LSASS.EXE - Error 1073741819

8NsMom

Hello,

Windows 2000 Professional SP4. I was fixing some spyware and got a
little too aggressive in blowing away some parts of the registry.

Now I can't boot the machine up in "normal" mode or "safe mode with
networking" (only Safe Mode). Whenever I get the login screen I get a
memory read error which leads to LSASS .EXE with code 1073741819 and
shut down in 60 seconds.

It is NOT the Sasser virus as the machine (a) had up to date AVG anti-
virus software and (b) I ran the Sasser removal utilities.

Any insight as to how I can repair?

Thanks!
Please respond to me at "glennb" at "team-sys.com".
 
It is NOT the Sasser virus as the machine (a) had up to date AVG anti-
virus software and (b) I ran the Sasser removal utilities.

The Sasser worm and its friends spread via a boundary condition in the
lsass.exe service; the fact that a virus killer is installed makes no
difference to the vulnerability of the service in question, because the
malware in question executes in memory without hitting any disk file,
unless you install the appropriate patch.

If you are not connected to the network when you start up and you STILL
get the problem, then it is worth investigating further, otherwise
download the appropriate software updates elsewhere and install them via
CD. (Or look up the heise.de offline-update kit)
 
Jim - thanks for the reply.

Honestly I think it has more to do with my human error. I am
comfortable in the registry and think I got a little quick with some
of the items I deleted. *I had also run the "LSPfix" tool and perhaps
may have screwed something up that way.* While I didn't delete all
the entries I did delete a couple (can't recall which specifically.)

At any rate I am dumbfounded what to do next. I have tried the Sasser
removal tools and the machine had already been patched. However I am
not familiar with what you wrote "(Or look up the heise.de offline-
update kit)"... I went to the site but not too fluent in German :-(

I did try a reinstall of W2K but that did not work either. Again when
I am in Safe Mode (no networking support) I can get into the OS. But
when I try it w/Networking or normal boot I first get a dialog box
"LSASS.EXE" with the text "The instruction at 0x77fabeb7 referred
memory at 0x00000007. The memory cannot be read. Click OK to
terminate program." Then when I try to login I get the "System
Shutdown" dialog box that yields "The System Process C:\winnt
\system32\lsass.exe terminated unexpectedly with status code -
1073741819.".

Any further help is greatly appreciated!
Glenn
 
| Jim - thanks for the reply.
|
| Honestly I think it has more to do with my human error. I am
| comfortable in the registry and think I got a little quick with some
| of the items I deleted. *I had also run the "LSPfix" tool and perhaps
| may have screwed something up that way.* While I didn't delete all
| the entries I did delete a couple (can't recall which specifically.)
|
| At any rate I am dumbfounded what to do next. I have tried the Sasser
| removal tools and the machine had already been patched. However I am
| not familiar with what you wrote "(Or look up the heise.de offline-
| update kit)"... I went to the site but not too fluent in German :-(
|
| I did try a reinstall of W2K but that did not work either. Again when
| I am in Safe Mode (no networking support) I can get into the OS. But
| when I try it w/Networking or normal boot I first get a dialog box
| "LSASS.EXE" with the text "The instruction at 0x77fabeb7 referred
| memory at 0x00000007. The memory cannot be read. Click OK to
| terminate program." Then when I try to login I get the "System
| Shutdown" dialog box that yields "The System Process C:\winnt
| \system32\lsass.exe terminated unexpectedly with status code -
| 1073741819.".
|
| Any further help is greatly appreciated!
| Glenn


Are you using Win2K SP4 and the Post-SP4 Rollup?

Is the following installed?

Win2K KB835732
http://www.microsoft.com/downloads/...7E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
 
Hi David,

Yes it is installed.
:(

-Glenn
 
|
| Hi David,
|
| Yes it is installed.
| :(
|
| -Glenn

Then it isn't an Internet worm attempting to exploit a buffer overflow condition in the
LSASS module.

I have seen numerous posts now where WinXP and Win2K can generate the below 60 sec. shutdown
message and NOT be caused by Internet worm activity. Unfortunately, I have yet to find a
cause and a corrective measure.

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819

or

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819
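The status code in the shutdown message above is a signed rendering of an NTSTATUS value. The decoder below is an added example, not code from any poster: it converts the negative exit code back to its 32-bit form and splits out the severity, facility and code fields (the known-name table only covers the code seen in this thread).

```python
# Decode the "terminated unexpectedly with status code N" value from the
# Win2K/XP 60-second shutdown dialog into its NTSTATUS fields.
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# Only the value that appears in this thread; extend as needed.
KNOWN_NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}


def ntstatus_from_exit_code(exit_code: int) -> dict:
    """Map a signed 32-bit exit code (as printed by the shutdown dialog)
    to its unsigned NTSTATUS and the bit fields defined by ntstatus.h:
    bits 31-30 severity, bit 29 customer flag, bits 27-16 facility,
    bits 15-0 the code itself."""
    status = exit_code & 0xFFFFFFFF          # -1073741819 -> 0xC0000005
    return {
        "hex": f"0x{status:08X}",
        "severity": SEVERITY[status >> 30],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": KNOWN_NTSTATUS.get(status, "unknown"),
    }


if __name__ == "__main__":
    # The value quoted in the thread.
    print(ntstatus_from_exit_code(-1073741819))
```

A severity of ERROR with facility 0 and code 5 is an access violation inside lsass.exe, which is consistent with the "memory cannot be read" dialog Glenn describes but says nothing by itself about whether the trigger is local or network-borne.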
 
I do have a little more insight. If the network cable is UNplugged I
can boot into the OS in both "Normal" and "Safe Mode with
Networking". However as soon as I plug the network cable in I get the
error message. I am virtually certain though it is not the Sasser
worm.

Thanks!
Glenn
 
I do have a little more insight. If the network cable is UNplugged I
can boot into the OS in both "Normal" and "Safe Mode with
Networking". However as soon as I plug the network cable in I get the
error message. I am virtually certain though it is not the Sasser
worm.

Then if I were in your situation, I'd be plugging a secured system with the
current version of Wireshark installed, and see which system out there is
banging out lots of ARP requests to machines on the subnet that don't exist;
apply an axe to that machine, and then see if the problems on your machine go away.

Jim
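Jim's suggestion is to capture on a clean machine and look for a host sweeping the subnet with ARP requests for addresses that nobody answers. The script below is an added example (not from the thread): it reads lines in the shape of Wireshark's ARP info column and reports requesters with many unanswered targets; the sample lines and the threshold are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Wireshark/tshark's ARP info column
# (not a capture from the thread). 192.168.1.50 sweeps addresses that
# nobody answers for; 192.168.1.60 does one ordinary, answered lookup.
SAMPLE_ARP = [
    "Who has 192.168.1.1? Tell 192.168.1.60",
    "192.168.1.1 is at 00:aa:bb:cc:dd:01",
    "Who has 192.168.1.10? Tell 192.168.1.50",
    "192.168.1.10 is at 00:aa:bb:cc:dd:0a",
] + [f"Who has 192.168.1.{n}? Tell 192.168.1.50" for n in range(200, 212)]

REQUEST = re.compile(r"Who has (\S+)\? Tell (\S+)")
REPLY = re.compile(r"(\S+) is at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def find_arp_scanners(lines, min_unanswered=5):
    """Return {requester_ip: count} for hosts that asked for at least
    min_unanswered distinct addresses which never sent an ARP reply."""
    asked = defaultdict(set)   # requester -> targets it asked about
    answered = set()           # addresses that replied at any point
    for line in lines:
        m = REQUEST.search(line)
        if m:
            target, requester = m.groups()
            asked[requester].add(target)
            continue
        m = REPLY.search(line)
        if m:
            answered.add(m.group(1))
    result = {}
    for requester, targets in asked.items():
        unanswered = len(targets - answered)
        if unanswered >= min_unanswered:
            result[requester] = unanswered
    return result


if __name__ == "__main__":
    hits = find_arp_scanners(SAMPLE_ARP)
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} ARP requests to addresses that never answered")
```

Feed it real data with `tshark -r capture.pcap -Y arp -T fields -e _ws.col.Info`; the threshold should be raised on busy subnets where legitimate hosts also probe a few absent addresses.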
 
|
| I do have a little more insight. If the network cable is UNplugged I
| can boot into the OS in both "Normal" and "Safe Mode with
| Networking". However as soon as I plug the network cable in I get the
| error message. I am virtually certain though it is not the Sasser
| worm.
|
| Thanks!
| Glenn

I could have told you it wasn't the Sasser. That worm is dead. However NUMEROUS other
Internet worms now will exploit the buffer overflow vulnerability in the LSASS module.

What happens when you put this PC behind a SOHO router using NAT, or a SOHO router using NAT
and a full firewall implementation?
 
I am sorry I wasn't clear initially: it is on a SOHO router using NAT
(but without firewall protection). Other PCs on the same router were
not exhibiting this behaviour.

Anyway I did fix/solve the problem. While I can't pinpoint the
*exact* cure as I did many things, I have a suspicion that I know what
it was that fixed it. I removed all networking components via Add/
Remove, then uninstalled the TCP/IP protocol under the network card.
I did a regclean from there and a fresh reboot (and for good measure a
thorough virus/malware scan). Then I added TCP/IP back to the
network card. Success!

Thanks Jim and Dave for all your help and assistance!

-Glenn
 