Asker
Windows Server 2012 restarts abnormally: lsass.exe fault in module schannel.dll

Question
-
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>6.2</WindowsNTVersion>
    <Build>9200 </Build>
    <Product>(0x7): Windows Server 2012 Standard</Product>
    <Edition>ServerStandard</Edition>
    <BuildString>9200.16384.amd64fre.win8_rtm.120725-1247</BuildString>
    <Revision>Unknown</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2052</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>616</Pid>
    <ImageName>lsass.exe</ImageName>
    <CmdLineSignature>00000000</CmdLineSignature>
    <Uptime>1036406881</Uptime>
    <ProcessVmInformation>
      <PeakVirtualSize>45723648</PeakVirtualSize>
      <VirtualSize>44126208</VirtualSize>
      <PageFaultCount>24982</PageFaultCount>
      <PeakWorkingSetSize>13295616</PeakWorkingSetSize>
      <WorkingSetSize>13287424</WorkingSetSize>
      <QuotaPeakPagedPoolUsage>102512</QuotaPeakPagedPoolUsage>
      <QuotaPagedPoolUsage>102288</QuotaPagedPoolUsage>
      <QuotaPeakNonPagedPoolUsage>26672</QuotaPeakNonPagedPoolUsage>
      <QuotaNonPagedPoolUsage>23584</QuotaNonPagedPoolUsage>
      <PagefileUsage>5992448</PagefileUsage>
      <PeakPagefileUsage>6160384</PeakPagefileUsage>
      <PrivateUsage>5992448</PrivateUsage>
    </ProcessVmInformation>
    <ParentProcess>
      <ProcessInformation>
        <Pid>516</Pid>
        <ImageName>wininit.exe</ImageName>
        <CmdLineSignature>00000000</CmdLineSignature>
        <Uptime>1036408086</Uptime>
        <ProcessVmInformation>
          <PeakVirtualSize>61292544</PeakVirtualSize>
          <VirtualSize>59162624</VirtualSize>
          <PageFaultCount>1293</PageFaultCount>
          <PeakWorkingSetSize>4071424</PeakWorkingSetSize>
          <WorkingSetSize>4022272</WorkingSetSize>
          <QuotaPeakPagedPoolUsage>122896</QuotaPeakPagedPoolUsage>
          <QuotaPagedPoolUsage>121392</QuotaPagedPoolUsage>
          <QuotaPeakNonPagedPoolUsage>10432</QuotaPeakNonPagedPoolUsage>
          <QuotaNonPagedPoolUsage>8384</QuotaNonPagedPoolUsage>
          <PagefileUsage>991232</PagefileUsage>
          <PeakPagefileUsage>1236992</PeakPagefileUsage>
          <PrivateUsage>991232</PrivateUsage>
        </ProcessVmInformation>
      </ProcessInformation>
    </ParentProcess>
  </ProcessInformation>
  <ProblemSignatures>
    <EventType>BEX64</EventType>
    <Parameter0>lsass.exe</Parameter0>
    <Parameter1>6.2.9200.16384</Parameter1>
    <Parameter2>50108ab2</Parameter2>
    <Parameter3>schannel.DLL</Parameter3>
    <Parameter4>6.2.9200.16384</Parameter4>
    <Parameter5>5010892c</Parameter5>
    <Parameter6>0000000000049057</Parameter6>
    <Parameter7>c0000409</Parameter7>
    <Parameter8>0000000000000003</Parameter8>
  </ProblemSignatures>
  <DynamicSignatures>
    <Parameter1>6.2.9200.2.0.0.272.7</Parameter1>
    <Parameter2>2052</Parameter2>
    <Parameter22>c564</Parameter22>
    <Parameter23>c5641952795533b9b9231118b0667531</Parameter23>
    <Parameter24>1172</Parameter24>
    <Parameter25>11723e5d375c4c2a15c8fa5a1a1f09e1</Parameter25>
  </DynamicSignatures>
  <SystemInformation>
    <MID>5E0DADC7-9CFF-49B5-ADA7-0A57253ED57E</MID>
    <SystemManufacturer>HP</SystemManufacturer>
    <SystemProductName>ProLiant DL388p Gen8</SystemProductName>
    <BIOSVersion>P70</BIOSVersion>
    <OSInstallDate>1347545146</OSInstallDate>
  </SystemInformation>
  <DAMInformation> </DAMInformation>
  <Integrator>
    <Flags>80000000</Flags>
    <SuspensionTimeDelta>NULL</SuspensionTimeDelta>
    <ExemptionTimeDelta>NULL</ExemptionTimeDelta>
  </Integrator>
</WERReportMetadata>
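I have seen this two or three times before: the server restarts very suddenly. This time I made a point of collecting the data. The WinDbg output is as follows: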
Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\anyy\Desktop\20170214\WER849D.tmp.dmp]
User Mini Triage Dump File: Only registers, stack and portions of memory are available

--------------------------------
The user dump currently examined is a triage dump. Consequently, only a subset of debugger functionality will be available. If needed, please collect a minidump or a heap dump.
To create a mini user dump use the command: .dump /m <filename>
To create a full user dump use the command: .dump /ma <filename>

Triage dumps have certain values on the stack and in the register contexts overwritten with pattern 0xAAAAAAAA. If you see this value
1. the original value was not NULL
2. the original value was not a direct pointer to a loaded or unloaded image
3. the original value did not point to an object whose VFT points to a loaded or unloaded image (indirect pointer)
4. the original value did not point to the stack itself or any memory area added to the dump (TEB, PEB, memory for CLR stackwalk or exceptions, etc.)
5. the original value was not a valid handle value
--------------------------------

************* Symbol Path validation summary **************
Response    Time (ms)    Location
Deferred                 SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Version 9200 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 6.2.9200.16384 (win8_rtm.120725-1247)
Machine Name:
Debug session time: Tue Feb 14 14:46:32.000 2017 (UTC + 8:00)
System Uptime: 11 days 23:53:40.401
Process Uptime: 11 days 23:53:30.000
...............................................................
Loading unloaded module list
.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(268.15d4): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
schannel!_chkstk+0x5c8d:
000007fe`bc269057 cd29 int 29h
0:005> !vanalyze -v
No export vanalyze found
0:005> !vanalyze -v
No export vanalyze found
0:005> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

DUMP_CLASS: 2
DUMP_QUALIFIER: 400
CONTEXT: (.ecxr)
rax=000000ef2b8ee600 rbx=000000ef2b8ee5f0 rcx=0000000000000003
rdx=000000ef2c9edc60 rsi=0000000000000224 rdi=000000ef2c9604a0
rip=000007febc269057 rsp=000000ef2be9de50 rbp=000000ef2c9edb00
r8=00000000000000af r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000002 r13=0000000000000000
r14=000000ef2b81fbb0 r15=0000000000004874
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
schannel!_chkstk+0x5c8d:
000007fe`bc269057 cd29 int 29h
Resetting default scope

FAULTING_IP:
schannel!_chkstk+5c8d
000007fe`bc269057 cd29 int 29h

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 000007febc269057 (schannel!_chkstk+0x0000000000005c8d)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

PROCESS_NAME: lsass.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
WATSON_BKT_PROCSTAMP: 50108ab2
WATSON_BKT_PROCVER: 6.2.9200.16384
WATSON_BKT_MODULE: schannel.dll
WATSON_BKT_MODSTAMP: 5010892c
WATSON_BKT_MODOFFSET: 49057
WATSON_BKT_MODVER: 6.2.9200.16384
MODULE_VER_PRODUCT: Microsoft® Windows® Operating System
BUILD_VERSION_STRING: 6.2.9200.16384 (win8_rtm.120725-1247)
MODLIST_WITH_TSCHKSUM_HASH: e90930dd401b73fa10e9b246cb4f414daa423444
MODLIST_SHA1_HASH: a8e81b64c88dd20988d9a3b4c8d8a98f760d1931
NTGLOBALFLAG: 0
PRODUCT_TYPE: 3
SUITE_MASK: 272
DUMP_FLAGS: 102c6
DUMP_TYPE: 1
APP: lsass.exe
ANALYSIS_SESSION_HOST: ANYY-PC
ANALYSIS_SESSION_TIME: 02-15-2017 09:09:57.0951
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: CHS

PROBLEM_CLASSES:
LIST_ENTRY_CORRUPT
    Tid [0x0]
    Frame [0x00]
    Failure Bucketing
CRITICAL_PROCESS_FAULT
    Tid [0x0]
    Frame [0x00]

BUGCHECK_STR: CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT
DEFAULT_BUCKET_ID: CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT
LAST_CONTROL_TRANSFER: from 000007febc22742f to 000007febc269057

STACK_TEXT:
000000ef`2be9de50 000007fe`bc22742f : 000000ef`2ca218c0 000000ef`2ca218c0 000000ef`2be9e129 000000ef`2be9e129 : schannel!_chkstk+0x5c8d
000000ef`2be9e060 000007fe`bc8ccde3 : 000000ef`2c9e1d20 00000000`00000000 aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa : schannel!SpInitLsaModeContext+0x492
000000ef`2be9e150 000007fe`bc8cc4b4 : 000000ef`2be9e770 000000ef`2be9e760 000000ef`2be9e3d0 aaaaaaaa`aaaaaaaa : lsasrv!WLsaInitContext+0x493
000000ef`2be9e290 000007fe`bca01643 : aaaaaaaa`aaaaaaaa 000000ef`2be9e9d0 000000ef`2be9e739 000007fe`bdcadc01 : lsasrv!SspiExProcessSecurityContext+0x4f4
000000ef`2be9e6a0 000007fe`bdc92005 : aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa : sspisrv!SspirProcessSecurityContext+0x1d3
000000ef`2be9e7f0 000007fe`bdca76c0 : 000007fe`bca03c82 000000ef`2be9eca0 00000000`00000000 00000000`00000000 : rpcrt4!Invoke+0x65
000000ef`2be9e8c0 000007fe`bdca8a9d : 000007f7`6ac52510 000007f7`6ac52410 000000ef`2be9ef20 aaaaaaaa`aaaaaaaa : rpcrt4!NdrStubCall2+0x33c
000000ef`2be9eef0 000007fe`bdc922a4 : aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa : rpcrt4!NdrServerCall2+0x1d
000000ef`2be9ef20 000007fe`bdc921bd : aaaaaaaa`aaaaaaaa 000000ef`2be9f070 000000ef`2be9f160 000007fe`bfd35780 : rpcrt4!DispatchToStubInCNoAvrf+0x14
000000ef`2be9ef70 000007fe`bdc92db3 : 00000000`00000000 00000000`00000000 00000000`00000000 aaaaaaaa`aaaaaaaa : rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x17d
000000ef`2be9f110 000007fe`bdc929fc : 000000ef`2be9f310 aaaaaaaa`aaaaaaaa 00000000`00000000 aaaaaaaa`aaaaaaaa : rpcrt4!LRPC_SCALL::DispatchRequest+0x91e
000000ef`2be9f210 000007fe`bdc927ad : aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa 00000000`00000000 00000000`00000000 : rpcrt4!LRPC_SCALL::HandleRequest+0x7d2
000000ef`2be9f360 000007fe`bdc9160b : 00000000`00000000 000000ef`2bc4caa8 00000000`00000000 00000000`00000000 : rpcrt4!LRPC_ADDRESS::ProcessIO+0x17bb
000000ef`2be9f4d0 000007fe`bfd3c52b : 000000ef`2bc4caa8 00000000`00000000 00000000`00000000 00000000`00000000 : rpcrt4!LrpcIoComplete+0x97
000000ef`2be9f560 000007fe`bfd38576 : 00000000`00000004 aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa 00000000`00000000 : ntdll!TppAlpcpExecuteCallback+0x21b
000000ef`2be9f680 000007fe`bf7b167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x388
000000ef`2be9f920 000007fe`bfd4c3f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x1a
000000ef`2be9f950 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

THREAD_SHA1_HASH_MOD_FUNC: 2656803a2fc9e6e1be65025e0afc514b5f5038a6
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 37b6ae8125ea166c43e705987be1d4d218781a6e
THREAD_SHA1_HASH_MOD: e0c71a366f2f3999556ec7defde7e8f668225d57

FOLLOWUP_IP:
schannel!SpInitLsaModeContext+492
000007fe`bc22742f 8bd8 mov ebx,eax

FAULT_INSTR_CODE: c085d88b
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: schannel!SpInitLsaModeContext+492
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: schannel
IMAGE_NAME: schannel.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5010892c
STACK_COMMAND: .ecxr ; kb
BUCKET_ID: CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_schannel!SpInitLsaModeContext+492
PRIMARY_PROBLEM_CLASS: CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_schannel!SpInitLsaModeContext+492
BUCKET_ID_OFFSET: 492
BUCKET_ID_MODULE_STR: schannel
BUCKET_ID_MODTIMEDATESTAMP: 5010892c
BUCKET_ID_MODCHECKSUM: 6b927
BUCKET_ID_MODVER_STR: 6.2.9200.16384
BUCKET_ID_PREFIX_STR: CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_
FAILURE_PROBLEM_CLASS: CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT
FAILURE_EXCEPTION_CODE: c0000409
FAILURE_IMAGE_NAME: schannel.dll
FAILURE_FUNCTION_NAME: SpInitLsaModeContext
BUCKET_ID_FUNCTION_STR: SpInitLsaModeContext
FAILURE_SYMBOL_NAME: schannel.dll!SpInitLsaModeContext
FAILURE_BUCKET_ID: CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_c0000409_schannel.dll!SpInitLsaModeContext
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/lsass.exe/6.2.9200.16384/50108ab2/schannel.dll/6.2.9200.16384/5010892c/c0000409/00049057.htm?Retriage=1
TARGET_TIME: 2017-02-14T06:46:32.000Z
OSBUILD: 9200
OSSERVICEPACK: 16384
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 8
OSEDITION: Windows 8 Server TerminalServer SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2012-07-26 10:15:22
BUILDDATESTAMP_STR: 120725-1247
BUILDLAB_STR: win8_rtm
BUILDOSVER_STR: 6.2.9200.16384
ANALYSIS_SESSION_ELAPSED_TIME: 4d7
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:critical_process_fault_list_entry_corrupt_c0000409_schannel.dll!spinitlsamodecontext
FAILURE_ID_HASH: {ed4a3117-7f48-62e2-691c-5a30866df4b3}
Followup: MachineOwner
---------
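Added example, not part of the original thread and not Microsoft's code: a Python triage of the WER metadata posted in the question. It maps the BEX64 problem-signature parameters to named fields, decodes the c0000409 fast-fail subcode, and flags reports that fall in the same bucket as this crash. The names `triage`, `link_date` and the result keys are chosen here; the sample is cut down from the report in the question.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# BEX/BEX64 bucket fields in the order WER stores them (Parameter0..Parameter8).
BEX_FIELDS = ("app_name", "app_version", "app_timestamp", "module_name",
              "module_version", "module_timestamp", "offset",
              "exception_code", "exception_data")

# __fastfail subcodes (winnt.h, first entries); for c0000409 the subcode
# is reported as the exception data.
FAST_FAIL = {0: "FAST_FAIL_LEGACY_GS_VIOLATION",
             1: "FAST_FAIL_VTGUARD_CHECK_FAILURE",
             2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
             3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
             4: "FAST_FAIL_INCORRECT_STACK",
             5: "FAST_FAIL_INVALID_ARG"}
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

# Constructed sample: the <ProblemSignatures> element of the report in the
# question, with the other sections left out.
SAMPLE = """<WERReportMetadata><ProblemSignatures>
<EventType>BEX64</EventType>
<Parameter0>lsass.exe</Parameter0><Parameter1>6.2.9200.16384</Parameter1>
<Parameter2>50108ab2</Parameter2><Parameter3>schannel.DLL</Parameter3>
<Parameter4>6.2.9200.16384</Parameter4><Parameter5>5010892c</Parameter5>
<Parameter6>0000000000049057</Parameter6><Parameter7>c0000409</Parameter7>
<Parameter8>0000000000000003</Parameter8>
</ProblemSignatures></WERReportMetadata>"""

def link_date(hex_stamp):
    """PE link timestamp (hex seconds since 1970) as a UTC date string."""
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc).date().isoformat()

def triage(report):
    """report: str, or the file's raw bytes so the UTF-16 declaration is honoured."""
    sig = ET.fromstring(report).find("ProblemSignatures")
    if sig is None or not (sig.findtext("EventType") or "").strip().startswith("BEX"):
        raise ValueError("not a BEX/BEX64 report")
    r = {n: (sig.findtext(f"Parameter{i}") or "").strip() for i, n in enumerate(BEX_FIELDS)}
    code, sub = int(r["exception_code"], 16), int(r["exception_data"], 16)
    r["fast_fail"] = None
    if code == STATUS_STACK_BUFFER_OVERRUN:
        r["fast_fail"] = FAST_FAIL.get(sub, f"subcode {sub:#x}")
    r["module_built"] = link_date(r["module_timestamp"])
    # Same bucket as this thread: lsass.exe failing fast in schannel.dll on a corrupt list entry.
    r["matches_thread"] = (r["app_name"].lower() == "lsass.exe"
                           and r["module_name"].lower() == "schannel.dll"
                           and r["fast_fail"] == "FAST_FAIL_CORRUPT_LIST_ENTRY")
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:17} {value}")
```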
All replies
-
I found an exactly matching issue on the Microsoft website.
See the link for details:
https://support.microsoft.com/zh-cn/help/2952379/windows-server-2012-restarts-unexpectedly-and-application-error-1000-is-logged-in-the-application-log
Cause
This problem occurs because Domain Controllers do not handle some security context correctly. lsass.exe refers to a NULL pointer if no memory is allocated for the pOutput->pBuffers[0].pvBuffer function or if the ASC_REQ_ALLOCATE_MEMORY flag is set to request LSA to allocate memory.
Hopefully this resolves it; I'll try it tonight after work.
- Proposed as answer by Eve Wang (Microsoft contingent staff, Moderator), February 27, 2017 3:15
-
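Hello,
Did the hotfix provided in KB 2952379 help?
We recommend that you use Windows Update to check for and install important Windows updates/hotfixes so that the system has the latest updates installed; this helps resolve some known issues and improves system performance.
If any changes were made before the problem occurred, such as installing/replacing hardware or installing/updating software/drivers, you can try undoing them and then confirm whether the problem occurs again.
In addition, analysis of dump files is beyond the support scope of this forum. If you need related technical support, we recommend contacting Microsoft Customer Support and Services by phone:
400 820 3800 or 800 820 3800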
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Eve Wang (Microsoft contingent staff, Moderator), February 27, 2017 3:15
-
Hello!
How are things now?
If you need our further assistance, you can reply in this thread at any time.
Best Regards,
Eve Wang