Wednesday, September 9, 2009

KB968389 LSASS Reboots

Recently we had an issue with an Exchange server constantly rebooting. The symptoms were extremely indicative of virus infection. Terminations of LSASS.exe, timed reboots, and permission revocations, were all occurring, and so we were immediately assuming Sasser/Blaster.

It then began to seemingly cause issues with domain communication. Upon checking the system properties, the domain registered as *Unknown* and it was nearly impossible to perform any action as all permissions had been stripped (we were using a domain account so this sort of made sense).

After having a local tech bounce the box and login with the KVM, the issue seemed resolved for these domain level issues, and we never saw them again. The original LSASS issues and reboots continued, however. Not wanting to waste any more time, we gave PSS a call. They informed us that a patch we had installed, KB968389, was likely causing the issue. Despite passing our patch testing and being installed on numerous other environments, MS told us that they have been informed of other sites experiencing the same issue. Removing the patch resolved the issue.

In summary.. KB968389 = Bad if you like a stable environment

1 comment:

Margaret said...

The same thing happened to us after installing all the August security updates. I had to remove them all (not knowing which one did it) and last week started putting them back one or two at a time. I got the rebooting again tonight after installing 968389 and 971032.