locked
LSASS.exe crashing afer unlocking computer RRS feed

  • Question

  • Hi there,

    I have a problem with LSASS on Win7 RC (Build 7100)

    The computer is connected to an Active Directory domain, and I lock it every time I leave my desk. Unfortunately when I come back and unlock it, 90% of the time, lsass.exe has crashed, and the PC reboots a minute later.

    Here's the event from the Application Log for the latest occourance:

    Faulting application name: lsass.exe, version: 6.1.7100.0, time stamp: 0x49ee8a5d
    Faulting module name: ntdll.dll, version: 6.1.7100.0, time stamp: 0x49eea66e
    Exception code: 0xc0000374
    Fault offset: 0x000c2cd3
    Faulting process id: 0x1d0
    Faulting application start time: 0x01c9faae9c26cf94
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 34bfabec-6705-11de-ae56-001cc0081c78

    I wonder if anyone has come across this before.
    Thursday, July 2, 2009 3:09 PM

Answers

  • This seems to be the exact issue.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;976586&sd=rss&spid=14481
    Mark Morowczynski|MCT| MCSE 2003:Messaging, Security|MCITP:EMA 2K7,EDA Win 7,ES,SA,EA|MCTS:Windows Mobile Admin|Security+|http://almostdailytech.com
    • Marked as answer by Horsebox_irl Thursday, February 18, 2010 9:41 AM
    Tuesday, February 9, 2010 2:54 PM

All replies

  • I am having a similar issue - my notebook is rebooting due to a problem with lsass.exe and I see the same error event logged in the application log.  I see the problem about every other day even when I'm actively using the computer.  Let's compare our configuration to see if we have more in common

    My PC config
    Acer Aspire 4730z, Intel Pentuim Dual T3400 2.16GHz, 4 GB RAM
    OEM Bluetooth module installed
    SMC SCR3340 Smartcard reader
    Windows 7 build 7100 64 bit
    Member of W2K3 domain - small domain, one domain controller
    Installed SW
    MS Office 2007 SP2
    Virtual PC 2007
    Windows Mobile Device Center
    Activeidentity ActivClient Smartcard middleware
    AVG Free Anti-virus

    I had to install a set of 64 bit Vista drivers from the Acer website to support some fo the HW.  My normal user account is a non-admin account.

    I'm hoping to limp along until the final version is released and I do a clean install but it would be nice to resolve the problem now.

    Wednesday, July 8, 2009 1:59 AM
  • Here is someone else with the same problem...

    http://www.neowin.net/forum/index.php?showtopic=733798

    From what I can see, the only thing that's common is that all three are members of Active Directory Domains.

    I'l get my hands on the RTM version next week (TechNet Subscriber), so I'll try it and let you know if it solves the issue.
    Wednesday, July 8, 2009 9:14 AM
  • OK, seeing as RTM wasn't released when I expected. But seeing as it is now... I've upgraded.

    It stopped happening for a while on the RC, but when I clean-upgraded to RTM on the same machine, it started happening again. Also, Live Messenger now crashes on logon.

    Oddness.
    Monday, August 10, 2009 5:18 PM
  • This just happened to me with the Windows 7 RTM.  My PC is also a member of an Active Directory domain.  When I unlocked the machine after an hour or so with the screen locked, I was forced to reboot.

    Application Log entry for the failed app :

    Faulting application name: lsass.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc155
    Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02b
    Exception code: 0xc0000374
    Fault offset: 0x00000000000c6cd2
    Faulting process id: 0x258
    Faulting application start time: 0x01ca17baee7a0dab
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 30b241ef-85df-11de-8365-00146cc1b6f0
    Monday, August 10, 2009 7:22 PM
  • Has anyone found an answer for this issue?
    I am using a Dell Precision M90 running Windows 7 Enterprise 32-bit RTM hooked up to a domain also.
    It does not matter whether the laptop is docked or not, only if I am plugged into the network.
    I have recieved two errors, the one above and this one.

    A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255. The machine must now be restarted.

    Thursday, August 20, 2009 6:59 PM
  • I'll add a little more info hopefully giving someone that tidbit more to solve this issue. 

    I've installed RC1 (build 7100) on two different computers.  They are both members of a Win 2008 AD.  My primary desktop was installed first with it.  It took 3 reinstalls of RC1 incrementally installing less updates of drivers, until I finally have a version that gives me the error after waking up the computer, maybe once every 5th time waking it up.  I am connected to a domain.

    My second computer, fresh install of RC1, updated a couple of drivers specific to Win 7 64-bit, from the MOBO manufacturer.  When I have it as part of the domain, and I wake it up, I get the error each time.  When I make the computer local to a workgroup, the error does not occur when waking it up. So clearly there is something associated with being a member of a domain running AD.  My AD is Windows 2008 SP2 (not RC2).  No warnings or errors occurring in any of the roles, just information messages in the Server Manager UI, everything seems to run smoothly.

    My computers are home builds, but I've been building computers for quite a few years now, and both computers are new MOBO (Asus, MSI) and CPU's (i7, E8400).
    Sunday, August 23, 2009 8:11 PM
  • I have tried shutting down any Antivirus applications and it doesn't seem to make any difference.
    Also as said above it ONLY happens when hooked to a Domain.
    How did Microsoft not catch this problem?
    It has been happening since the Beta release.
    Will keep working on it and see if I can find an answer.
    Tuesday, August 25, 2009 3:09 PM
  • I have same issue,

    I have iMac 24 inch in the office that i have Windows 7 RTM running under Windows 2003 Domain.
    I have iMac 24 inch at home that i have Windows 7 RTM running that is NOT under any domain.

    Both machines same hardware same softwares.   The one under domain is keep getting this error and reboots.

    Any suggestions or solutions greatly appreciated!

    Eimis
    Wednesday, August 26, 2009 6:16 PM
  • any update on a fix?
    Wednesday, September 2, 2009 4:12 PM
  • We had the same issue and it looks like by disabling the Screen lock gpo we had resolved the issue
    We created a new OU just for windows 7 with no policy and it stop the reboots from happening. then we added the gpo one by one and everytime the screen lock gpo was added, the workstations would reboot when you logged back in
    Tuesday, September 8, 2009 2:09 PM
  • Let's add another crasher to the party. My computer is on the domain and crashes when I unlock the computer. Occasionally it will let me unlock.

    Faulting application name: lsass.exe, version: 6.1.7600.16385, time stamp: 0x4a5bbf3e

    Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdadb

    Exception code: 0xc0000374

    Fault offset: 0x000c283b

    Faulting process id: 0x240

    Faulting application start time: 0x01ca331d9070ae72

    Faulting application path: C:\Windows\system32\lsass.exe

    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

    Report Id: cae59557-9f22-11de-b81f-0011952705a1

    Friday, September 11, 2009 10:39 PM
  • Well, I have been doing some extensive testing the past couple days.
    Loaded up a dell laptop d820 with Windows 7 32-bit.

    Local Account Logon - no crash
    Local Account Logon after hooking to a domain - no crash

    Our Production Domain Logon - crash

    Development Domain Logon - no crash yet

    Our development domain is just a plain Windows 2003 AD with one server no group policies implemented.

    So...there is something different between our Development AD and Production AD that is causing the issue.
    I have tried removing all group policies from my computer and account logon but it did not help.

    I will keep trying to find out what in our production domain is causing this to happen.

    It would GREAT if Microsoft would toss something into the hat....
    Tuesday, September 15, 2009 8:50 PM
  • I have run for a while now without crashing after setting my desktop to static and setting all my power settings to never turn off.

    It lets me lock the computer without crashing anymore and I am still on the domain with Group Policies.
    Tuesday, September 15, 2009 8:52 PM
  • Yeah, mine hasn't happened in a while either. I've not changed any power or desktop settings to my knowledge.
    Tuesday, September 15, 2009 8:54 PM
  • Let me tell you what I have observed so far.  The GPO is set to screen lock at 20 mins.  If I boot the computer, then lock the screen and walk away for 19 minutes, I will be able to log back in.  However, if I wait 21 minutes I get "The remote procedure call failed" and "The RPC server cannot be found".  Then within a couple minutes the machine will reboot.  I find entries on the lsass.exe failing.

    See these other 2 links...
    http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/f5f44b82-b0cc-4813-8199-62964f386500
    http://social.answers.microsoft.com/Forums/en-US/GettingReadyforWindows7/thread/5f88548b-5bcc-440c-9b32-058529cd9cf6
    • Proposed as answer by David Weisz Monday, October 19, 2009 10:39 AM
    • Unproposed as answer by Horsebox_irl Monday, October 19, 2009 11:02 AM
    Monday, October 12, 2009 10:35 PM
  • No that isn't it. The lock time in my GPO is 3 minutes. It's still random as to when it occours.
    Monday, October 19, 2009 11:02 AM
  • Well i am going to open a case with Microsoft this week.
    Every Windows 7 machine we have does this.
    Sometimes the crash is not immediate it can take up to 1/2 hour before it fails which is odd.
    Monday, October 19, 2009 12:31 PM
  • Hi,
    After suffering from this problem too much time both on my desktop and laptop, I’ve decided to find the real workaround to this problem. All the other workarounds suggested on forums discussing this issue are not working or just partial solutions.
    As far as I can understand the core of the issue is some re-authentication with the domain controller that occurs when the computer is unlocked. At this point some modules that are called by lsass.exe are failing and make the service crash and you know what happens.
    Analyzing the crash dumps using windows debugger I’ve found out that the failure related to kerberos.dll.  See Exception Analysis below.

    So then I started to search settings related to Kerberos authentications and found 2 possible entries that can affect the Kerberos authentication process:
    1. Registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\DefaultEncryptionType
    2. Policy setting located at “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos”, which after all sets the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes

    Searching the net about this parameter reveals more information and details explanations.

    What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)
    Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Type:   REG_DWORD
    Name:   DefaultEncryptionType
    Data:    23 (decimal) or 0x17 (hexadecimal)

    Now it’s also possible to disable the problematic encryption type with a GPO applied the Windows 7 machines or to find a way (which I didn’t search for yet) to change the DefaultEncryptionType using GPO.

    Example Exception Analysis:

    FAULTING_IP:
    ntdll!RtlUnhandledExceptionFilter+2d2
    00000000`776d6cd2 eb00            jmp     ntdll!RtlUnhandledExceptionFilter+0x2d4 (00000000`776d6cd4)

    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 00000000776d6cd2 (ntdll!RtlUnhandledExceptionFilter+0x00000000000002d2)
       ExceptionCode: c0000374
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 000000007774c3f0

    DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

    PROCESS_NAME:  lsass.exe

    ADDITIONAL_DEBUG_TEXT: 
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

    FAULTING_MODULE: 0000000077610000 ntdll

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bdfde

    ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

    EXCEPTION_PARAMETER1:  000000007774c3f0

    FAULTING_THREAD:  0000000000001538

    PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

    BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

    LAST_CONTROL_TRANSFER:  from 00000000776d7396 to 00000000776d6cd2

    STACK_TEXT: 
    00000000`01f8e220 00000000`776d7396 : 00000000`00000002 00000000`00000023 00000000`00001028 00000000`00000003 : ntdll!RtlUnhandledExceptionFilter+0x2d2
    00000000`01f8e2f0 00000000`776d86c2 : fffffa80`06ac2010 00000000`00000001 00000000`01f8eff8 00000000`7765a39e : ntdll!EtwEnumerateProcessRegGuids+0x216
    00000000`01f8e320 00000000`776da0c4 : 00000000`00180000 00000000`00000000 00000000`00000000 00000000`00180000 : ntdll!RtlQueryProcessLockInformation+0x952
    00000000`01f8e350 00000000`7767d1cd : 00000000`01b65140 00000000`00180000 00000000`01b65150 00000000`01b83010 : ntdll!RtlLogStackBackTrace+0x444
    00000000`01f8e380 000007fe`fce61120 : 00000000`023ed6f0 00000000`01b82f30 00000000`01b82e80 00000000`00000000 : ntdll!LdrGetProcedureAddress+0x14e0d
    00000000`01f8e400 000007fe`fce8bba2 : 00000000`01b82e80 00000000`00000000 00000000`023ed6f0 00000000`023a7550 : kerberos!Ordinal26+0x1120
    00000000`01f8e430 000007fe`fce82f9c : 00000000`01b82e80 00000000`01ab3a80 00000000`00000000 00000000`01ab3af8 : kerberos!SpInitialize+0x38da
    00000000`01f8e460 000007fe`fce8bb82 : 00000000`01ab3b98 00000000`00000000 00000000`023a7550 00000000`023a7550 : kerberos!SpInstanceInit+0xa08
    00000000`01f8e490 000007fe`fce8b71f : 00000000`00000001 00000000`01ab3a80 00000000`00000000 00000000`00000000 : kerberos!SpInitialize+0x38ba
    00000000`01f8e4c0 000007fe`fce91c75 : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd29120a : kerberos!SpInitialize+0x3457
    00000000`01f8e4f0 000007fe`fce91b67 : 00000000`00000000 00000000`00000000 00000000`023ed6f0 000007fe`fd340830 : kerberos!SpInitialize+0x99ad
    00000000`01f8e5c0 000007fe`fce91d0a : 00000000`00000000 00000000`01f8e700 00000000`00000000 00000000`001d4260 : kerberos!SpInitialize+0x989f
    00000000`01f8e660 000007fe`fd2d48c6 : 00000000`02476ac8 00000000`000000e8 00000000`023dead0 00000000`02476ac8 : kerberos!SpInitialize+0x9a42
    00000000`01f8ebb0 000007fe`fd29be80 : 00000000`02476ac8 00000000`00000002 00000000`000000e8 00000000`00180000 : lsasrv!LsaIAllocateHeap+0x1b776
    00000000`01f8ed20 000007fe`fd29b880 : 00000000`01f8f230 000007fe`fd291f61 00000000`00000002 00000000`00000002 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x2ab0
    00000000`01f8ee60 000007fe`fd29a7d3 : 00000000`01f8f2a0 00000000`001d9578 00000000`00000000 00000000`01f8f370 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x24b0
    00000000`01f8ef00 000007fe`fd29a30e : 00000000`0026b010 00000000`02476ac8 00000000`01f8f308 00000000`00000000 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x1403
    00000000`01f8f1d0 000007fe`fd4018c8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01f8f6c8 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0xf3e
    00000000`01f8f4e0 000007fe`fd417c5a : 00000000`00000000 00000000`01f8f6b8 00000000`00000000 00000000`00000007 : sspisrv+0x18c8
    00000000`01f8f600 000007fe`fd41808b : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd417a97 : sspicli!SeciAllocateAndSetIPAddress+0x106
    00000000`01f8f770 000007fe`fd346813 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sspicli!LsaLogonUser+0x83
    00000000`01f8f7f0 00000000`7740f56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : lsasrv!LsaIUpdateLogonSession+0x1703
    00000000`01f8f940 00000000`77643281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
    00000000`01f8f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


    FOLLOWUP_IP:
    kerberos!Ordinal26+1120
    000007fe`fce61120 eb00            jmp     kerberos!Ordinal26+0x1122 (000007fe`fce61122)

    SYMBOL_STACK_INDEX:  5

    SYMBOL_NAME:  kerberos!Ordinal26+1120

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: kerberos

    IMAGE_NAME:  kerberos.dll

    STACK_COMMAND:  ~12s; .ecxr ; kb

    BUCKET_ID:  WRONG_SYMBOLS

    FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000374_kerberos.dll!Ordinal26


    wdavid
    • Proposed as answer by esvabas Friday, October 23, 2009 2:59 PM
    Monday, October 19, 2009 12:37 PM
  • I haven't had a single crash in almost a week since I disabled the power save feature on my NIC.  Previously this would happen 5-6 times a day.
    • Proposed as answer by m7Techn0 Tuesday, April 8, 2014 7:23 AM
    • Unproposed as answer by m7Techn0 Tuesday, April 8, 2014 8:03 AM
    Monday, October 19, 2009 2:43 PM
  • I've tryed to disable the power save feature both on my laptop and desktop and had no effect at all. Lock/unlock triggered the restart most of the time.
    wdavid
    Monday, October 19, 2009 2:49 PM
  • Thanks a bunch David, it seemed to fix the issue on 2 of our computers so far.
    Guess it is time to upgrade my domain servers to 2008...
    You would have thought this would have been tested.
    Monday, October 19, 2009 5:22 PM
  • I am experiencing the same issues you guys are.  There are several other users at my company that aren't having any issues.  Just wondering if you guys have Blackberry's installed?

    Also, As for DAVE, I have tried to find a crashdump on this, but I don't get any dumps even though I have full dumps enabled

    Where did you get that dump file because my computer didn't blue screan, I just get a pop-up box stating that windows has a critical error and is shutting down in one minute.  Very odd.

    Did anyone open a case yet?
    Tuesday, October 20, 2009 7:16 PM
  • Still happening for me.  What is weird though, that it is happening only to me, we have about 5-10 Windows 7 machines on the network with different hardware and they run fine, no single crash.  They are under same OU same Group Policies etc.,  
    If anyone finds solution please post!
    Thanks

    Tuesday, October 20, 2009 9:56 PM
  • Hi,
    After suffering from this problem too much time both on my desktop and laptop, I’ve decided to find the real workaround to this problem. All the other workarounds suggested on forums discussing this issue are not working or just partial solutions.
    As far as I can understand the core of the issue is some re-authentication with the domain controller that occurs when the computer is unlocked. At this point some modules that are called by lsass.exe are failing and make the service crash and you know what happens.
    Analyzing the crash dumps using windows debugger I’ve found out that the failure related to kerberos.dll.  See Exception Analysis below.

    So then I started to search settings related to Kerberos authentications and found 2 possible entries that can affect the Kerberos authentication process:
    1. Registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\DefaultEncryptionType
    2. Policy setting located at “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos”, which after all sets the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes

    Searching the net about this parameter reveals more information and details explanations.

    What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)
    Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Type:   REG_DWORD
    Name:   DefaultEncryptionType
    Data:    23 (decimal) or 0x17 (hexadecimal)

    Now it’s also possible to disable the problematic encryption type with a GPO applied the Windows 7 machines or to find a way (which I didn’t search for yet) to change the DefaultEncryptionType using GPO.

    Example Exception Analysis:

    FAULTING_IP:
    ntdll!RtlUnhandledExceptionFilter+2d2
    00000000`776d6cd2 eb00            jmp     ntdll!RtlUnhandledExceptionFilter+0x2d4 (00000000`776d6cd4)

    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 00000000776d6cd2 (ntdll!RtlUnhandledExceptionFilter+0x00000000000002d2)
       ExceptionCode: c0000374
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 000000007774c3f0

    DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

    PROCESS_NAME:  lsass.exe

    ADDITIONAL_DEBUG_TEXT: 
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

    FAULTING_MODULE: 0000000077610000 ntdll

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bdfde

    ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

    EXCEPTION_PARAMETER1:  000000007774c3f0

    FAULTING_THREAD:  0000000000001538

    PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

    BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

    LAST_CONTROL_TRANSFER:  from 00000000776d7396 to 00000000776d6cd2

    STACK_TEXT: 
    00000000`01f8e220 00000000`776d7396 : 00000000`00000002 00000000`00000023 00000000`00001028 00000000`00000003 : ntdll!RtlUnhandledExceptionFilter+0x2d2
    00000000`01f8e2f0 00000000`776d86c2 : fffffa80`06ac2010 00000000`00000001 00000000`01f8eff8 00000000`7765a39e : ntdll!EtwEnumerateProcessRegGuids+0x216
    00000000`01f8e320 00000000`776da0c4 : 00000000`00180000 00000000`00000000 00000000`00000000 00000000`00180000 : ntdll!RtlQueryProcessLockInformation+0x952
    00000000`01f8e350 00000000`7767d1cd : 00000000`01b65140 00000000`00180000 00000000`01b65150 00000000`01b83010 : ntdll!RtlLogStackBackTrace+0x444
    00000000`01f8e380 000007fe`fce61120 : 00000000`023ed6f0 00000000`01b82f30 00000000`01b82e80 00000000`00000000 : ntdll!LdrGetProcedureAddress+0x14e0d
    00000000`01f8e400 000007fe`fce8bba2 : 00000000`01b82e80 00000000`00000000 00000000`023ed6f0 00000000`023a7550 : kerberos!Ordinal26+0x1120
    00000000`01f8e430 000007fe`fce82f9c : 00000000`01b82e80 00000000`01ab3a80 00000000`00000000 00000000`01ab3af8 : kerberos!SpInitialize+0x38da
    00000000`01f8e460 000007fe`fce8bb82 : 00000000`01ab3b98 00000000`00000000 00000000`023a7550 00000000`023a7550 : kerberos!SpInstanceInit+0xa08
    00000000`01f8e490 000007fe`fce8b71f : 00000000`00000001 00000000`01ab3a80 00000000`00000000 00000000`00000000 : kerberos!SpInitialize+0x38ba
    00000000`01f8e4c0 000007fe`fce91c75 : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd29120a : kerberos!SpInitialize+0x3457
    00000000`01f8e4f0 000007fe`fce91b67 : 00000000`00000000 00000000`00000000 00000000`023ed6f0 000007fe`fd340830 : kerberos!SpInitialize+0x99ad
    00000000`01f8e5c0 000007fe`fce91d0a : 00000000`00000000 00000000`01f8e700 00000000`00000000 00000000`001d4260 : kerberos!SpInitialize+0x989f
    00000000`01f8e660 000007fe`fd2d48c6 : 00000000`02476ac8 00000000`000000e8 00000000`023dead0 00000000`02476ac8 : kerberos!SpInitialize+0x9a42
    00000000`01f8ebb0 000007fe`fd29be80 : 00000000`02476ac8 00000000`00000002 00000000`000000e8 00000000`00180000 : lsasrv!LsaIAllocateHeap+0x1b776
    00000000`01f8ed20 000007fe`fd29b880 : 00000000`01f8f230 000007fe`fd291f61 00000000`00000002 00000000`00000002 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x2ab0
    00000000`01f8ee60 000007fe`fd29a7d3 : 00000000`01f8f2a0 00000000`001d9578 00000000`00000000 00000000`01f8f370 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x24b0
    00000000`01f8ef00 000007fe`fd29a30e : 00000000`0026b010 00000000`02476ac8 00000000`01f8f308 00000000`00000000 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0x1403
    00000000`01f8f1d0 000007fe`fd4018c8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01f8f6c8 : lsasrv!LsaIAuditLogonUsingExplicitCreds+0xf3e
    00000000`01f8f4e0 000007fe`fd417c5a : 00000000`00000000 00000000`01f8f6b8 00000000`00000000 00000000`00000007 : sspisrv+0x18c8
    00000000`01f8f600 000007fe`fd41808b : 00000000`00000001 00000000`00000000 00000000`00000000 000007fe`fd417a97 : sspicli!SeciAllocateAndSetIPAddress+0x106
    00000000`01f8f770 000007fe`fd346813 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sspicli!LsaLogonUser+0x83
    00000000`01f8f7f0 00000000`7740f56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : lsasrv!LsaIUpdateLogonSession+0x1703
    00000000`01f8f940 00000000`77643281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
    00000000`01f8f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


    FOLLOWUP_IP:
    kerberos!Ordinal26+1120
    000007fe`fce61120 eb00            jmp     kerberos!Ordinal26+0x1122 (000007fe`fce61122)

    SYMBOL_STACK_INDEX:  5

    SYMBOL_NAME:  kerberos!Ordinal26+1120

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: kerberos

    IMAGE_NAME:  kerberos.dll

    STACK_COMMAND:  ~12s; .ecxr ; kb

    BUCKET_ID:  WRONG_SYMBOLS

    FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000374_kerberos.dll!Ordinal26


    wdavid

    This has worked for me, created that regkey, hasn't crashed yet!

    What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)
    Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Type:   REG_DWORD
    Name:   DefaultEncryptionType
    Data:    23 (decimal) or 0x17 (hexadecimal)
    • Proposed as answer by esvabas Friday, October 23, 2009 3:00 PM
    Friday, October 23, 2009 3:00 PM
  • David Weisz suggestion helped:

    This has worked for me, created that regkey, hasn't crashed yet!

    What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)
    Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Type:   REG_DWORD
    Name:   DefaultEncryptionType
    Data:    23 (decimal) or 0x17 (hexadecimal)


    Not crashing anyomore
    Friday, October 23, 2009 3:01 PM
  • This has immediately started working or me.  I will post back if I encounter any more problems after this change.
    Thanks
    Friday, October 23, 2009 4:43 PM
  • This has started happening to me again today.

    I have 2 Domain Controllers - one 2008 and one 2003 - is it the 2003 one that's causing the issue?
    Monday, November 16, 2009 10:26 AM
  • David Weisz suggestion helped:

    This has worked for me, created that regkey, hasn't crashed yet!

    What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)
    Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Type:   REG_DWORD
    Name:   DefaultEncryptionType
    Data:    23 (decimal) or 0x17 (hexadecimal)


    Not crashing anyomore
    Same here not crashing anymore, thank you guys.
    Tuesday, January 19, 2010 7:19 AM
  • This seems to be the exact issue.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;976586&sd=rss&spid=14481
    Mark Morowczynski|MCT| MCSE 2003:Messaging, Security|MCITP:EMA 2K7,EDA Win 7,ES,SA,EA|MCTS:Windows Mobile Admin|Security+|http://almostdailytech.com
    • Marked as answer by Horsebox_irl Thursday, February 18, 2010 9:41 AM
    Tuesday, February 9, 2010 2:54 PM
  • David Weisz suggestion helped:

    This has worked for me, created that regkey, hasn't crashed yet!

    What solved the problem for me is setting the following registry key and values to make Windows 7 behave like Windows Server2003 regarding to Kerberos Encryption Type (KERB_ETYPE_RC4_HMAC_NT)
    Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Type:   REG_DWORD
    Name:   DefaultEncryptionType
    Data:    23 (decimal) or 0x17 (hexadecimal)


    Not crashing anyomore
    Same here not crashing anymore, thank you guys.

    Coul´d you please specify what I am supposed to do in the registry editor...

    I really wouldn't like to risk the stability of my system if I mess something up :(

    Sunday, May 9, 2010 8:18 AM