Lsass crashed on two 2016 servers on Hyper-V

    Question

  • Two of our Server 2016 servers running SQL were rebooted due to an Lsass.exe system process crash. I'd like some clarity on the below hdmp file located in the Windows Error Reporting folder. Any advice will be appreciated, as we're having issues understanding the root cause behind this reboot and why Lsass went into a non-responsive state:

    0:003> !analyze -v

    *******************************************************************************

    *                                                                             *

    *                        Exception Analysis                                   *

    *                                                                             *

    *******************************************************************************

    GetUrlPageData2 (WinHttp) failed: 12002.

    DUMP_CLASS: 2

    DUMP_QUALIFIER: 400

    CONTEXT:  (.ecxr)

    rax=0000000000000000 rbx=0000000000000000 rcx=000000000000000a

    rdx=0000000000000000 rsi=000000dd7dafddc0 rdi=0000000000000000

    rip=00007ffd7abd51ff rsp=000000dd7dafd688 rbp=000000dd7dafd7c0

    r8=000000dd7dafddc0  r9=000000dd7dafd770 r10=00007ffd7abd51f0

    r11=00007ffd7ac9a4fc r12=000000dd7dafe2b0 r13=00007ffd7ab40000

    r14=000000dd7dafe4c8 r15=00007ffd7abd526e

    iopl=0         nv up ei pl zr na po nc

    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

    ntdll!LdrpICallHandler+0xf:

    00007ffd`7abd51ff cd29            int     29h

    Resetting default scope

    FAULTING_IP:

    ntdll!LdrpICallHandler+f

    00007ffd`7abd51ff cd29            int     29h

    EXCEPTION_RECORD:  0000024f6b97a7e0 -- (.exr 0x24f6b97a7e0)

    ExceptionAddress: 0000000000002754

       ExceptionCode: 0084005c

      ExceptionFlags: 00002001

    NumberParameters: 4724

       Parameter[0]: 000000003ec4a160

       Parameter[1]: 0000000000000003

       Parameter[2]: 0000000100000000

       Parameter[3]: 0000000000000000

       Parameter[4]: 46f984e100000000

       Parameter[5]: fab780a048cc1628

       Parameter[6]: 00000000cdc005d6

       Parameter[7]: 0000000000000001

       Parameter[8]: 0000000200000081

       Parameter[9]: 29fdfeff00000000

       Parameter[10]: 2926a4ba440d66ba

       Parameter[11]: 00000000abfae2af

      Parameter[12]: 0000000000002d80

       Parameter[13]: 80001007a69d043b

       Parameter[14]: 007000610064006c

    PROCESS_NAME:  lsass.exe

    ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE_STR:  c0000409

    EXCEPTION_PARAMETER1:  000000000000000a

    WATSON_BKT_PROCSTAMP:  57899b4c

    WATSON_BKT_PROCVER:  10.0.14393.0

    PROCESS_VER_PRODUCT:  Microsoft® Windows® Operating System

    WATSON_BKT_MODULE:  ntdll.dll

    WATSON_BKT_MODSTAMP:  578997b2

    WATSON_BKT_MODOFFSET:  951ff

    WATSON_BKT_MODVER:  10.0.14393.0

    MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System

    BUILD_VERSION_STRING:  10.0.14393.0 (rs1_release.160715-1616)

    MODLIST_WITH_TSCHKSUM_HASH:  564e3f0ae599d16d42a5b452fdf2d062835504ab

    MODLIST_SHA1_HASH:  b1323172a9403171b0cffc6a9f3a459d5da1dc13

    NTGLOBALFLAG:  0

    APPLICATION_VERIFIER_FLAGS:  0

    PRODUCT_TYPE:  3

    SUITE_MASK:  274

    DUMP_FLAGS:  d96

    DUMP_TYPE:  0

    APP:  lsass.exe

    ANALYSIS_SESSION_HOST:  CNF01FAF54FB4E

    ANALYSIS_SESSION_TIME:  03-22-2017 08:33:03.0675

    ANALYSIS_VERSION: 10.0.10586.567 amd64fre

    THREAD_ATTRIBUTES:

    OS_LOCALE:  ENS

    PROBLEM_CLASSES:

    GUARD_ICALL_CHECK_FAILURE

        Tid    [0x0]

        Frame  [0x00]

        Failure Bucketing

    CRITICAL_PROCESS_FAULT

        Tid    [0x0]

        Frame  [0x00]

    BUGCHECK_STR:  CRITICAL_PROCESS_FAULT_GUARD_ICALL_CHECK_FAILURE

    DEFAULT_BUCKET_ID:  CRITICAL_PROCESS_FAULT_GUARD_ICALL_CHECK_FAILURE

    LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0002d8d5058b4800

    IP_ON_HEAP:  0002d8d5058b4800

    The fault address in not in any loaded module, please check your build's rebase

    log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may

    contain the address if it were loaded.

    STACK_TEXT: 

    000000dd`7dafd688 00007ffd`7abe991d : 00007ffd`7ac95000 00007ffd`7ab40000 0000d698`001d1000 000000dd`7dafd7c0 : ntdll!LdrpICallHandler+0xf

    000000dd`7dafd690 00007ffd`7ab886d3 : 00000000`00000000 000000dd`7dafddc0 00000000`00000000 0000024f`6a390de0 : ntdll!RtlpExecuteHandlerForException+0xd

    000000dd`7dafd6c0 00007ffd`7abe8a3a : 0000024f`6b97a7e0 00007ffd`762f18e3 00000000`00000005 000000dd`7dafe220 : ntdll!RtlDispatchException+0x373

    000000dd`7dafddc0 00007ffd`7abd526e : 00007ffd`7630a05f 00000000`c0000022 00000000`00002268 00000000`00140008 : ntdll!KiUserExceptionDispatch+0x3a

    000000dd`7dafe4c8 00007ffd`7630a05f : 00000000`c0000022 00000000`00002268 00000000`00140008 00000000`00000008 : ntdll!LdrpDispatchUserCallTarget+0xe

    000000dd`7dafe4d0 00007ffd`763061a2 : 00000000`00000000 0000024f`6b83a420 00000000`00000000 00000000`00002268 : dpapisrv!HandleDomainUserPasswordChange+0x32f

    000000dd`7dafe870 00007ffd`76d99781 : 00000000`00000000 0000024f`6becc580 0000024f`6b8ba1f0 0000024f`6b8ba1f0 : dpapisrv!DPAPINotifyCredentialKeyChange+0x1a2

    000000dd`7dafe8e0 00007ffd`76d9a670 : 00000000`00000000 000000dd`7dafea79 0000024f`6b8ba1f0 00000000`00000002 : lsasrv!LsapDPAPINotifyCredentialKeyChange+0x189

    000000dd`7dafe9b0 00007ffd`76809846 : 00000000`00000000 0000024f`6bdfb110 00000000`00000000 00000000`00000000 : lsasrv!LsapDPAPIPasswordChangeForGMSA+0x470

    000000dd`7dafeae0 00007ffd`767b3dd7 : 00000000`00000000 000000dd`7dafed40 00000000`00000000 000000dd`7dafed04 : netlogon!NetpUpdateLSASecretCreds+0x2d6

    000000dd`7dafecd0 00007ffd`767b44a3 : 00000000`00000000 0000024f`6b865204 00000000`00000000 000000dd`7dafee68 : gmsaclient!GmsapGetPassword+0x35b

    000000dd`7dafed70 00007ffd`767b1b32 : 0000024f`6b8652f0 0000024f`6b8652f0 000000dd`00000000 00000000`00000000 : gmsaclient!GmsapGetPassword+0xa27

    000000dd`7dafee60 00007ffd`7681365b : 000000dd`7dafef18 01d29f8c`9b7d804e 000000dd`7daff010 00000000`01eab8b9 : gmsaclient!GMSARefreshPasswords+0xf2

    000000dd`7dafeee0 00007ffd`767fd3e8 : 01d28906`ffffffff 00007ffd`ffffffff 00000000`00000000 00000000`00000000 : netlogon!NlWksScavenger+0x7b

    000000dd`7dafef10 00007ffd`767e257a : 00007ffd`76885b40 00000000`00000001 00000000`00000000 00007ffd`7683552c : netlogon!NetpSrvComparePriority+0x147a8

    000000dd`7daff3c0 00007ffd`76d366fc : 00000000`00000000 00007ffd`76e38190 00007ffd`76e38190 00007ffd`767c0000 : netlogon!NlNetlogonMain+0x52a

    000000dd`7daff410 00007ffd`78ce3dd2 : 00000000`00000000 00000000`00000000 00000000`00000000 0000024f`6a47d530 : lsasrv!LsapStartService+0x248

    000000dd`7daff900 00007ffd`780d8364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sechost!ScSvcctrlThreadA+0x22

    000000dd`7daff930 00007ffd`7aba5e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14

    000000dd`7daff960 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

    THREAD_SHA1_HASH_MOD_FUNC:  4c4bdf38ade9751f8ef36befd82ad663aa5a3847

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  5750d7990f8e53597a1c703c905cda31723da635

    THREAD_SHA1_HASH_MOD:  7fc366dcd1158608e8fce6785cdb6498afb8ed99

    FOLLOWUP_IP:

    dpapisrv!HandleDomainUserPasswordChange+32f

    00007ffd`7630a05f 33c0            xor     eax,eax

    FAULT_INSTR_CODE:  8d48c033

    SYMBOL_STACK_INDEX:  5

    SYMBOL_NAME:  dpapisrv!HandleDomainUserPasswordChange+32f

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: dpapisrv

    IMAGE_NAME:  dpapisrv.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  578999a6

    STACK_COMMAND:  .ecxr ; kb

    BUCKET_ID:  CRITICAL_PROCESS_FAULT_GUARD_ICALL_CHECK_FAILURE_dpapisrv!HandleDomainUserPasswordChange+32f

    PRIMARY_PROBLEM_CLASS:  CRITICAL_PROCESS_FAULT_GUARD_ICALL_CHECK_FAILURE_dpapisrv!HandleDomainUserPasswordChange+32f

    BUCKET_ID_OFFSET:  32f

    BUCKET_ID_MODULE_STR:  dpapisrv

    BUCKET_ID_MODTIMEDATESTAMP:  578999a6

    BUCKET_ID_MODCHECKSUM:  3a9bf

    BUCKET_ID_MODVER_STR:  10.0.14393.0

    BUCKET_ID_PREFIX_STR:  CRITICAL_PROCESS_FAULT_GUARD_ICALL_CHECK_FAILURE_

    FAILURE_PROBLEM_CLASS:  CRITICAL_PROCESS_FAULT_GUARD_ICALL_CHECK_FAILURE

    FAILURE_EXCEPTION_CODE:  c0000409

    FAILURE_IMAGE_NAME:  dpapisrv.dll

    FAILURE_FUNCTION_NAME:  HandleDomainUserPasswordChange

    BUCKET_ID_FUNCTION_STR:  HandleDomainUserPasswordChange

    FAILURE_SYMBOL_NAME:  dpapisrv.dll!HandleDomainUserPasswordChange

    FAILURE_BUCKET_ID:  CRITICAL_PROCESS_FAULT_GUARD_ICALL_CHECK_FAILURE_c0000409_dpapisrv.dll!HandleDomainUserPasswordChange

    WATSON_STAGEONE_URL: 

    TARGET_TIME:  2017-03-18T02:09:02.000Z

    OSBUILD:  14393

    OSSERVICEPACK:  0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    OSEDITION:  Windows 10 Server Enterprise TerminalServer SingleUserTS

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2016-07-16 04:21:29

    BUILDDATESTAMP_STR:  160715-1616

    BUILDLAB_STR:  rs1_release

    BUILDOSVER_STR:  10.0.14393.0

    ANALYSIS_SESSION_ELAPSED_TIME: 12240

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:critical_process_fault_guard_icall_check_failure_c0000409_dpapisrv.dll!handledomainuserpasswordchange

    FAILURE_ID_HASH:  {edd1e404-f80d-00b0-9a71-7fac9fb4b279}

    Followup:     MachineOwner

    Thursday, March 23, 2017 12:14 PM

All replies