Event>

    All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMware; however, about 5 months ago a similar error fired on a non-virtual machine:

    Log Name:      Application
    Source:        Application Error
    Date:          2/27/2013 6:57:58 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AAW29033
    Description:
    Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x6c0
    Faulting application start time: 0x01ce14e1af313fd9
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
        <EventRecordID>286291</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW29033</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe_gpsvc</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>6c0</Data>
        <Data>01ce14e1af313fd9</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
      </EventData>
    </Event>

    I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specifically with the Exception code: 0xc0000024, which causes the Group Policy Client service to stop?

    Tuesday, July 23, 2013 8:00 PM
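
For triaging events like the two quoted in the question, this added example (not code from the thread) parses an exported Event ID 1000 record, names the exception code, and converts the "Faulting application start time" FILETIME so it can be compared with the event timestamp. The `parse_crash` helper, its field names and the small NTSTATUS table are assumptions chosen for illustration; the sample is a trimmed copy of the first event in the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Positional <Data> order of Application Error event 1000, as shown in the post.
FIELDS = ("app", "app_ver", "app_ts", "module", "module_ver", "module_ts",
          "exception", "offset", "pid", "start_time", "app_path",
          "module_path", "report_id")
# A few well-known NTSTATUS values (ntstatus.h); extend as needed.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000024: "STATUS_OBJECT_TYPE_MISMATCH",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Trimmed copy of the first event in the post (unused System fields omitted).
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" /></System>
  <EventData><Data>svchost.exe</Data><Data>6.1.7600.16385</Data>
    <Data>4a5bc3c1</Data><Data>ntdll.dll</Data><Data>6.1.7601.17725</Data>
    <Data>4ec4aa8e</Data><Data>c0000024</Data><Data>00000000000cd7d8</Data>
    <Data>46c</Data><Data>01ce877f9476ac07</Data>
    <Data>C:\Windows\system32\svchost.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data></EventData>
</Event>"""

def parse_crash(xml_text):
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1000":
        raise ValueError("not an Application Error (1000) event")
    data = [d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)]
    rec = dict(zip(FIELDS, data))
    rec["status"] = NTSTATUS.get(int(rec["exception"], 16), "unknown")
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    ticks = int(rec["start_time"], 16)
    rec["started"] = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # Classic-log events carry whole seconds only, so the fraction is dropped.
    rec["crashed"] = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    rec["lifetime_s"] = (rec["crashed"] - rec["started"]).total_seconds()
    return rec

if __name__ == "__main__":
    r = parse_crash(SAMPLE)
    print(r["app"], r["module"], r["status"], r["started"].isoformat(), r["lifetime_s"])
```

For the first event in the post this yields STATUS_OBJECT_TYPE_MISMATCH and a process start time that falls in the same second as the crash timestamp.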

All replies

  • Hiya, 

    Are you able to logon to the server using console?

    What would happen if you opened a cmd and wrote "gpupdate /force"?

    Wednesday, July 24, 2013 10:06 AM
  • If my memory serves me correctly, gpupdate /force made no impact, but since this is intermittent I can't simply test that today. The next one we get I'll try it and provide an update.

    As for the console it makes no difference if I use it or simply use Citrix/RDP to get into the server because I'm logging in with an Admin account. The server will not prevent those with Admin access from logging in; only those who are not admins are not permitted into the server when this happens.

    I forgot to mention this seems to mainly occur during our rolling reboot, where we use a script to force reboot all of our servers every morning. I'm going to do some testing to see if the script has any impact, and, of course, I'll update here once I get more info.

    Wednesday, July 24, 2013 3:52 PM
  • Sounds good, wanted to see if you could force some sort of error out of the gpupdate.

    Do I dare ask why it is necessary to reboot all servers each morning? :=)

    Wednesday, July 24, 2013 7:08 PM
  • Sorry for the late response, but the rolling reboots are to ensure that Citrix and other applications on our servers work properly. Still waiting for this to happen again.
    Monday, August 05, 2013 5:22 PM
  • Thanks for keeping us updated :)
    Monday, August 05, 2013 6:33 PM
  • So after many months I have finally got more information!

    It doesn't actually appear that the rolling reboots are part of the problem. While the server's GPSVC service wasn't running I ran gpupdate /force & gpresult /h gpresult.html. Here are my results:

    C:\Users\[admuser]>gpupdate /force
    Updating Policy...

    User Policy Update Failed.
    Computer Policy Update Failed.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.

    C:\Users\[admuser]>GPRESULT /H GPReport.html
    INFO: The user "DOMAIN\[admuser]" does not have RSOP data.

    I also found multiple articles online since and it appears that the issue may be more related to the DCs not working as expected. After rebooting the server it did get another DC and it works fine, so I'm going to go the route of troubleshooting the DCs. I'll provide an update once I find out more.

    Monday, December 09, 2013 4:34 PM
  • Hello NationwideMan

    I'm facing the same problem. Did you find a solution?

    Kind regards,
    Matias

    Friday, January 10, 2014 12:33 PM
  • Hey,

    Same problem here.

    Please let us know if you find a solution.

    Thanks!

    Monday, February 10, 2014 1:00 PM