The process wininit.exe has initiated the restart of computer on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006. The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with statu

  • Question


    The environment has 4 DCs and almost 10000 users and computers. After the DC OS and DFL & FFL upgrade of the forest/domain, it worked fine for 1 month, but recently the DCs started auto-restarting with the few error logs mentioned below.

    Log Name:      Application

    Source:        Microsoft-Windows-Wininit
    Date:          7.12.2017 17:45:52
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC1
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

    Log Name:      Application
    Source:        Application Error
    Date:          7.12.2017 17:45:51
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC1
    Description:
    Faulting application name: lsass.exe, version: 6.3.9600.17415, time stamp: 0x545042fe
    Faulting module name: ESENT.dll, version: 6.3.9600.18429, time stamp: 0x579cdff7
    Exception code: 0xc0000005
    Fault offset: 0x00000000000dd82f
    Faulting process id: 0x26c
    Faulting application start time: 0x01d36f32c70ab77a
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ESENT.dll
    Report Id: 1548c42a-db6e-11e7-8102-005056843270
    Faulting package full name: 
    Faulting package-relative application ID:

    Log Name:      System
    Source:        User32
    Date:          7.12.2017 9:08:47
    Event ID:      1074
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      DC1
    Description:
    The process wininit.exe has initiated the restart of computer DC1 on behalf of user  for the following reason: No title for this reason could be found
     Reason Code: 0x50006
     Shutdown Type: restart
     Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

    All the DCs' OS version is 2012 R2. Has anyone faced this issue before, or does anyone have a solution for it? Every one day after these DCs get rebooted due to lsass.exe crashing. Can anyone help with this critical issue?

    • Edited by Deb_bose Friday, December 8, 2017 8:04 PM
    Friday, December 8, 2017 7:54 PM

All replies

  • This one might help.

    https://support.microsoft.com/en-us/help/3038261/lsass-exe-crashes-and-system-shuts-down-automatically-on-a-windows-ser

      

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, December 8, 2017 8:02 PM
  • Thanks for your information. But this issue is mentioned for

    Faulting module path: C:\Windows\system32\kerberos.DLL and my case is an esent.dll failure.

    Is it somehow related to the said issue?

    Friday, December 8, 2017 8:08 PM
  • Could be. You could check if KB2998097 has been installed, or also call in to Microsoft product support.

    https://support.microsoft.com/en-us/gp/contactus81?Audience=Commercial&SegNo=5&wa=wsignin1.0

     

     

     



    Regards, Dave Patrick ....

    Friday, December 8, 2017 8:14 PM
  • Hi,

    Please run “sfc /scannow” and DISM.EXE to check/repair system files.

    Besides, please run “DCDiag” to check AD state on your DCs. 

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 12, 2017 8:54 AM
  • Hi,

    All tested, and no error was found with the sfc /scannow command.

    DCDiag was not able to find any significant error to show.

    In the last 7 days we found that the restarts are increasing among the DCs. In 7 days the DCs got restarted 3 times, and at the same time. Very strange.

    A crash dump of the lsass process has been generated with procdump, and the brief analysis of the dmp file is as follows.

      Error

    In lsass_dump.dmp the assembly instruction at esent!ErrSORTFirst+a3 in C:\Windows\System32\esent.dll from Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000002 on thread 24

    Please follow up with the vendor Microsoft Corporation for C:\Windows\System32\esent.dll

    Can anybody give me a proper solution to this critical problem?

    Sunday, December 31, 2017 11:43 AM
  • Can anybody give me any proper solution of the critical problem.

    Might try a new one as a test. If you have multiple DCs I'd use dcdiag / repadmin tools to verify health before starting. Then I'd stand up the new guest, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to verify health, when all is good you can decommission / demote old one.

     

     



    Regards, Dave Patrick ....

    Sunday, December 31, 2017 2:12 PM
  • Hi,

    How things are going there on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang


    Tuesday, January 2, 2018 5:55 AM
  • Among the 4 DCs, 3 are new and one is an old one. The problem started on one new DC and lastly affected the old good DC, on which all the FSMO roles are kept now.

    The new thing that happened on this domain is that a few months back the DFL and FFL were upgraded from 2003 to 2012R2 for this domain/forest.

    No replication error found, no FRS or directory service error log found.

    Now the number of affected DCs has increased to 3. Only one good DC is left. I can't really understand where the issue is.

    Attaching below a few frequent error logs found in the DC events...

    Huge numbers of netlogon errors. One sample is given below.

    ======================================================

    Log Name:      System
    Source:        NETLOGON
    Event ID:      5722
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      computernameFQDN
    Description:
    The session setup from the computer computername failed to authenticate. The name(s) of the account(s) referenced in the security database is computername$.  The following error occurred: 
    Access is denied.

    -----------------------------------------------------------------------------------------------------------------------

    Log Name:      System
    Source:        NETLOGON
    Event ID:      5807
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      DC_FQDN_Name
    Description:
    During the past 4.25 hours there have been 151 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

    =======================================================

    As per the last log, it was found that there were many new subnets which have not been added in adsiteservice. They will be added by tomorrow. But do you think this can be the reason for the lsass crash? These clients whose subnets have not been listed can anyhow reach any of the DCs with the help of a proper DNS query, so there should not be anything to point to NO_CLIENT_SITE.

    Am I correct, or does it really matter? Please, can anyone give a fruitful answer?

    Tuesday, January 2, 2018 6:50 PM
  • I have mentioned the scenario in the first quote. Please have a look at that.

    The env is a single domain and single forest having 4 DCs. A few months back a DFL and FFL upgrade was performed along with a DC OS upgrade (except one DC). About 1 month after the upgrade, one newly built DC started restarting, with lsass.exe crashing and the wininit process initiating the DC restart.

    I have already mentioned a few error logs. However, I am giving a few more which I found relevant and got from the DCs' event viewer. Now this issue is spreading to other DCs. At the present moment only one healthy DC exists which does get restarted due to lsass crash. The env has approx. 10000 users and computers with many AD-integrated apps.

    Events:

    Log Name:      System
    Source:        User32
    Date:          2018-01-02 11:01:46
    Event ID:      1074
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      DC_Name
    Description:
    The process wininit.exe has initiated the restart of computer DC_Name on behalf of user  for the following reason: No title for this reason could be found
     Reason Code: 0x50006
     Shutdown Type: restart
     Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          2018-01-02 11:01:46
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC_Name
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

    Log Name:      Application
    Source:        Windows Error Reporting
    Date:          2018-01-02 11:01:46
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      DC_Name
    Description:
    Fault bucket , type 0
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: lsass.exe
    P2: 6.3.9600.17415
    P3: 545042fe
    P4: ESENT.dll
    P5: 6.3.9600.18429
    P6: 579cdff7
    P7: c0000005
    P8: 00000000000dd82f
    P9: 
    P10: 

    Attached files:

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_f9ff765873e24ce75ef94730698aff2cfbdeef8f_0c1f8dbe_087866bd

    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: effadc02-efa3-11e7-80f2-cc46d6c06181
    Report Status: 0
    Hashed bucket: 


    Log Name:      Application
    Source:        Application Error
    Date:          2018-01-02 11:01:45
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC_Name
    Description:
    Faulting application name: lsass.exe, version: 6.3.9600.17415, time stamp: 0x545042fe
    Faulting module name: ESENT.dll, version: 6.3.9600.18429, time stamp: 0x579cdff7
    Exception code: 0xc0000005
    Fault offset: 0x00000000000dd82f
    Faulting process id: 0x2b0
    Faulting application start time: 0x01d3822067c8bed7
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ESENT.dll
    Report Id: effadc02-efa3-11e7-80f2-cc46d6c06181
    Faulting package full name: 
    Faulting package-relative application ID:

    -----------------------------------------------------------------------------------------------------------------

    Following are the .wer file details, which are created in the error reporting folder when lsass crashes.

    Version=1
    EventType=APPCRASH
    EventTime=131593609054867485
    ReportType=2
    Consent=1
    ReportIdentifier=effadc03-efa3-11e7-80f2-cc46d6c06181
    IntegratorReportIdentifier=effadc02-efa3-11e7-80f2-cc46d6c06181
    NsAppName=lsass.exe
    Response.type=4
    Sig[0].Name=Application Name
    Sig[0].Value=lsass.exe
    Sig[1].Name=Application Version
    Sig[1].Value=6.3.9600.17415
    Sig[2].Name=Application Timestamp
    Sig[2].Value=545042fe
    Sig[3].Name=Fault Module Name
    Sig[3].Value=ESENT.dll
    Sig[4].Name=Fault Module Version
    Sig[4].Value=6.3.9600.18429
    Sig[5].Name=Fault Module Timestamp
    Sig[5].Value=579cdff7
    Sig[6].Name=Exception Code
    Sig[6].Value=c0000005
    Sig[7].Name=Exception Offset
    Sig[7].Value=00000000000dd82f
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=6.3.9600.2.0.0.272.7
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1053
    DynamicSig[22].Name=Additional Information 1
    DynamicSig[22].Value=fe9d
    DynamicSig[23].Name=Additional Information 2
    DynamicSig[23].Value=fe9d6c70ff1af8e04a906c7e1170a9ee
    DynamicSig[24].Name=Additional Information 3
    DynamicSig[24].Value=9429
    DynamicSig[25].Name=Additional Information 4
    DynamicSig[25].Value=9429331c9d762061143decbf1eeee645
    UI[2]=C:\Windows\system32\lsass.exe
    UI[5]=Check online for a solution (recommended)
    UI[6]=Check for a solution later (recommended)
    UI[7]=Close
    UI[8]=Local Security Authority Process stopped working and was closed
    UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
    UI[10]=&Close
    FriendlyEventName=Stopped working
    ConsentKey=APPCRASH
    AppName=Local Security Authority Process
    AppPath=C:\Windows\system32\lsass.exe
    NsPartner=windows
    NsGroup=windows8
    ApplicationIdentity=8102D8877E41CC9ABDB06D18FC7E6609

    Now all the details are here. So please let me know if there is any solution and where the problem is, or if you can guide me further to look into it more deeply.

    Tuesday, January 2, 2018 7:40 PM
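
Added example, not part of the original thread: a small Python triage helper for the Report.wer fields quoted in the post above. It pairs the `Sig[n]` names with their values, converts `EventTime` from a Windows FILETIME to UTC, and shows that the signed status `-1073741819` in event 1074 is the same value as `c0000005` in events 1000 and 1015. The function names are hypothetical, and the sample text is an abridged copy of the values posted above.

```python
"""Triage helper for a Windows Error Reporting (.wer) APPCRASH report."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: abridged from the Report.wer fields quoted in the post.
SAMPLE_WER = r"""Version=1
EventType=APPCRASH
EventTime=131593609054867485
Sig[0].Name=Application Name
Sig[0].Value=lsass.exe
Sig[1].Name=Application Version
Sig[1].Value=6.3.9600.17415
Sig[3].Name=Fault Module Name
Sig[3].Value=ESENT.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.18429
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=00000000000dd82f
LoadedModule[0]=C:\Windows\system32\lsass.exe
LoadedModule[56]=C:\Windows\system32\ESENT.dll
"""

STATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
_INDEXED = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.(Name|Value)=(.*)$")


def load_wer(path):
    # Assumption: Report.wer on disk is UTF-16 with a BOM, as WER normally writes it.
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_wer(text):
    """Return (plain key/value fields, {signature name: value}, loaded modules)."""
    fields, pairs, modules = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if "=" not in line:
            continue
        m = _INDEXED.match(line)
        if m:
            kind, idx, part, value = m.groups()
            pairs.setdefault((kind, int(idx)), {})[part] = value
        elif line.startswith("LoadedModule["):
            modules.append(line.split("=", 1)[1])
        else:
            key, value = line.split("=", 1)
            fields[key] = value
    # A Name without a Value (or the reverse) is dropped rather than guessed.
    sig = {pairs[k]["Name"]: pairs[k]["Value"]
           for k in sorted(pairs) if {"Name", "Value"} <= pairs[k].keys()}
    return fields, sig, modules


def filetime_to_utc(filetime):
    """Windows FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(filetime) // 10)


def ntstatus_from_signed(value):
    """Event 1074 prints the exit status as a signed 32-bit decimal."""
    return int(value) & 0xFFFFFFFF


def crash_signature(sig):
    """Fields that identify the same crash across hosts and dates."""
    return (
        sig.get("Application Name", "").lower(),
        sig.get("Fault Module Name", "").lower(),
        sig.get("Fault Module Version", ""),
        int(sig.get("Exception Code", "0"), 16),
        int(sig.get("Exception Offset", "0"), 16),
    )


def summarize(text):
    fields, sig, modules = parse_wer(text)
    app, module, mod_ver, code, offset = crash_signature(sig)
    return {
        "event_type": fields.get("EventType"),
        "time_utc": filetime_to_utc(fields["EventTime"]).strftime("%Y-%m-%d %H:%M:%S"),
        "process": app,
        "fault": f"{module}+0x{offset:x}",
        "module_version": mod_ver,
        "status": f"0x{code:08X}",
        "status_name": STATUS_NAMES.get(code, "unknown"),
        "module_loaded": any(m.lower().endswith("\\" + module) for m in modules),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WER).items():
        print(f"{key:15} {value}")
    print("event 1074 status:", hex(ntstatus_from_signed(-1073741819)))
```

Running `crash_signature` over the reports from each DC gives a tuple that can be compared directly, which makes it easy to confirm that every restart is the same ESENT.dll fault rather than several unrelated crashes.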
  • To evaluate the computer environment run this whole command in administrative command prompt.  The files should automatically collect to the desktop.

    Administrative command prompt command to get logs:
    copy %SystemRoot%\minidump\*.dmp "%USERPROFILE%\Desktop\"&dxdiag /t %Temp%\dxdiag.txt&copy %Temp%\dxdiag.txt "%USERPROFILE%\Desktop\SFdebugFiles\"&type %SystemRoot%\System32\drivers\etc\hosts >> "%USERPROFILE%\Desktop\hosts.txt"&systeminfo > "%USERPROFILE%\Desktop\systeminfo.txt"&driverquery /v > "%USERPROFILE%\Desktop\drivers.txt" &msinfo32 /nfo "%USERPROFILE%\Desktop\msinfo32.nfo"&wevtutil qe System /f:text > "%USERPROFILE%\Desktop\eventlog.txt"&reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "%USERPROFILE%\Desktop\uninstall.txt"&reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components" "%USERPROFILE%\Desktop\installed.txt"&net start > "%USERPROFILE%\Desktop\services.txt"&REM wmic startup list full /format:htable >"%USERPROFILE%\Desktop\startup.html"&wmic STARTUP GET Caption, Command, User >"%USERPROFILE%\Desktop\startup.txt"
    Files that are created:
    *.dmp,
    dxdiag.txt,
    hosts.txt,
    systeminfo.txt,
    drivers.txt,
    msinfo32.nfo,
    eventlog.txt,
    uninstall.txt,
    installed.txt,
    services.txt,
    startup.txt

    Dxdiag may need to be found manually if it is not on the desktop:

    In the left lower corner search type:  dxdiag > open each page > allow a few minutes for it to load > post a share link into the thread.

    Look for a memory dump file:  

    C:\Windows\MEMORY.DMP

    Use file explorer > this PC > local C: drive > right upper corner search enter each of the above to find results.
    Tuesday, January 2, 2018 9:34 PM
  • Do you think these are relevant to our said issue?
    Wednesday, January 3, 2018 9:26 AM
  • Is there any clue from anyone.....
    Thursday, January 4, 2018 9:03 PM
  • If you post the log files they can be troubleshooted
    Thursday, January 4, 2018 10:04 PM
  • Please let me know which log you want. I have already shared the event logs before(posts).
    Saturday, January 6, 2018 10:55 PM

  • 1) First make sure that English is the default language before collecting the files:

    https://www.tenforums.com/tutorials/3813-language-add-remove-change-windows-10-a.html

    2) Run this command in an admin command prompt, it'll create some files on the desktop. 

    3) Select the files, copy them to a zip file and upload the zip.

    4) Open administrative command prompt and copy and paste this whole command:

    copy %SystemRoot%\minidump\*.dmp "%USERPROFILE%\Desktop\"&dxdiag /t %Temp%\dxdiag.txt&copy %Temp%\dxdiag.txt "%USERPROFILE%\Desktop\SFdebugFiles\"&type %SystemRoot%\System32\drivers\etc\hosts >> "%USERPROFILE%\Desktop\hosts.txt"&systeminfo > "%USERPROFILE%\Desktop\systeminfo.txt"&driverquery /v > "%USERPROFILE%\Desktop\drivers.txt"&wevtutil qe System /f:text > "%USERPROFILE%\Desktop\eventlog.txt"&reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "%USERPROFILE%\Desktop\uninstall.txt"&reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components" "%USERPROFILE%\Desktop\installed.txt"&net start > "%USERPROFILE%\Desktop\services.txt"&REM wmic startup list full /format:htable >"%USERPROFILE%\Desktop\startup.html"&wmic STARTUP GET Caption, Command, User >"%USERPROFILE%\Desktop\startup.txt" &msinfo32 /nfo "%USERPROFILE%\Desktop\msinfo32.nfo"



    5) In addition to the above sometimes the dxdiag file needs to be found manually:

    In the left lower corner search type:  dxdiag > open each page > allow a few minutes for it to load > save to desktop > post a one drive or drop box share link into the thread.

    6) Perform the following steps:

    7) open administrative command prompt and type or copy and paste:

    8) sfc /scannow

    9) dism /online /cleanup-image /scanhealth

    10) dism /online /cleanup-image /restorehealth

    11) chkdsk /scan

    12) When these have completed > right click on the top bar or title bar of the administrative command prompt box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into the thread
    Sunday, January 7, 2018 3:22 AM
  • Dear Friends,

    Today I will share the solution of the issue mentioned above. It is truly a critical problem in anyone's environment.

    As per me, this lsass crash issue on Windows 2012R2 domain controllers is a bug. This solution is, as of now, a stop-gap solution; however, a few days later MS will release a permanent solution for the same.

    Symptom: lsass.exe terminated unexpectedly with status code -1073741819

    The Lsass process gets overloaded and cannot handle the drivers related to it. The process crashed and wininit forced the system to reboot.

    Errors:

    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          7.12.2017 17:45:52
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC Name
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

    Log Name:      Application
    Source:        Application Error
    Date:          7.12.2017 17:45:51
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC Name
    Description:
    Faulting application name: lsass.exe, version: 6.3.9600.17415, time stamp: 0x545042fe
    Faulting module name: ESENT.dll, version: 6.3.9600.18429, time stamp: 0x579cdff7
    Exception code: 0xc0000005
    Fault offset: 0x00000000000dd82f
    Faulting process id: 0x26c
    Faulting application start time: 0x01d36f32c70ab77a
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ESENT.dll
    Report Id: 1548c42a-db6e-11e7-8102-005056843270
    Faulting package full name:
    Faulting package-relative application ID:

    Log Name:      System
    Source:        User32
    Date:
    Event ID:      1074
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      DC Name
    Description:
    The process wininit.exe has initiated the restart of computer DC_Name on behalf of user for the following reason: No title for this reason could be found.
     Reason Code: 0x50006
     Shutdown Type: restart
     Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

     

    Resolution: 

    The Lsass process was not able to handle huge LDAP queries and was forced to crash. After increasing the MaxTempTableSize parameter value, LDAP queries were handled properly by LSASS.EXE.

    The goal is to increase MaxTempTableSize up to a maximum of 100000 on the LDAP query settings so that DC can resolve

    Provided the following action plan:

    1. The goal is to increase MaxTempTableSize up to a maximum of 100000 on the LDAP settings as per: https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil
    2. Viewing current policy settings:
      1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
      2. At the LDAP policy command prompt, type connections, and then press ENTER.
      3. At the server connection command prompt, type connect to server DNS name of server, and then press ENTER. You want to connect to the server that you are currently working with.
      4. At the server connection command prompt, type q, and then press ENTER to return to the previous menu.
      5. At the LDAP policy command prompt, type Show Values, and then press ENTER.
    3. Modifying policy settings
      1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
      2. At the LDAP policy command prompt, type Set setting to variable (For example: Set MaxTempTableSize to 100000), and then press ENTER.

    In my environment this solved the issue.

    Sunday, February 11, 2018 3:39 PM