locked
lsass.exe: System Error. "Indicates a revision number encountered or specified is not one known to the service." RRS feed

  • Question

  • Howdy y'all,

    The message continues: "It may be a more recent revision than the service is aware of."

    The PC is XP Pro SP3 with all patches. Security Essentials is still running and signatures are current. The system won't boot to XP. The message in the title field is displayed in a dialog. After clicking OK, the system iterates a reboot cycle.

    Tried to boot using Last Known Good Configuration, but no progress.

    Research shows that there was malware that could cause this problem, but not in the last few years.

    What might have caused this and how to fix this efficiently? I read an article that recommended restoring the registry files from an earlier version. We'll try this after removing the disk and connecting it to another PC:

    http://community.spiceworks.com/how_to/214-perform-a-system-restore-manually-when-windows-is-not-bootable

    Thanks kindly.

    Friday, August 21, 2015 5:22 PM

Answers

  • Issue is resolved. Firstly, we scanned the PC with Windows Defender Offline. No malware was detected. The lsass.exe error occurs when the Security hive of the XP registry is corrupted. The Security hive of the registry consists of a key and files. The registry key is HKEY_LOCAL_MACHINE\Security, and the files are Security, Security.log, Security.sav.

    More information about the Windows registry is in this MSDN article:
    https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx

    To restore the Security hive, we booted the PC to the Recovery Console that was already installed on the local disk. The password for the Administrator account was prompted for and entered.

    The Recovery Console command line showed that the current folder was C:\Windows.

    CHDIR system32\config
    REN security security.old
    COPY c:\windows\repair\security
    EXIT (to restart Windows XP Pro)

    The system rebooted normally.

    HTH.
    • Marked as answer by OCTurbine Sunday, August 23, 2015 2:10 AM
    Sunday, August 23, 2015 2:09 AM