Re: Faulting application services.exe... faulting module esent.dll.. Help!

Samiholt

Same problem here (WinXP/SP2).

My laptop was removed from domain to workgroup without network
connection to the server. This is the error reason: at the moment gpo
(domain policy has effect to the local account policy) does not work
well and system shutdown/esent.dll errors occur and events 1202 and
1000.

Solution: restore WinXP default local policies (copy group policy
folder) or join a computer back to the domain and remove it again (must
be connected to the server).

Sami Holtta, MCSA
 
Samiholt

Btw, sometimes you cannot find a group policy folder, because when you
create a Local GPO for the first time, you create this hidden folder
%SystemRoot%\SYSTEM32\GroupPolicy.

You can also add a DisableGPO DWORD 1 Value in registry.

Sami Holtta, MCS


I have solved the same problem with crashing services.exe.

A user on a business trip removed his notebook from the domain.
He reported a problem with this error message:
Title of window: Services and Controller app
In the error message: Error signature szAppName: Services.exe .....
In the event log was event 1000: Faulting application services.exe, version 5.1.2600.2180, faulting module esent.dll, version 5.1.2600.2180, fault address 0x0002334c.
After clicking the Close button, an automatic shutdown counter appeared and in 30 seconds the system was restarted.
This same behaviour repeated several times.
In the event log I found misc. events probably related to this problem:

The Group Policy client-side extension Security failed to execute (event 1085)
Faulting application services.exe
Security policies were propagated with warning. 0x428 (event 1202)

In winlogon.log (I enabled debug for that purpose) I found:
----Configure Group Membership...
Configure Administrators.
Error 1332: No mapping between account names and security IDs was done.
Error occurred during lookup of all accounts.

It seemed that some domain policy containing the Restricted Groups feature remained on the notebook and periodically, at the moment the policy was refreshed, caused the error with services.exe. I knew that when a notebook is removed from the domain, domain policy cannot be applied to the non-member computer.
I took several actions: I joined the notebook to the domain again (then restarted) and removed it again, and the problem occurred again and again. I disabled background policy refresh, I set the refresh interval to the max value of 45 days, and nothing helped. When the automatic shutdown appeared I stopped it every time with the command shutdown /a.
Every time I found in winlogon.log that some policy tried to manage membership in groups and ended with an error, probably because it did not have access to the domain (the notebook was removed from the domain).

I tried to check the consistency of secedit.sdb with esentutl /g %windir%\Security\Database\Secedit.sdb and all was OK.
Excuse my English.
After that it crossed my mind that it may not be caused by a defective leftover domain policy but by local group policy which contains domain accounts (SIDs). That's my deduction.
After that I moved c:\WINDOWS\security\Database\secedit.sdb and c:\WINDOWS\security\*edb* and c:\WINDOWS\security\*.log to a backup folder, and after a restart the local group policy was reset, and after that the user confirmed that the error never appears and all works fine.

In my case (the case of one of my users) the problem with crashing services.exe and periodic restarts was solved by resetting local group policy (by removing the database and related files).

When I began solving this problem I spent too much time searching for a similar problem on the Internet but I didn't find an identical one. This page was not exactly useful in my case, but every time I searched the Internet using misc. search engines I got this page, therefore I decided to write my solution here.
I have written too much information in this article because each user searches for this problem on the Internet with miscellaneous keywords, and therefore I wrote so much (for search engines too).

I hope that if the same case happens to someone, my story may help him.

Admin from Slovak Republic (Slovakia not Slovenia)
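
The winlogon.log check described in the post above, as an added example that is not part of the original post: a small Python parser that lists which groups in the "Configure Group Membership" section failed with error 1332, for triaging a copied log offline. The sample log is constructed from the line shapes quoted in the post; the "Power Users" entry, the second section header and the function names are assumptions made for illustration.

```python
import re

# Constructed sample shaped like the winlogon.log excerpt quoted in the post;
# "Power Users" and the second section header are made up for illustration.
SAMPLE_LOG = """\
----Configure Group Membership...
\tConfigure Administrators.
Error 1332: No mapping between account names and security IDs was done.
\tError occurred during lookup of all accounts.
\tConfigure Power Users.
----Configure Security Policy...
\tConfigure password information.
"""

SECTION = re.compile(r"^-{4}(.+?)\.*$")      # "----<section name>..."
GROUP = re.compile(r"^Configure (.+?)\.$")   # "Configure <group name>."
ERROR = re.compile(r"^Error (\d+): (.+)$")   # "Error <code>: <message>"

def group_membership_errors(log_text):
    """Map each group in the 'Configure Group Membership' section to its errors."""
    errors, in_section, group = {}, False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:  # a new section starts; only one section is of interest here
            in_section = m.group(1).strip() == "Configure Group Membership"
            group = None
            continue
        if not in_section or not line:
            continue
        m = GROUP.match(line)
        if m:
            group = m.group(1)
            errors.setdefault(group, [])
            continue
        m = ERROR.match(line)
        if m and group is not None:  # attribute the error to the current group
            errors[group].append((int(m.group(1)), m.group(2)))
    return errors

def unresolved_sid_groups(log_text):
    """Groups whose member lookup failed with Win32 error 1332 (ERROR_NONE_MAPPED)."""
    found = group_membership_errors(log_text)
    return sorted(g for g, errs in found.items()
                  if any(code == 1332 for code, _ in errs))

if __name__ == "__main__":
    print(unresolved_sid_groups(SAMPLE_LOG))
```
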
 
Jeff Vandervoort

We're seeing the same thing here; I can confirm the results. And since Tomas
posted a reply here, I thought I should too!

Tomas' workaround worked for me, too, but while it fixes the ESENT.DLL
crash, it has side effects you need to be aware of. If there are other
security policies in GPO, they will not be removed when the computer is
removed from the domain. The SceCli and Userenv errors will continue
(although the SceCli one will change a bit).

The only complete solution I know of is not to use Restricted Groups that
have domain accounts among their members in a GPO that is in scope for a
computer that will be removed from a domain. Fortunately, that was an option
for us in this case, with only modest hardship. I haven't done this, yet,
but will likely substitute a startup script that adds the group for me and
the hardship will disappear; I don't care if the group doesn't get removed
when the machine is removed from the domain.

On a related note, I opened a Microsoft PSS incident for this. They have
reproduced the behavior in their lab. PSS carefully avoided giving me any
information about whether they intended to develop a fix; hopefully they
will. This strikes me as a significant bug.
 
Guest

How do I move those files? The system says they are locked and in safe mode
they are gone?

Jeff Vandervoort said:
We're seeing the same thing here; I can confirm the results. And since Tomas
posted a reply here, I thought I should too!

Tomas' workaround worked for me, too, but while it fixes the ESENT.DLL
crash, it has side effects you need to be aware of. If there are other
security policies in GPO, they will not be removed when the computer is
removed from the domain. The SceCli and Userenv errors will continue
(although the SceCli one will change a bit).

The only complete solution I know of is not to use Restricted Groups that
have domain accounts among their members in a GPO that is in scope for a
computer that will be removed from a domain. Fortunately, that was an option
for us in this case, with only modest hardship. I haven't done this, yet,
but will likely substitute a startup script that adds the group for me and
the hardship will disappear; I don't care if the group doesn't get removed
when the machine is removed from the domain.

On a related note, I opened a Microsoft PSS incident for this. They have
reproduced the behavior in their lab. PSS carefully avoided giving me any
information about whether they intended to develop a fix; hopefully they
will. This strikes me as a significant bug.
 
Jeff Vandervoort

That didn't happen on my test system, but I don't like that workaround
anyway...too many side-effects. So I've only done it on one system, just to
confirm PSS's results.

My suggestion is to create a Startup Script that adds the Restricted Groups
to the local SAM instead of using the AD Restricted Groups feature.

Also, an update for all lurkers...make sure to append your "me too" message
to this thread and keep it alive. I just received a call from MS PSS and
they are evaluating the cost-effectiveness of fixing this issue. The guy I
spoke to was skeptical that it affected many people...his reasoning was,
"How many people disjoin a computer from a domain?". My client has a good
reason to do so...how about you? I've given the Google Search URL for this
thread to them and have reason to believe it's being monitored. I'm going to
forward it again to the PSS contact who's preparing the business case for
fixing it. So keep posting, folks!

--
Jeff Vandervoort
JRVsystems
DSipp said:
How do I move those files? The system says they are locked and in safe
mode
they are gone?
 
Guest

I am so glad I found this post!!!!

I too am having the exact same problem. I had users that were disjoined from
the Domain when we opened up an outstation. After all my searching for a
problem I was convinced it had to be something specific with the "other"
network they are now on. I am going to start wading through your fixes and
see where I get.

There was definitely a business reason for removing the computers from the
Domain and I would DEFINITELY call this a BUG...

Thanks again!
 
Jeff Vandervoort

Well, my "grass roots" campaign has failed. Only 1 "me too". Whether that
had anything to do with the outcome or not, I don't know, but the response I
just received from Microsoft is that they have no current plans to fix this
bug. It has been submitted as a change request for future consideration.

Folks, it's official: We're on our own. Good luck!
 
Jeff Vandervoort

And, at this writing at least, the bug still does not appear to be
documented on Microsoft's Knowledge Base. I've requested that it be
added...for whatever that's worth.
 
rfrendreiss

Thanks for all of your responses. I am getting this error too on a
laptop that was removed from the domain. There is a need to be able to
remove yourself from one domain and add to another, especially if you
travel to different companies and do consulting work. I have to change
my domain constantly. Perhaps Microsoft could change their app to allow
multiple domain connection configuration.... Oh well. Anyway thanks
for the fix ideas. I have tried them and am waiting to see if I still
get this message. Hopefully Microsoft will decide to put a fix out
there for this.
 
Thomas Wendell

You could try NetSwitcher?
http://www.netswitcher.com/


--
******************************************************
Most learned on these newsgroups
Tumppi, Helsinki, FINLAND
(translations from/to FI not always accurate)
******************************************************
 
"me too"
Have had the same problem.
Fixed it by using the procedure Thomas has explained.
I indeed still get some errors in eventlog, but system does not crash anymore.

MS, start making your fix now, it's a CRASH for goodness sake!

Greetz,
Mickeybyte
 
Problem with Services and Controller app

Hi,
I have the same problems with Services And Controller app, and SceCli 0x428, a Userenv warning.

But I want to have the PC in the Domain. After gpupdate /force, there are SceCli and Userenv errors in Event Viewer.

I did everything you mentioned above, but it still occurs. What can I do? I really don't know.

Could somebody help me?

TOMAS, could you write me an email at: (e-mail address removed)

I am from Slovakia too, and I need your help.

I hope someone will get back to me.
 
I just came across this thread and I wanted to confirm that we are seeing the exact same issues on several of our laptops. Hopefully Microsoft is still monitoring activity as I agree with the consensus here that this should be treated as a bug.

I have yet to try any of the solutions provided but I will do some testing as well as some searching for easier solutions for cases where assigning restricted groups with domain users on systems that may leave the domain is unavoidable. If I find anything new I'll post here.
 
Guest

mkedg said:
Sami, How specifically do you default local policies? I can not join
back to the domain. Thanks for all your help


To restore default IPSec policies
http://www.microsoft.com/resources/...l/proddocs/en-us/ipsec_pol_edit.mspx?mfr=true
To start the IP Security Policies snap-in
http://www.microsoft.com/resources/...l/proddocs/en-us/ipsec_pol_edit.mspx?mfr=true
"Event ID: 7000" or "Event ID: 7013" Error Message When You Attempt to Start
a Service
http://support.microsoft.com/kb/314357
Hope this helps.
nass
 
Thanks

TOMAS,

Thanks for the advice. I have a laptop that was previously connected to a domain that I no longer have access to due to distance and it seemed to crash about 3 times a day with the same errors reported above. I rebooted in safe mode with the command prompt and moved the files that you recommended and I have not had any problems since, even when hibernating as this was the biggest culprit for sending my computer into esent.dll messes. Thanks for the help, I've been looking for this for a few months now and this is really great to finally have it fixed.

Cheers
jaunito76
 
Faulting application services.exe, version 5.1.2600.2180, faulting module esent.dll

me too...
still having these issues in 2008... way to go Microsoft! is Thomas' fix still the best option?
 
Here's another "me too".

My symptoms were Services and Controller App crashes several times a day and the system restarts that followed. Eventviewer was plagued with this:
Faulting application services.exe, version 5.1.2600.2180, faulting module esent.dll, version 5.1.2600.2780, fault address 0x0001baec.


This all started several months ago after converting all the workstations to "dummy" Remote Desktop terminals and starting to use new servers in a central server farm. I got this problem on every workstation that I disjoined from the now non-existent domain.

At first, I didn't find where or why the errors were coming. It looked like a worm infection even though AV scanners showed green, so I spent many-many hours reinstalling Windows on those boxes.

After even more hours of googling I came to a conclusion that the cause of the problem is related to the registry branch "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy". I deleted all keys that had values with data containing the old domain controller name and this cured the workstations and saved me from re-installing.

HTH
 
