lsass System Error Object name not found

Tony Gravagno

Of course this has been a common error for the last couple years,
often confused with the Sasser virus, etc.

After all of the diagnostics, clean virus scans, people checking for
dupes of lsass.exe, discussions about the difference between lsass and
Lsass, etc., it seems the popular answer is that the only real solution
to this problem is to reinstall Windows. This doesn't seem right.
Does anyone have any new wisdom on what causes this error, how to
properly diagnose what object it's looking for, or how to provide
whatever it needs to continue processing?

The latest example of this is a laptop where just last night I
installed the latest MS updates to an otherwise fully working
environment. I have other systems with the same updates and no
problems. This particular system was running AVG with current
definitions. After getting the error I removed the drive and scanned
it with Norton AV and it shows no errors.

Typical solutions say "go to Start>Run..." when the fundamental
problem is that the system boots to an OK dialog, and when you click
OK the system reboots. There is no Start menu, no command prompt, no
ability to run SC or some other utility.

Given that the hard drive has been removed and I can access the
registry files and its prior backups, is there anything that can be
tweaked in the registry to get it to show what lsass is doing?

Any other suggestions? Again, "full restore" seems to be a rather
incompetent response and I'd rather rule that one out from the get-go.

Thanks!
 
Gerry Cornell

Tony

You cannot log on or you experience a long delay on a domain
controller or on a member computer that is running Windows
2000, Windows XP, or Windows Server 2003
http://support.microsoft.com/kb/883268

Is this your problem?

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Tony Gravagno

Gerry Cornell said:
Tony
You cannot log on or you experience a long delay on a domain
controller or on a member computer that is running Windows
2000, Windows XP, or Windows Server 2003
http://support.microsoft.com/kb/883268
Is this your problem?

Yes, that's the problem but the resolution is to run SC at a command
prompt. Like I said, no matter what reboot option is chosen, even any
of the safe mode options, the same error displays and the system
reboots, so if you can't get to a start menu or a DOS prompt that KB
isn't of any use. I sent a note to MS on that earlier today.
 
Gerry Cornell

Tony

Can you boot using your Windows XP CD in your
CD drive?

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Tony Gravagno

Gerry Cornell said:
Tony
Can you boot using your Windows XP CD in your
CD drive?

I can boot from CD into the recovery console. Most websites suggest
over-writing the current Windows installation from this point. I'd
prefer to find the real cause and a real solution. Any other ideas?

Though Norton AV said Sasser isn't present, until I get some better
insight I'm going to assume some variant of that virus or a similar
one is in there. I'll continue to look for something funky in the
registry - I'd really like to know specifically what "object name"
lsass can't find. Problem is, the recovery console is very restrictive
about what it allows you to do. It's like trying to fix a watch with
your hands tied behind your back.

Ongoing Thanks.
 
Tony Gravagno

Solution!

It's hard to believe but after so many people have suffered with this
problem for so long, it turns out to be a simple case of registry
corruption which is easy to fix if one knows how. There are no
restores or reinstalls required and I'm amazed that this is what
almost everyone has ended up doing.

Here's a summary of the manual process:
1) Remove the drive and put it into another system. I'll call the
drive in this system X:.
2) Right click on X:\System Volume Information and assign Full
privileges for your current administrator user.
3) Open that path and copy the most "recent" working directory to
\temp\registry\new (it doesn't matter which drive). How do you know
what's recent? The paths are named X:\System Volume
Information\_restore{x-GUID-x}\RPnnn.
Get the most recent RPnnn path from a date when the system was working
- never choose RPnnn from the day on which you discovered corruption.
4) Copy all of the registry files from \WINDOWS\system32\config to
\temp\registry\orig (drive isn't important).
5) Copy the new registry files on top of the original registry files
in config.
6) Replace the drive in the original system and reboot.

I've done this so many times to fix registry corruption that I wrote
scripts to do it for me. My XP boxes get "bit rot" every couple
months, they stop booting properly and have all sorts of weird
behavior until I reset the registry back a day or two. It's a pretty
sad state of the art.

I'm providing the scripts here for posterity.
Notes:
-- Be sure to fix the text wrapping in the instructions below.
-- You must change the drives manually to suit your environment.
-- You must identify your own _restore path and RPnnn directory.
-- Execute repair1.bat as necessary to ensure you have all the
files you need. Execute repair2.bat when you're sure everything is
ready to go.
-- Don't make a mistake.

repair1.bat
rem -------------------------
mkdir f:\temp\registry
mkdir f:\temp\registry\orig
mkdir f:\temp\registry\new
erase /f /q f:\temp\registry\orig\*.*
erase /f /q f:\temp\registry\new\*.*
copy f:\WINDOWS\system32\config\SAM f:\temp\registry\orig
copy f:\WINDOWS\system32\config\default f:\temp\registry\orig
copy f:\WINDOWS\system32\config\SECURITY f:\temp\registry\orig
copy f:\WINDOWS\system32\config\software f:\temp\registry\orig
copy f:\WINDOWS\system32\config\system f:\temp\registry\orig

rem Ensure that the drive letter and RPnnn directory name are correct.
rem You won't see the following paths until permissions are set.
copy "F:\System Volume Information\_restore{foo-bar}\RP236\snapshot\_REGISTRY_MACHINE_SAM" f:\temp\registry\new\SAM
copy "F:\System Volume Information\_restore{foo-bar}\RP236\snapshot\_REGISTRY_USER_.DEFAULT" f:\temp\registry\new\default
copy "F:\System Volume Information\_restore{foo-bar}\RP236\snapshot\_REGISTRY_MACHINE_SECURITY" f:\temp\registry\new\SECURITY
copy "F:\System Volume Information\_restore{foo-bar}\RP236\snapshot\_REGISTRY_MACHINE_SOFTWARE" f:\temp\registry\new\software
copy "F:\System Volume Information\_restore{foo-bar}\RP236\snapshot\_REGISTRY_MACHINE_SYSTEM" f:\temp\registry\new\system
rem -----------------------


repair2.bat
rem -----------------------
copy f:\temp\registry\new\*.* f:\WINDOWS\system32\config
rem -----------------------

That's it folks. Good luck.
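
A pre-flight check for steps 3 to 5 of the post above, as an added example that is not part of the original thread: it picks the newest RPnnn dated before the day the corruption was noticed and rejects any snapshot whose hives fail a base-block check (`regf` signature and XOR-32 header checksum). The function names and the use of the RPnnn directory's modification time as the restore point's date are assumptions of this example.

```python
import re
import struct
from datetime import datetime
from pathlib import Path

# Snapshot file name -> hive name in WINDOWS\system32\config (as in repair1.bat)
HIVES = {
    "_REGISTRY_MACHINE_SAM": "SAM", "_REGISTRY_USER_.DEFAULT": "default",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "software", "_REGISTRY_MACHINE_SYSTEM": "system",
}

def hive_header_problem(path):
    """Return None if the 512-byte hive base block is sane, else a short reason."""
    try:
        with open(path, "rb") as f:
            head = f.read(512)
    except OSError as exc:
        return f"unreadable: {exc.strerror}"
    if len(head) < 512:
        return "truncated"
    if head[:4] != b"regf":
        return "bad signature"
    xor = 0
    for dword in struct.unpack_from("<127I", head):  # first 508 bytes
        xor ^= dword
    # Special cases of the stored checksum: 0 is written as 1, all-ones as 0xFFFFFFFE.
    xor = {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(xor, xor)
    if xor != struct.unpack_from("<I", head, 508)[0]:
        return "header checksum mismatch"
    return None

def pick_restore_point(restore_root, corruption_day):
    """Newest RPnnn dated before corruption_day whose five hives all pass."""
    usable, rejected = [], {}
    for rp in Path(restore_root).iterdir():
        if not (rp.is_dir() and re.fullmatch(r"RP\d+", rp.name)):
            continue
        # Assumption: the RPnnn directory's mtime stands in for the restore point date.
        taken = datetime.fromtimestamp(rp.stat().st_mtime)
        if taken.date() >= corruption_day:
            rejected[rp.name] = "not older than the corruption date"
            continue
        bad = {n: p for n in HIVES if (p := hive_header_problem(rp / "snapshot" / n))}
        if bad:
            rejected[rp.name] = bad
        else:
            usable.append((taken, rp))
    return (max(usable)[1] if usable else None), rejected
```

Run `hive_header_problem` against the files saved in \temp\registry\orig as well: a failure there shows which hive is damaged before anything in config is overwritten.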
 
