{"id":128,"date":"2014-07-01T16:00:23","date_gmt":"2014-07-01T20:00:23","guid":{"rendered":"http:\/\/blog.metcorp.org\/?p=128"},"modified":"2014-07-23T21:07:54","modified_gmt":"2014-07-24T01:07:54","slug":"lsass-crashing-cnf-objects-may-be-the-cause","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=128","title":{"rendered":"LSASS Crashing, CNF Objects May Be the Cause"},"content":{"rendered":"<blockquote>\n<h4>What Happens and How Do I Know if I\u2019m Affected?<\/h4>\n<p>When CNF mangled NTDS settings objects are created, the Lsass.exe process may crash and unexpectedly reboot one or more domain controllers. So there is a pretty good chance you\u2019ll know about it. You may not know the root cause of the crash. More specifically though you\u2019ll see the following events in the Application Log which you can look for.<\/p>\n<blockquote><p>Log Name: Application<br \/>\nSource: Application Error<br \/>\nDate: <var>DateTime<\/var><br \/>\nEvent ID: 1000<br \/>\nTask Category: Application Crashing Events<br \/>\nLevel: Error<br \/>\nKeywords: Classic<br \/>\nUser: N\/A<br \/>\nComputer: <var>ComputerName<\/var><br \/>\nDescription:<br \/>\nFaulting application name: lsass.exe, version: 6.1.7601.17725, time stamp: 0x4ec483fc<br \/>\nFaulting module name: ntdll.dll, version: 6.1.7601.18229, time stamp: 0x51fb164a<br \/>\nException code: 0xc0000374<br \/>\nFault offset: 0x00000000000c4102<br \/>\nFaulting process id: 0x1f4<br \/>\nFaulting application start time: 0x01ceb94c671de3dd<br \/>\nFaulting application path: C:\\Windows\\system32\\lsass.exe<br \/>\nFaulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll<br \/>\nReport Id: 80a2cd04-2540-11e3-99e2-441ea1d316a4<br \/>\nFaulting package full name: %14<br \/>\nFaulting package-relative application ID: %15<\/p><\/blockquote>\n<p>And<\/p>\n<blockquote><p>Log Name: Application<br \/>\nSource: Microsoft-Windows-Wininit<br \/>\nDate: <var>DateTime<\/var><br \/>\nEvent ID: 1015<br \/>\nTask Category: None<br \/>\nLevel: Error<br \/>\nKeywords: Classic<br \/>\nUser: N\/A<br \/>\nComputer: <var>ComputerName <\/var><br \/>\nDescription:<br \/>\nA critical system process, C:\\Windows\\system32\\lsass.exe, failed with status code 255. The machine must now be restarted.<\/p><\/blockquote>\n<\/blockquote>\n<p>Read more of the blog post:<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/b\/askpfeplat\/archive\/2014\/06\/23\/lsass-crashing-cnf-objects-may-be-the-cause.aspx\" target=\"_blank\">http:\/\/blogs.technet.com\/b\/<wbr \/>askpfeplat\/archive\/2014\/06\/23\/<wbr \/>lsass-crashing-cnf-objects-<wbr \/>may-be-the-cause.aspx<\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What Happens and How Do I Know if I\u2019m Affected? When CNF mangled NTDS settings objects are created, the Lsass.exe process may crash and unexpectedly reboot one or more domain controllers. So there is a pretty good chance you\u2019ll know about it. You may not know the root cause of the crash. More specifically though &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=128\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[20,50,51,49],"class_list":["post-128","post","type-post","status-publish","format-standard","hentry","category-technical-reference","tag-activedirectory","tag-adconflictobjects","tag-cnf","tag-lsasscrash","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=128"}],"version-history":[{"count":1,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/128\/revisions"}],"predecessor-version":[{"id":129,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/128\/revisions\/129"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}