Windows Server 2012 restarts unexpectedly: lsass.exe fault in module schannel.dll

    Question

  • <?xml version="1.0" encoding="UTF-16"?>
    <WERReportMetadata>
    	<OSVersionInformation>
    		<WindowsNTVersion>6.2</WindowsNTVersion>
    		<Build>9200 </Build>
    		<Product>(0x7): Windows Server 2012 Standard</Product>
    		<Edition>ServerStandard</Edition>
    		<BuildString>9200.16384.amd64fre.win8_rtm.120725-1247</BuildString>
    		<Revision>Unknown</Revision>
    		<Flavor>Multiprocessor Free</Flavor>
    		<Architecture>X64</Architecture>
    		<LCID>2052</LCID>
    	</OSVersionInformation>
    	<ProcessInformation>
    		<Pid>616</Pid>
    		<ImageName>lsass.exe</ImageName>
    		<CmdLineSignature>00000000</CmdLineSignature>
    		<Uptime>1036406881</Uptime>
    		<ProcessVmInformation>
    			<PeakVirtualSize>45723648</PeakVirtualSize>
    			<VirtualSize>44126208</VirtualSize>
    			<PageFaultCount>24982</PageFaultCount>
    			<PeakWorkingSetSize>13295616</PeakWorkingSetSize>
    			<WorkingSetSize>13287424</WorkingSetSize>
    			<QuotaPeakPagedPoolUsage>102512</QuotaPeakPagedPoolUsage>
    			<QuotaPagedPoolUsage>102288</QuotaPagedPoolUsage>
    			<QuotaPeakNonPagedPoolUsage>26672</QuotaPeakNonPagedPoolUsage>
    			<QuotaNonPagedPoolUsage>23584</QuotaNonPagedPoolUsage>
    			<PagefileUsage>5992448</PagefileUsage>
    			<PeakPagefileUsage>6160384</PeakPagefileUsage>
    			<PrivateUsage>5992448</PrivateUsage>
    		</ProcessVmInformation>
    		<ParentProcess>
    			<ProcessInformation>
    				<Pid>516</Pid>
    				<ImageName>wininit.exe</ImageName>
    				<CmdLineSignature>00000000</CmdLineSignature>
    				<Uptime>1036408086</Uptime>
    				<ProcessVmInformation>
    					<PeakVirtualSize>61292544</PeakVirtualSize>
    					<VirtualSize>59162624</VirtualSize>
    					<PageFaultCount>1293</PageFaultCount>
    					<PeakWorkingSetSize>4071424</PeakWorkingSetSize>
    					<WorkingSetSize>4022272</WorkingSetSize>
    					<QuotaPeakPagedPoolUsage>122896</QuotaPeakPagedPoolUsage>
    					<QuotaPagedPoolUsage>121392</QuotaPagedPoolUsage>
    					<QuotaPeakNonPagedPoolUsage>10432</QuotaPeakNonPagedPoolUsage>
    					<QuotaNonPagedPoolUsage>8384</QuotaNonPagedPoolUsage>
    					<PagefileUsage>991232</PagefileUsage>
    					<PeakPagefileUsage>1236992</PeakPagefileUsage>
    					<PrivateUsage>991232</PrivateUsage>
    				</ProcessVmInformation>
    			</ProcessInformation>
    		</ParentProcess>
    	</ProcessInformation>
    	<ProblemSignatures>
    		<EventType>BEX64</EventType>
    		<Parameter0>lsass.exe</Parameter0>
    		<Parameter1>6.2.9200.16384</Parameter1>
    		<Parameter2>50108ab2</Parameter2>
    		<Parameter3>schannel.DLL</Parameter3>
    		<Parameter4>6.2.9200.16384</Parameter4>
    		<Parameter5>5010892c</Parameter5>
    		<Parameter6>0000000000049057</Parameter6>
    		<Parameter7>c0000409</Parameter7>
    		<Parameter8>0000000000000003</Parameter8>
    	</ProblemSignatures>
    	<DynamicSignatures>
    		<Parameter1>6.2.9200.2.0.0.272.7</Parameter1>
    		<Parameter2>2052</Parameter2>
    		<Parameter22>c564</Parameter22>
    		<Parameter23>c5641952795533b9b9231118b0667531</Parameter23>
    		<Parameter24>1172</Parameter24>
    		<Parameter25>11723e5d375c4c2a15c8fa5a1a1f09e1</Parameter25>
    	</DynamicSignatures>
    	<SystemInformation>
    		<MID>5E0DADC7-9CFF-49B5-ADA7-0A57253ED57E</MID>
    		<SystemManufacturer>HP</SystemManufacturer>
    		<SystemProductName>ProLiant DL388p Gen8</SystemProductName>
    		<BIOSVersion>P70</BIOSVersion>
    		<OSInstallDate>1347545146</OSInstallDate>
    	</SystemInformation>
    	<DAMInformation>
    	</DAMInformation>
    	<Integrator>
    		<Flags>80000000</Flags>
    		<SuspensionTimeDelta>NULL</SuspensionTimeDelta>
    		<ExemptionTimeDelta>NULL</ExemptionTimeDelta>
    	</Integrator>
    </WERReportMetadata>

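    I have seen this two or three times before: the server restarted very suddenly. This time I made a point of collecting the data; the WinDbg output is as follows: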

    Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\anyy\Desktop\20170214\WER849D.tmp.dmp]
    User Mini Triage Dump File: Only registers, stack and portions of memory are available
    --------------------------------
      The user dump currently examined is a triage dump. Consequently, only a subset of debugger
      functionality will be available. If needed, please collect a minidump or a heap dump.
          To create a mini user dump use the command: .dump /m <filename>
          To create a full user dump use the command: .dump /ma <filename>
    
      Triage dumps have certain values on the stack and in the register contexts overwritten with
      pattern 0xAAAAAAAA. If you see this value
          1. the original value was not NULL
          2. the original value was not a direct pointer to a loaded or unloaded image
          3. the original value did not point to an object whose VFT points to a loaded or
             unloaded image (indirect pointer)
          4. the original value did not point to the stack itself or any memory area added to
             the dump (TEB, PEB, memory for CLR stackwalk or exceptions, etc.)
          5. the original value was not a valid handle value
    --------------------------------
    
    
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 8 Version 9200 MP (4 procs) Free x64
    Product: Server, suite: TerminalServer SingleUserTS
    Built by: 6.2.9200.16384 (win8_rtm.120725-1247)
    Machine Name:
    Debug session time: Tue Feb 14 14:46:32.000 2017 (UTC + 8:00)
    System Uptime: 11 days 23:53:40.401
    Process Uptime: 11 days 23:53:30.000
    ...............................................................
    Loading unloaded module list
    .
    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (268.15d4): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
    schannel!_chkstk+0x5c8d:
    000007fe`bc269057 cd29            int     29h
    0:005> !vanalyze -v
    No export vanalyze found
    0:005> !vanalyze -v
    No export vanalyze found
    0:005> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    DUMP_CLASS: 2
    
    DUMP_QUALIFIER: 400
    
    CONTEXT:  (.ecxr)
    rax=000000ef2b8ee600 rbx=000000ef2b8ee5f0 rcx=0000000000000003
    rdx=000000ef2c9edc60 rsi=0000000000000224 rdi=000000ef2c9604a0
    rip=000007febc269057 rsp=000000ef2be9de50 rbp=000000ef2c9edb00
     r8=00000000000000af  r9=0000000000000000 r10=0000000000000000
    r11=0000000000000246 r12=0000000000000002 r13=0000000000000000
    r14=000000ef2b81fbb0 r15=0000000000004874
    iopl=0         nv up ei pl nz na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    schannel!_chkstk+0x5c8d:
    000007fe`bc269057 cd29            int     29h
    Resetting default scope
    
    FAULTING_IP: 
    schannel!_chkstk+5c8d
    000007fe`bc269057 cd29            int     29h
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 000007febc269057 (schannel!_chkstk+0x0000000000005c8d)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000000000003
    Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
    
    PROCESS_NAME:  lsass.exe
    
    ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
    
    EXCEPTION_CODE_STR:  c0000409
    
    EXCEPTION_PARAMETER1:  0000000000000003
    
    WATSON_BKT_PROCSTAMP:  50108ab2
    
    WATSON_BKT_PROCVER:  6.2.9200.16384
    
    WATSON_BKT_MODULE:  schannel.dll
    
    WATSON_BKT_MODSTAMP:  5010892c
    
    WATSON_BKT_MODOFFSET:  49057
    
    WATSON_BKT_MODVER:  6.2.9200.16384
    
    MODULE_VER_PRODUCT:  Microsoft? Windows? Operating System
    
    BUILD_VERSION_STRING:  6.2.9200.16384 (win8_rtm.120725-1247)
    
    MODLIST_WITH_TSCHKSUM_HASH:  e90930dd401b73fa10e9b246cb4f414daa423444
    
    MODLIST_SHA1_HASH:  a8e81b64c88dd20988d9a3b4c8d8a98f760d1931
    
    NTGLOBALFLAG:  0
    
    PRODUCT_TYPE:  3
    
    SUITE_MASK:  272
    
    DUMP_FLAGS:  102c6
    
    DUMP_TYPE:  1
    
    APP:  lsass.exe
    
    ANALYSIS_SESSION_HOST:  ANYY-PC
    
    ANALYSIS_SESSION_TIME:  02-15-2017 09:09:57.0951
    
    ANALYSIS_VERSION: 10.0.10586.567 amd64fre
    
    THREAD_ATTRIBUTES: 
    OS_LOCALE:  CHS
    
    PROBLEM_CLASSES: 
    
    
    
    LIST_ENTRY_CORRUPT
        Tid    [0x0]
        Frame  [0x00]
        Failure Bucketing
    
    
    
    CRITICAL_PROCESS_FAULT
        Tid    [0x0]
        Frame  [0x00]
    
    
    BUGCHECK_STR:  CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT
    
    DEFAULT_BUCKET_ID:  CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT
    
    LAST_CONTROL_TRANSFER:  from 000007febc22742f to 000007febc269057
    
    STACK_TEXT:  
    000000ef`2be9de50 000007fe`bc22742f : 000000ef`2ca218c0 000000ef`2ca218c0 000000ef`2be9e129 000000ef`2be9e129 : schannel!_chkstk+0x5c8d
    000000ef`2be9e060 000007fe`bc8ccde3 : 000000ef`2c9e1d20 00000000`00000000 aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa : schannel!SpInitLsaModeContext+0x492
    000000ef`2be9e150 000007fe`bc8cc4b4 : 000000ef`2be9e770 000000ef`2be9e760 000000ef`2be9e3d0 aaaaaaaa`aaaaaaaa : lsasrv!WLsaInitContext+0x493
    000000ef`2be9e290 000007fe`bca01643 : aaaaaaaa`aaaaaaaa 000000ef`2be9e9d0 000000ef`2be9e739 000007fe`bdcadc01 : lsasrv!SspiExProcessSecurityContext+0x4f4
    000000ef`2be9e6a0 000007fe`bdc92005 : aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa : sspisrv!SspirProcessSecurityContext+0x1d3
    000000ef`2be9e7f0 000007fe`bdca76c0 : 000007fe`bca03c82 000000ef`2be9eca0 00000000`00000000 00000000`00000000 : rpcrt4!Invoke+0x65
    000000ef`2be9e8c0 000007fe`bdca8a9d : 000007f7`6ac52510 000007f7`6ac52410 000000ef`2be9ef20 aaaaaaaa`aaaaaaaa : rpcrt4!NdrStubCall2+0x33c
    000000ef`2be9eef0 000007fe`bdc922a4 : aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa : rpcrt4!NdrServerCall2+0x1d
    000000ef`2be9ef20 000007fe`bdc921bd : aaaaaaaa`aaaaaaaa 000000ef`2be9f070 000000ef`2be9f160 000007fe`bfd35780 : rpcrt4!DispatchToStubInCNoAvrf+0x14
    000000ef`2be9ef70 000007fe`bdc92db3 : 00000000`00000000 00000000`00000000 00000000`00000000 aaaaaaaa`aaaaaaaa : rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x17d
    000000ef`2be9f110 000007fe`bdc929fc : 000000ef`2be9f310 aaaaaaaa`aaaaaaaa 00000000`00000000 aaaaaaaa`aaaaaaaa : rpcrt4!LRPC_SCALL::DispatchRequest+0x91e
    000000ef`2be9f210 000007fe`bdc927ad : aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa 00000000`00000000 00000000`00000000 : rpcrt4!LRPC_SCALL::HandleRequest+0x7d2
    000000ef`2be9f360 000007fe`bdc9160b : 00000000`00000000 000000ef`2bc4caa8 00000000`00000000 00000000`00000000 : rpcrt4!LRPC_ADDRESS::ProcessIO+0x17bb
    000000ef`2be9f4d0 000007fe`bfd3c52b : 000000ef`2bc4caa8 00000000`00000000 00000000`00000000 00000000`00000000 : rpcrt4!LrpcIoComplete+0x97
    000000ef`2be9f560 000007fe`bfd38576 : 00000000`00000004 aaaaaaaa`aaaaaaaa aaaaaaaa`aaaaaaaa 00000000`00000000 : ntdll!TppAlpcpExecuteCallback+0x21b
    000000ef`2be9f680 000007fe`bf7b167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x388
    000000ef`2be9f920 000007fe`bfd4c3f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x1a
    000000ef`2be9f950 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
    
    
    THREAD_SHA1_HASH_MOD_FUNC:  2656803a2fc9e6e1be65025e0afc514b5f5038a6
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  37b6ae8125ea166c43e705987be1d4d218781a6e
    
    THREAD_SHA1_HASH_MOD:  e0c71a366f2f3999556ec7defde7e8f668225d57
    
    FOLLOWUP_IP: 
    schannel!SpInitLsaModeContext+492
    000007fe`bc22742f 8bd8            mov     ebx,eax
    
    FAULT_INSTR_CODE:  c085d88b
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  schannel!SpInitLsaModeContext+492
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: schannel
    
    IMAGE_NAME:  schannel.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5010892c
    
    STACK_COMMAND:  .ecxr ; kb
    
    BUCKET_ID:  CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_schannel!SpInitLsaModeContext+492
    
    PRIMARY_PROBLEM_CLASS:  CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_schannel!SpInitLsaModeContext+492
    
    BUCKET_ID_OFFSET:  492
    
    BUCKET_ID_MODULE_STR:  schannel
    
    BUCKET_ID_MODTIMEDATESTAMP:  5010892c
    
    BUCKET_ID_MODCHECKSUM:  6b927
    
    BUCKET_ID_MODVER_STR:  6.2.9200.16384
    
    BUCKET_ID_PREFIX_STR:  CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_
    
    FAILURE_PROBLEM_CLASS:  CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT
    
    FAILURE_EXCEPTION_CODE:  c0000409
    
    FAILURE_IMAGE_NAME:  schannel.dll
    
    FAILURE_FUNCTION_NAME:  SpInitLsaModeContext
    
    BUCKET_ID_FUNCTION_STR:  SpInitLsaModeContext
    
    FAILURE_SYMBOL_NAME:  schannel.dll!SpInitLsaModeContext
    
    FAILURE_BUCKET_ID:  CRITICAL_PROCESS_FAULT_LIST_ENTRY_CORRUPT_c0000409_schannel.dll!SpInitLsaModeContext
    
    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/lsass.exe/6.2.9200.16384/50108ab2/schannel.dll/6.2.9200.16384/5010892c/c0000409/00049057.htm?Retriage=1
    
    TARGET_TIME:  2017-02-14T06:46:32.000Z
    
    OSBUILD:  9200
    
    OSSERVICEPACK:  16384
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 8
    
    OSEDITION:  Windows 8 Server TerminalServer SingleUserTS
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  2012-07-26 10:15:22
    
    BUILDDATESTAMP_STR:  120725-1247
    
    BUILDLAB_STR:  win8_rtm
    
    BUILDOSVER_STR:  6.2.9200.16384
    
    ANALYSIS_SESSION_ELAPSED_TIME: 4d7
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:critical_process_fault_list_entry_corrupt_c0000409_schannel.dll!spinitlsamodecontext
    
    FAILURE_ID_HASH:  {ed4a3117-7f48-62e2-691c-5a30866df4b3}
    
    Followup:     MachineOwner
    ---------
    

    February 15, 2017 1:14
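
As an added example (not part of the original post and not a Microsoft tool), the Python code below decodes the BEX64 `ProblemSignatures` from the report above into the facts WinDbg reports: faulting module, offset, link timestamps, and the fast-fail subcode, which separates a /GS stack-cookie failure from a list-integrity failure. The parameter order and the fast-fail names are assumptions taken from the usual WER BEX layout and `winnt.h`, not from this page; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# ProblemSignatures element copied from the WER report in the post above.
SAMPLE = """<WERReportMetadata><ProblemSignatures>
<EventType>BEX64</EventType>
<Parameter0>lsass.exe</Parameter0>
<Parameter1>6.2.9200.16384</Parameter1>
<Parameter2>50108ab2</Parameter2>
<Parameter3>schannel.DLL</Parameter3>
<Parameter4>6.2.9200.16384</Parameter4>
<Parameter5>5010892c</Parameter5>
<Parameter6>0000000000049057</Parameter6>
<Parameter7>c0000409</Parameter7>
<Parameter8>0000000000000003</Parameter8>
</ProblemSignatures></WERReportMetadata>"""

# Assumed positional meaning of Parameter0..8 for BEX/BEX64 events.
FIELDS = ["app", "app_version", "app_timestamp", "module", "module_version",
          "module_timestamp", "offset", "exception_code", "exception_data"]
# Subset of the __fastfail codes defined in winnt.h.
FAST_FAIL = {0: "FAST_FAIL_LEGACY_GS_VIOLATION",
             1: "FAST_FAIL_VTGUARD_CHECK_FAILURE",
             2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
             3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
             4: "FAST_FAIL_INCORRECT_STACK"}
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

def link_time(hex_stamp):
    """PE TimeDateStamp (hex seconds since 1970) -> ISO 8601 UTC string."""
    stamp = datetime.fromtimestamp(int(hex_stamp, 16), timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%SZ")

def decode_signature(xml_text):
    """Return a dict of decoded fields for a BEX/BEX64 problem signature."""
    sig = ET.fromstring(xml_text).find(".//ProblemSignatures")
    if sig is None or not (sig.findtext("EventType") or "").startswith("BEX"):
        raise ValueError("not a BEX/BEX64 WER report")
    raw = {name: (sig.findtext(f"Parameter{i}") or "").strip()
           for i, name in enumerate(FIELDS)}
    out = dict(raw, event=sig.findtext("EventType"))
    out["app_built"] = link_time(raw["app_timestamp"])
    out["module_built"] = link_time(raw["module_timestamp"])
    out["offset"] = int(raw["offset"], 16)
    if int(raw["exception_code"], 16) == STATUS_STACK_BUFFER_OVERRUN:
        sub = int(raw["exception_data"], 16)   # fast-fail subcode
        out["fast_fail"] = FAST_FAIL.get(sub, f"unknown fast-fail code {sub}")
        out["gs_cookie_failure"] = sub in (0, 2)
    return out
```

For the report in this thread, the result names `FAST_FAIL_CORRUPT_LIST_ENTRY` at offset 0x49057 in schannel.DLL, matching the `Subcode: 0x3` line in the `!analyze -v` output.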

All replies

  • I found an issue on the Microsoft website that matches exactly;
    see the link for details:
    https://support.microsoft.com/zh-cn/help/2952379/windows-server-2012-restarts-unexpectedly-and-application-error-1000-is-logged-in-the-application-log

    Cause
    This problem occurs because Domain Controllers do not handle some security context correctly. lsass.exe refers to a NULL pointer if no memory is allocated for the pOutput->pBuffers[0].pvBuffer function or if the ASC_REQ_ALLOCATE_MEMORY flag is set to request LSA to allocate memory.

    Hopefully this resolves it; I will try it tonight after work.
    February 15, 2017 9:00
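  • Hello,

    Did the hotfix provided in KB 2952379 help?

    We recommend that you use Windows Update to check for and install important Windows updates/hotfixes and make sure the system has the latest updates installed. This will help resolve some known issues and improve system performance.

    If changes were made before the problem occurred, such as installing or replacing hardware or installing or updating software or drivers, you can try reverting them and then check whether the problem occurs again.

    In addition, analysis of dump files is beyond the support scope of this forum. If you need technical support for this, we recommend that you contact Microsoft Customer Support and Services by phone:
    400 820 3800 or 800 820 3800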

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    February 16, 2017 9:21
    Moderator
  • Hello!

    How are things now?

    If you need further assistance from us, you can reply in this thread at any time.

    Best Regards,
    Eve Wang

    February 27, 2017 3:14
    Moderator