Microsoft KB Archive/924995


Article ID: 924995

Article Last Modified on 5/25/2007



APPLIES TO

  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SUMMARY

The Lsass.exe file in Microsoft Windows Server 2003 is being identified as an infected file and is being quarantined by Computer Associates (CA) eTrust Antivirus signature 303.3.30.54. This behavior may cause the computer to display a gray screen when the computer restarts. The computer may appear to stop responding.


SYMPTOMS

When you restart Windows Server 2003, the computer may display a gray screen or may appear to stop responding. The computer may respond to a ping command. However, you cannot access the computer any other way. You may also see a quick warning message about the Win32/Lasssrv.b virus.

CAUSE

This behavior occurs because the Lsass.exe file has been quarantined by Computer Associates eTrust software, even though the file is not actually infected.

CA antivirus signature 303.3.30.54 identifies the Lsass.exe file as a virus. The signature deletes or quarantines the file, depending on client configuration. For more information, visit the following CA Web site:

WORKAROUND

To work around this problem, replace the Lsass.exe file. Use one of the following methods to replace the Lsass.exe file.

Method 1: Start Recovery Console, and then replace the Lsass.exe file

  1. Start Recovery Console, and then type the number that corresponds to the installation that you want.
  2. Type the local Administrator password for the computer.
  3. Type the following command:

    copy c:\windows\system32\dllcache\lsass.exe c:\windows\system32\lsass.exe

    Note If you receive a "File Not Found" error message when you run this command, you must copy the Lsass.exe file from a working computer to a floppy disk. Or, you can extract the file from a service pack and then copy the file to a floppy disk. If you do this, type the following command:

    copy a:\lsass.exe c:\windows\system32\lsass.exe

  4. Restart the computer in Safe Mode.
  5. Disable all the antivirus services. To do this, follow these steps.

    Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.
    1. Click Start, click Run, type msconfig, and then click OK.
    2. Click the Services tab.
    3. Click Hide all Microsoft Services, and then clear all the antivirus services.
  6. Restart the computer, and then update the CA signature. To update the signature, visit the following CA Web site:

    Note If the Lsass.exe file does not appear in the Dllcache folder list, you may have to obtain the file by using another method.

Method 2: Use Recovery Console to disable eTrust services

Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.

  1. Start Recovery Console.
  2. Disable the following processes:
    • eTrust Antivirus Job Server
    • eTrust Antivirus Realtime Server
    • eTrust Antivirus RPC Server
    Note If you do not disable these eTrust processes, the Lsass.exe file will be quarantined again.
  3. Copy the Lsass.exe file to the C:\Windows\System32\Dllcache and C:\Windows\System32 folders.
  4. Restart the computer, and then update the CA signature. To update the signature, visit the following CA Web site:

Method 3: Use Windows Preinstallation Environment or a parallel installation on the system to gain access

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note Use this method only if Recovery Console cannot be used.

  1. Determine whether the computer is running Windows Server 2003 Service Pack 1 (SP1) or not. To do this, use one of the following steps. If you have access to Windows Preinstallation Environment (Windows PE), use the first step.
    • Start Windows PE, start Registry Editor, click HKEY_LOCAL_MACHINE, and then determine the value of the CSDVersion REG_SZ value under the following registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

    • Put a parallel installation on the server, start Registry Editor, click HKEY_LOCAL_MACHINE, and then determine the value of the CSDVersion REG_SZ value under the following registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

  2. Extract the Lsass.exe file from a Windows CD, or copy the file from a server that is not experiencing the issue and that is at the same service pack level.

    Note If you performed a parallel installation, you can apply Windows Server 2003 SP1 if it is required, and then copy the Lsass.exe file from the parallel installation.
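The decision the three methods above turn on is whether a usable Lsass.exe still exists in the Dllcache folder. The following script is an added example, not part of the Microsoft article: it runs offline (for example from Windows PE or against a copied System32 tree, as in Method 3) and classifies the state of Lsass.exe, replays the Method 1 copy from Dllcache, and verifies the result by digest. The directory layout and the stand-in file contents are constructed for the demonstration.

```python
"""Offline triage for the quarantined-Lsass.exe condition (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed layout below the Windows directory (C:/Windows on the real server)
SYSTEM32 = Path("system32")
DLLCACHE = SYSTEM32 / "dllcache"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def assess_lsass(windows_root: Path) -> dict:
    """Classify Lsass.exe state and map it to the article's methods."""
    live = windows_root / SYSTEM32 / "lsass.exe"
    cache = windows_root / DLLCACHE / "lsass.exe"
    if live.exists() and cache.exists():
        if sha256_of(live) == sha256_of(cache):
            return {"state": "ok", "action": "none"}
        return {"state": "mismatch", "action": "system32 and dllcache copies differ; investigate"}
    if cache.exists():
        return {"state": "missing-live", "action": "copy dllcache lsass.exe to system32 (Method 1, step 3)"}
    return {"state": "missing-both", "action": "obtain lsass.exe from floppy, service pack or same-SP server"}


def restore_from_dllcache(windows_root: Path) -> bool:
    """Replay the Method 1 copy and confirm the restored file matches Dllcache."""
    live = windows_root / SYSTEM32 / "lsass.exe"
    cache = windows_root / DLLCACHE / "lsass.exe"
    if not cache.exists():
        return False  # nothing to restore from; fall back to floppy/service pack
    shutil.copy2(cache, live)
    return sha256_of(live) == sha256_of(cache)


def build_scenario(have_live: bool, have_cache: bool, tamper: bool = False) -> Path:
    """Construct a throwaway tree standing in for the Windows directory (test data)."""
    root = Path(tempfile.mkdtemp(prefix="lsass-triage-"))
    (root / DLLCACHE).mkdir(parents=True)
    good = b"MZ-constructed-lsass-stand-in"  # not a real binary
    if have_cache:
        (root / DLLCACHE / "lsass.exe").write_bytes(good)
    if have_live:
        (root / SYSTEM32 / "lsass.exe").write_bytes(good + (b"!" if tamper else b""))
    return root


if __name__ == "__main__":
    root = build_scenario(have_live=False, have_cache=True)  # quarantined live copy
    print(assess_lsass(root))
    print(restore_from_dllcache(root))
    print(assess_lsass(root))
```

Disabling the eTrust services (Method 1 step 5, Method 2 step 2) before restoring is still required on the live server; otherwise the stale signature will quarantine the restored file again.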


Keywords: kbtshoot kbprb KB924995