Article ID: 938482 - Last Review: October 11, 2007 - Revision: 1.2

The Lsass.exe process may stop responding on a Windows Server 2003-based computer or on a Windows XP-based computer that is in an Active Directory domain environment

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Expand all | Collapse all

SYMPTOMS

In an Active Directory domain environment, the Lsass.exe process may stop responding on a Microsoft Windows Server 2003-based computer or on a Microsoft Windows XP-based computer.

In this situation, you receive the following error message:
System Shutdown - The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost.

This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in <number> seconds.

Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code <error code>. The system will now shut down and restart.
Additionally, the following event is logged in the Application log:

Event Type: Information
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Description:
Reporting queued error: faulting application lsass.exe, version <version number>, faulting module ipsecsvc.dll, version 5.2.3790.3959, fault address <memory address>.

This problem may occur if the following conditions are true:
  • Some Internet Protocol Security (Ipsec) policies are configured to help secure network communication.
  • Security settings are customized for all Group Policy objects (GPOs) that are applied to domain computers. Specifically, the Everyone group and the Authenticated Users group do not have permission to access any GPO. All other groups, such as the Domain Users group and the Domain Computers group, have permission to access the GPOs.
  • On Windows Server 2003-based computers, Windows Server 2003 Service Pack 2 is installed.
  • On Windows XP-based computers, a hotfix is installed. This hotfix has a file version that is either later than or equal to the file version that is described in the following Microsoft Knowledge Base article:
    895406  (http://support.microsoft.com/kb/895406/ ) All policies on a Windows XP-based computer are refreshed when you enable an IPsec policy
Back to the top

CAUSE

This problem occurs because the Ipsec module (IPSecsvc.dll) generates an error when the Everyone group and the Authenticated Users group do not have the Read permission and the Apply Policy permission to access any GPO.
Back to the top

WORKAROUND

To work around this problem, make sure that the Authenticated Users group has the Read permission and the Apply Policy permission to access at least one GPO that is applied to domain computers. To do this, grant the Authenticated Users group the Read permission and the Apply Policy permission to the default domain policy.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Professional
Back to the top
Keywords: 
kberrmsg kbtshoot kbprb kbexpertiseinter KB938482
Back to the top