Password Change Causes Server Reboot (Possible lsass / acronis error)

[RCorbet]

We are currently experiencing a problem with one of our Windows 2003 servers.

The server is a new machine, a Dell PowerEdge 1850. It has the Dell Factory install of Windows 2003 on it. The server is also running MSSQL 2000, ColdFusion MX 6.1 and Plesk 7.5.

When a user logs in through Terminal Service (Administration mode) and changes their password, the machine is rebooted. (Windows Security, Change Password, Enter current and new passwords, then server reboots. The server dones’t

The following error is shown on screen:

The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORTY\SYSTEM. Shutdown will begin in 58 seconds. Shutdown message: The system process ‘C:\windows\system32\lsass.exe’ terminated unexpectedly with status code -1073740972. The system will now shut down and restart.

The following items can also be found in the Application error log around this time:

Event ID: 1004
Reporting queued error: faulting application winlogon.exe, version 0.0.0.0, faulting module msgina.dll, version 5.2.3790.0, fault address 0x000118e6.

Event ID: 1004
Reporting queued error: faulting application lsass.exe, version 5.2.3790.0, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x0003c10b.

Event ID: 1000
Faulting application , version 0.0.0.0, faulting module msgina.dll, version 5.2.3790.0, fault address 0x000118e6.

Event ID: 1015
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000354. The machine must now be restarted.

Event ID: 1000
Faulting application lsass.exe, version 5.2.3790.0, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x0003c10b.

Errors in System Error Log:

Event ID: 26
Application popup: System Shutdown : The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Shutdown will begin in 58 seconds. Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073740972. The system will now shut down and restart..

Event ID: 1074
The process winlogon.exe has initiated the restart of computer KRYTON on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073740972. The system will now shut down and restart.

Event ID: 5000
The security package ACRONIS_RELOGON_AUTHENTICATION_PACKAGE generated an exception. The exception information is the data.


I have looked at a few MS KB articles, that seem to be similar, but not exactly the same as the problem that we are experiencing:

http://support.microsoft.com/default.aspx?scid=kb;en-us;818080

I know that a lost of LSASS.exe reboots are caused by the SASSER virus. I’ve scanned our machine with AV software, and also run the removal tool from Symantec – the machine has shown to be clean of this virus.

We are running Plesk 7.5 for windows on the machine http://www.sw-soft.com/en/products/plesk75win/ which seems to have installed some Acronis software – I wonder as that is the first thing to show in the error logs if that is the source of the problem?

Has anyone else experienced this problem? Can anyone offer any suggestions for a resolution to this problem.

Thank you for your help.

Kind regards,

Roland

 

[ColorPrint]

If you're not using trial Acronis software, try to uninstall it

 

[RCorbet]

Unfortunately, it is the version that was installed by Plesk - which I think is the trial copy. I've looked in the Start Menu, and also under add/remove programs, but there doesn't seem any way to remove it.

I have also tried stopping the two Acronis services that appear to be running, but this has not solved the problem.

 

[ColorPrint]

Originally posted by RCorbet
Unfortunately, it is the version that was installed by Plesk - which I think is the trial copy. I've looked in the Start Menu, and also under add/remove programs, but there doesn't seem any way to remove it.

I have also tried stopping the two Acronis services that appear to be running, but this has not solved the problem.

Run Plesk setup again and change components

 

[RCorbet]

I went into Add/Remove programs and selected "change" on the Plesk install. I then removed the acronis backup software, and rebooted an instructed by the removal.

Unfortunately, this doesn't seem to have performed a clean removal, as there is still an acronis service present in the services MMC. (I disabled this so that it doesn't run though)

The password change still causes the machine to reboot, and the first item that seems to fail in the event log is still the ACRONIS_RELOGON_AUTHENTICATION_PACKAGE.

Is this an integral part of Plesk?

 

[RCorbet]

Hi,

We seem to have tracked this bug down to the trial install of Acronis Enterprise Server that is installed with Plesk. Once installed, the problem with LSASS seems to be permanent, and uninstalling the Acronis software doesn't seem to work (it seems to leave things behind such as services, and the LSASS problem!)

We have tested a variety of things to track down the problem and believe it is down to the Acronis software.

To replicate the problem:

1. Take a clean copy of Windows Server 2003 Standard (fully patched).
2. Download the trial version of Acronis True Image Enterprise Server from: http://www1.acronis.com/enterprise/download/ATIESWin/
3. Install the Acronis Software.
4.Go and try to change your password (user belonging to the admin group) when using Remote Desktop (Use windows security from the start menu).
5. The machine will then be forced to reboot by an LSASS problem.

I'll try and see if anyone else is experiencing this problem with Acronis by posting to the Acronis forums. In the meantime, however, I think it would be best to avoid installing the Acronis option when installing Plesk. We're probably going to have to do a clean install on our deployed server in order to ensure that Acronis doesn't contaminate the machine!

 

[RCorbet]

I've posted the problem we've been able to recreate over at the Acronis forums.

If anyone wants to check progress, check out the link:

http://www.wilderssecurity.com/showthread.php?t=73952

Cheers,

Roland

 

[gljiva]

plesk w/ acroinis installed, same behavior during password change using rdp. Same behaviour remains after acronis is uninstalled and services stoped.

 

[systron]

LSASS.exe Causing reboots

Mine Also causing reboots, Any Solutions? As Last MS Solution is OS Reload ? Hope MS`ians are not teased ??

 

[gljiva]

only solution was to reinstall (OS) and than to install plesk w/o acronis.

 

[erenner]

hi,

is the only solution to reinstall OS and plesk?
we have encountered the same problem as rcorbet described.
i think the same situation occurs if the password change is applied via local logon.
please help
thanks & regards,
er

 

[korence]

Nice post for password change. However, the more I know before for password change is how to use the tool-Windows Password Key to change Windows password. This tool has helped me login locked Windows 8 computer without password. Since it removed the password that I forgot. Maybe you can click here to learn more about Windows Password Key.

 

[PAWLO]

hi,

is the only solution to reinstall OS and plesk?
we have encountered the same problem as rcorbet described.
i think the same situation occurs if the password change is applied via local logon.
please help
thanks & regards,
er

When a user logs in through Terminal Service (Administration mode) and changes their password, the machine is rebooted. (Windows Security, Change Password, Enter current and new passwords, then server reboots. The server dones’t

 

[hatyrafi]

I went into Add/ and selected "change" on the Plesk install. I then removed the acronis backup software, and rebooted an instructed by the removal.

Unfortunately, this doesn't seem to have performed a clean removal, as there is still an acronis service present in the services MMC. (I disabled this so that it doesn't run though)

The password change still causes the machine to reboot, and the first item that seems to fail in the event log is still the ACRONIS_RELOGON_AUTHENTICATION_PACKAGE.

Is this an integral part o auto clicker word unscrambler jumble solver f Plesk?

Unfortunately, it is the version that was installed by Plesk - which I think is the trial copy. I've looked in the Start Menu, and also under add/remove programs, but there doesn't seem any way to remove it.