lsass.exe, failed with status code 255

  • Question

  • This isn't a question, but I'm posting a solution to a problem that we just recently encountered after the 2020 November Patches were released. On two hosts (one 2008 and one 2012) the patches were automatically installed and the hosts were rebooted. After that, whenever IIS traffic was received, the below errors were observed and the host would reboot.

    EventCode = 1015;
    EventIdentifier = 3221226487;
    Logfile = "Application";
    RecordNumber = 7200892;
    SourceName = "Microsoft-Windows-Wininit";
    TimeGenerated = "20201111131157.000000-000";
    TimeWritten = "20201111131157.000000-000";
    Type = "Error";
    EventType = 1;
    Category = 0;
    CategoryString = "None";
    Message = "A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255.  The machine must now be restarted.";
    InsertionStrings = {"C:\Windows\system32\lsass.exe", "255"};

    EventCode = 1000;
    EventIdentifier = 1000;
    Logfile = "Application";
    RecordNumber = 7200890;
    SourceName = "Application Error";
    TimeGenerated = "20201111131157.000000-000";
    TimeWritten = "20201111131157.000000-000";
    Type = "Error";
    EventType = 1;
    Category = 100;
    CategoryString = "Application Crashing Events";
    Message = "Faulting application name: lsass.exe, version: 6.2.9200.20521, time stamp: 0x505a9b98
    Faulting module name: iiscertprovider.dll, version: 8.0.9200.16384, time stamp: 0x5010a518
    Exception code: 0xc0000005
    Fault offset: 0x00000000000052ab
    Faulting process id: 0x240
    Faulting application start time: 0x01d6b7affcd3239e
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\inetsrv\iiscertprovider.dll
    Report Id: 7929c14d-241f-11eb-9463-0050569b2cb5
    Faulting package full name: 
    Faulting package-relative application ID: ";
    InsertionStrings = {"lsass.exe", "6.2.9200.20521", "505a9b98", "iiscertprovider.dll", "8.0.9200.16384", "5010a518", "c0000005", "00000000000052ab", "240", "01d6b7affcd3239e", "C:\Windows\system32\lsass.exe", "C:\Windows\system32\inetsrv\iiscertprovider.dll", "7929c14d-241f-11eb-9463-0050569b2cb5", "", ""}


    EventCode = 5000;
    EventIdentifier = 5000;
    Logfile = "System";
    RecordNumber = 1893786;
    SourceName = "LsaSrv";
    TimeGenerated = "20201111131156.000000-000";
    TimeWritten = "20201111131156.000000-000";
    Type = "Error";
    EventType = 1;
    User = "NT AUTHORITY\SYSTEM";
    Category = 0;
    CategoryString = "None";
    Message = "The security package Schannel generated an exception. The exception information is the data.";
    InsertionStrings = {"Schannel", "050000C0000000000000000000000000AB5288BCF80700000200000000000000000000000000000020040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"};
    };

    Long story short, replacing the iiscertprovider.dll with a newer version fixed our issue. We followed the below:

    takeown /f C:\Windows\system32\inetsrv\iiscertprovider.dll

    SUCCESS: The file (or folder): "C:\Windows\system32\inetsrv\iiscertprovider.dll"
     now owned by user "YOUR USER".

    icacls C:\Windows\system32\inetsrv\iiscertprovider.dll /grant administrators:F
    processed file: C:\Windows\system32\inetsrv\iiscertprovider.dll
    Successfully processed 1 files; Failed processing 0 files

    copy c:\temp\iiscertprovider.dll C:\Windows\system32\inetsrv\iiscertprovider.dll
    Overwrite C:\Windows\system32\inetsrv\iiscertprovider.dll? (Yes/No/All): yes
            1 file(s) copied.

    We hope someone can find this helpful.

    Friday, November 13, 2020 1:39 AM
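A triage sketch for event dumps in the format quoted in the post, added here and not part of the original post: it reports `lsass.exe` crashes with their faulting module and whether a Wininit 1015 forced restart followed within 60 seconds. The function names, the 60-second window and the sample text are assumptions made for this example; the InsertionStrings positions follow the records in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: records abridged from the post above, plus one unrelated crash.
SAMPLE = r'''
EventCode = 1015;
SourceName = "Microsoft-Windows-Wininit";
TimeGenerated = "20201111131157.000000-000";
InsertionStrings = {"C:\Windows\system32\lsass.exe", "255"};

EventCode = 1000;
SourceName = "Application Error";
TimeGenerated = "20201111131157.000000-000";
Message = "Faulting application name: lsass.exe, version: 6.2.9200.20521
Faulting module name: iiscertprovider.dll, version: 8.0.9200.16384";
InsertionStrings = {"lsass.exe", "6.2.9200.20521", "505a9b98", "iiscertprovider.dll", "8.0.9200.16384", "5010a518", "c0000005"}

EventCode = 1000;
SourceName = "Application Error";
TimeGenerated = "20201111090000.000000-000";
InsertionStrings = {"notepad.exe", "1.0.0.0", "0", "ntdll.dll", "1.0.0.0", "0", "c0000005"};
'''

# A value is a quoted string (may span lines), a {...} list, or a bare token; ';' is optional.
FIELD = re.compile(r'^\s*(\w+) = (".*?"|\{.*?\}|[^;\n]*);?\s*$', re.S | re.M)

def parse_records(text):
    records = []
    for key, val in FIELD.findall(text):
        if key == "EventCode":  # assumed to be the first property of every record
            records.append({})
        if records:
            records[-1][key] = val.strip('"')
    return records

def lsass_crashes(text, window=timedelta(seconds=60)):
    recs = parse_records(text)
    for r in recs:
        r["ins"] = re.findall(r'"([^"]*)"', r.get("InsertionStrings", ""))
        r["when"] = datetime.strptime(r["TimeGenerated"][:14], "%Y%m%d%H%M%S")
    restarts = [r["when"] for r in recs if r["EventCode"] == "1015"
                and r["ins"][:1] and r["ins"][0].lower().endswith("lsass.exe")]
    hits = []
    for r in recs:  # Application Error 1000: [0]=app, [3]=module, [4]=module version, [6]=exception
        if (r["EventCode"] == "1000" and r.get("SourceName") == "Application Error"
                and len(r["ins"]) >= 7 and r["ins"][0].lower() == "lsass.exe"):
            hits.append({"module": r["ins"][3], "module_version": r["ins"][4], "exception": r["ins"][6],
                         "forced_restart": any(abs(t - r["when"]) <= window for t in restarts)})
    return hits
```

Calling `lsass_crashes()` on dumps collected before and after the DLL is replaced shows whether the faulting module still appears and which module version was loaded at crash time.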

All replies