none
Error with svchost.exe_gpsvc with module auditcse.dll after updating the Advanced Audit Policy

    Question

  • Hi,

    I was updating the Advanced Audit Policy "Object Access\Audit Removable Storage" using the Local Group Policy Editor.

    After changing the policy, I did a restart of the server and it was working initially. After a few days, I was getting the following error message on the server. 

    ---------------------------------------------------------------

    Faulting application name: svchost.exe_gpsvc, version: 6.2.9200.16384, time stamp: 0x50108897
    Faulting module name: auditcse.dll, version: 6.2.9200.16384, time stamp: 0x50109c99
    Exception code: 0xc0000005
    Fault offset: 0x0000000000012b19
    Faulting process id: 0x5024
    Faulting application start time: 0x01d25b6ae51f1b51
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\system32\auditcse.dll
    Report Id: 239d169f-c75e-11e6-9424-0050568923b4
    Faulting package full name: 
    Faulting package-relative application ID: 

    ---------------------------------------------------------------

    This error will also occur when I do a "gpupdate", which will bring down a lot of services. Below are the services:

    1. Server
    2. IP Helper
    3. Shell Hardware Detection
    4. Task Scheduler
    5. Themes
    6. User Profile Service

    This Server is running on Windows Server 2012 and is joined to a domain.

    If I did a restart of the affected server, i will get a "Failure to connect to Group Policy Client Services" message.

    Please help. Thanks

    Wednesday, December 21, 2016 10:50 AM

All replies

  • Hi,
    Have you tried to reboot the domain controller and see if the error is gone?
    In addition, please check the hardware performance of the DC and the problematic server, such as memory, CPU or disk space. And please scan the system for virus, we have seen some people reported about svchost.exe hang and the cause for this behavior was actually the virus.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 22, 2016 2:47 AM
    Moderator
  • Hi,

    I have done a restart of the domain server and did a check on the harddisk and ram all return ok.

    The virus scan also returns no virus.

    From the error code it seems like access to the auditcse.dll file was denied.

    Friday, December 23, 2016 10:14 AM
  • Hi,
    If the issue is access denied, then we might need to check the permission of the account
    And regarding the error “Failure to connect to Group Policy Client Services”, please take a look at the following article and have a try it to see if it helps:
    http://www.thewindowsclub.com/fix-group-policy-client-service-failed-logon-windows-8
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 26, 2016 1:29 AM
    Moderator
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 29, 2016 9:25 AM
    Moderator
  • Same issue windows 2012 R2 with newest patches.

    Wanted to turn off advanced detail file share auditing:Go to Detailed File Share auditing properties; Select "Do not Audit "Success" and "Failure" settings"

    And after that started to get:

    Faulting application name: svchost.exe_gpsvc, version: 6.3.9600.17415, time stamp: 0x54504177
    Faulting module name: auditcse.dll, version: 6.3.9600.17415, time stamp: 0x54504e9e
    Exception code: 0xc0000005
    Fault offset: 0x0000000000012d0a
    Faulting process id: 0x1b2c
    Faulting application start time: 0x01d27a1b9b2e6cef
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\system32\auditcse.dll
    Report Id: d9011e53-e60e-11e6-80c7-94188276a5b7
    Faulting package full name:
    Faulting package-relative application ID:

    Which casues all listed services above to fail..

    Any Idies ?

    Sunday, January 29, 2017 11:26 AM
  • same problem
    Thursday, April 05, 2018 2:09 PM
  • solution from the support and good for my Server 20012R2:
    -download LGPO.exe from microsoft.com
    -export LGPO, example : LGPO.exe /b c:\temp
    - go in c:\temp\{XXX...XXX} search the file audit.csv and edit
    -search the lines:
    ,,FileGlobalSacl,,,,

    or
    <HOSTNAME>,,FileGlobalSacl,,,,

    and
    ,,RegistryGlobalSacl,,,,
    or<HOSTNAME>,,RegistryGlobalSacl,,,,
    an change it with add S:
    ,,FileGlobalSacl,,,,S:
    ,,FileGlobalSacl,,,,S:
    or
    <HOSTNAME>,,FileGlobalSacl,,,,S:
    <HOSTNAME>,,RegistryGlobalSacl,,,,S:
    then save and LGPO.exe /ac audit.csv

    eventually restart

    if the problem persists, you can separate the services in different svchost.
    If one crash,the other continue.
    on cmd
    tasklist /svc > c:\temp\list_svc.txt
    search
    "server" in the file:
    svchost.exe                   5116 AeLookupSvc, CertPropSvc, DsmSvc, gpsvc,    
                                       iphlpsvc, LanmanServer, ProfSvc, Schedule,  
                                       seclogon, SENS, SessionEnv,                 
                                       ShellHWDetection, Themes, Winmgmt, wuauserv
    for each service :

    sc config AeLookupSvc type= own
    net stop CertPropSvc
    net start CertPropSvc

    sc config CertPropSvc type= own
    net stop CertPropSvc
    net start CertPropSvc

    ...
    the space after "type=" is necessary




    Friday, April 06, 2018 8:28 AM