lsass.exe application error

Hello and thanks in advance for any advice.
My system was stable when I tried to connect to another wireless unit. My system then froze while trying to connect. When I completed a hard reboot I received the following message: "lsass.exe application error...the application failed to initialize properly (oxc00000006). click ok to terminate the application."
After clicking ok, I get a black screen with a cursor.
This error message also came up when I tried safe mode.

I was successful in getting in with ERD commander on a CD. And I have been able to save most of my data.
However on loading ERD commander, I received the following message: Factory.exe .... failed to install network adapter -- check WINBOM.
In addition I could not complete the system file repair tool as it stopped running when it reached sysmain.sdb. I tried this several times with the same result.
I did go into services and disable "wireless zero configuration," assuming this might have started the whole problem. No change on boot up.

Any advice would be appreciated as I am trying to avoid reformatting my system.

Thanks.

Thinkpad T41, XP Professional- Service Pack 3, 1.7 GHz processor speed, 1022 MB physical memory, up-to-date with microsoft fixes

 

This error is for a corrupt registry entry that you can onlly fix by doing a repair install of your OS or a clean install if the repair does not remedy the issue. I have read on another forum were others have had the same error and tried reg fix's but they have made the machines even more unstable and had to resort to the (easiest fix) repair or clean install of the OS. It is good that you have been able to save your data , I would also suggest running your discs manufacturers diagnostics tool on the drive to make sure that it is not failing.

iain.t :major

 

Thank you for your response.
Do you know the registry line that is an issue?
Is it possible for you to talk me through the line changes?
I have a Registry Editor through ERD Commander that is working.
Thanks.

 

I am sorry but I honestly don't know anything about the way the registry works, I have always shirked away from tampering with it as known my luck I'd render my machine useless :-D:-D.
I will look to see if I can find the reg fix for it but I must warn you.. unless you are very well versed in how to make changes/enhancements in the registry, it is advised that you do not tamper with any setting there!!!

iain.t :major

 

I have been told also that this is caused by a virus that your AV scanner has removed but has left over the registry key, that is what is causing lsass to fail. There is a registry key that needs to be edited. but you can't load windows to get into the registry. you'll need a remote registry editor, like BartPE, or Ultimate Boot CD for Windows. THIS IS SERIOUS STUFF AND CAN F@#$ YOUR COMPUTER, so if you don't have COMPLETE CONFIDENCE that you know how to safely edit the registry, take it to a professional.

Once you gain access to the registry, back it up, then search for AppInit_Dlls. renamed it AppInit_Dlls.old. Then create a new string key named AppInit_Dlls. leave its value blank, empty. Save your registry changes and reboot into safe mode with F8. Once windows loads, install MalwareBytes scanner and do a fullscan. You will need to reboot to kill all viruses, and probably have to run the full scan a second time in normal boot mode (not safe mode).
Malwarebytes (free).....

http://www.malwarebytes.org/products/malwarebytes_free

Good Luck

iain.t :major

 

First, the message from ERD that says "failed to install network adapter -- check WINBOM" is a non-issue. I work with ERD all the time and it simply means that network/internet access will not be available due to the fact that ERD does not recognize the ethernet controller, nor does it have a driver for it. No worries.

Second- ERD also has a System Restore feature that should allow you to "roll back" to a certain date. Personally, I'd pick a date 2-3 days before the problem started.

Third- there is also an Event Viewer in ERD. Maybe you can use that to track down the cause and/or exact date and time of the first 'crash'. The most informative logs in the Event Viewer are the System log and the Application log, but since you have a LSASS.EXE error, maybe take a look at the Security log also. If unsure about any errors listed in any of the logs, feel free to post the info and I/we will do our best to help.

Fourth- if you have a re-install XP Pro disc, you can try a safe repair install as described in this article.

GOOD LUCK!

(BTW - I did some extensive research about your error at the MS Knowledge Base and at the MS TechNet Support Page and found surprisingly little info - basically nothing )

 

Thank you, iaint and dlb for your notes.

dlb,
1) Nice to know the network error is a non-issue. Is there a way to access the network to allow me to update anti-virus tools?
2) I tried the system restore feature and received a message: “no restore points found on this system.” I’m not sure how this can be.
3) All 4 options in the event viewer give me the following error: “error opening event log”
4) I do not have a re-install XP Pro disc

I welcome any other ideas that you might have.

iain.t,
If I had precise instructions for registry access and modification, I would be interested in trying your suggestions. If I fail, can I then reformat the laptop?

Thank you.

 

1- I'm not sure if you could use the network/internet connectivity in ERD to update your AV programs. If you think a virus is the cause of your problems, I suggest creating a "rescue CD" using one of the following downloads:
http://www.majorgeeks.com/AVG_Rescue_CD_for_CD_creation_d6434.html (I haven't used this one personally)
http://www.majorgeeks.com/Kaspersky_Rescue_Disk_d6501.html (I have used this one; it's pretty freekin awesome for removing malware/viruses from non-booting PCs and/or PCs too infected for normal use)
http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.iso (again- I've used this also and it's excellent; a how-to video is available here)
http://majorgeeks.com/F-Secure_Rescue_CD_d6628.html (I haven't used this; use the "Author's Site" download link to insure you get newest version)
If unsure as to how to burn a rescue disc, just post (or Google search for "how to burn ISO"). I have never used network/internet connectivity in ERD so I'm not sure how to set it up.

2 & 3- if you're having problems accessing restore points and/or event logs, you likely have a serious Windows corruption problem. I suggest running chkdsk c: /r from the recovery console. Since you don't have a Windows XP CD, you can create a bootable CD with the recovery console using either the info in this article, or use the ISO file downloaded from this direct link. Again, if unsure how to burn an ISO file, just Google "how to burn ISO" or ask here and I/we will provide info.

4- since you don't have an XP install disc, your options are somewhat limited: you cannot perform a safe repair install, nor can you re-format and install Windows clean. This is not a good thing. Using ERD, check the hard drive for other partitions other than "drive C:"; if you have a second partition, it is likely a recovery/restore partition that will allow you to format and re-install XP (but all data will be lost). Alternatively, if the recovery partition isn't there, check drive C: for a folder called i386. If it exists, it is possible to build an XP install disc from it, but it's A LOT of work and NOT easy....

 

dlb,
I successfully burned 2 ISO CDs. Kaspersky & Antivir.
Kaspersky Rescue Disk 10: started out fine as I selected “english” and graphics mode. However that was as far as I got. The following was at the top of the screen when it stalled:
Unable to locate IOAPIC for GSI13 {this line was repeated for GSI8, GSI1, GSI12, GSI6 and GSI7}
Several files were loaded and then it stopped with this line: scanning for scsi_wait_scan…

I executed the Kasper Rescue disk again selecting text mode, but I received the same results.

I then tried the Avira Antivir Rescue CD. This one loaded and so far it has found the following:
1) Alert: [TR/crypt.zpack.gen2] {filename data1.cab was in photoshop elements directory}…trojan horse…
2) Warning: [the files in archive are multiple volume] {filename data11.cab was in photoshop elements directory}
3) Warning: [error reading file] program files/java/jre6/lib/javaws.jar

The most interesting news is the length of time: over 25 hours and it is still running.

What are your thoughts on letting it continue to run?

 

WOW! 25 hours! Uhhhh.... I would cancel it proceed to running chkdsk as I described above in post #8 using steps 2&3. Another thing you might want to try is to run a full diagnostic on your hard drive. You can download the free program from your hard drive maker's web site. Again, you'll be burning an ISO to create a boot CD with the HD tests on it. Run the extended/advanced test. I have a feeling that the hard drive might be failing.

(BTW - when running chkdsk, it is normal for it to take 4 hours or more -I've seen it take 14 hours but that's rare- and it's normal to see the progress percentage in chkdsk actually go backward! It will read "65% completed" and when you check back 20 minutes later it's at "44% completed" -no worries, it's normal- another thing is that chkdsk sometimes looks like it has locked up; it hasn't -I have run chkdsk hundreds of times and NEVER had it lock up, even on very faulty drives; do NOT, EVER stop chkdsk for ANY reason! Do not reboot in mid chkdsk or shut down the PC!)

 

The hard drive is now making continual clicking noices and none of the ISO disks are able to access it. I pulled the hard drive out and used an adapter to try and read it without success.

 

Sorry to say it, but this is a sign of hard drive failure (the clicking noises).