SBS 2003 fails to boot (Gray screen after Windows splash screen)

This is a pretty rough draft that we wanted to get out to our community as soon as possible so we can help tackle this issue and hopefully save people long hours of troubleshooting. It is aimed at a mid to high IT level, so if you have any doubts and you have a server down, please do not hesitate to call your local PSS for support.

 

Also note that the link provided to the third party (Computer Associates) may contain other resolution steps that might be simpler than ours but may require the use of unsupported tools (from our perspective).

 

Our official Microsoft KnowledgeBase article can be found here:

 

KB 924995 - When you restart Windows Server 2003, the computer may display a gray screen or may appear to stop responding
http://support.microsoft.com/kb/924995/en-us

 

MAIN ISSUE:

 

If you restart Windows Small Business Server 2003 the server may boot to a gray screen and appear to be hung.  The server may respond to a ping but you cannot access it any other way. 

 

Please note that there is a secondary issue that will affect your server even after you are able to boot into normal mode again. It has to do with SSL sites not working and is discussed at the bottom of this post.

 

Cause and Resolution:

 

CA Antivirus signature update 3054 (reported by CA products as 303.3.3054 or 303.3.3.3054) identifies lsass.exe as a virus and deletes or quarantines the file, depending upon client configuration.

 

Link to the CA website regarding this issue:

http://supportconnect.ca.com/sc/kb/techdetail.jsp?searchID=TEC405236&docid=405236&bypass=yes&fromscreen=kbresults

 

The issue is that lsass.exe is being identified as infected and quarantined.   We need to recover lsass.exe.   You want to get LSASS.EXE with the SAME Service Pack version that was on the system; we can try copying it from DLLCACHE (if still present) as outlined in the steps below.

 

Try these steps:

 

Please note the following if you have OEM media: You might not be able to boot into the recovery console with the OEM media. If this is the case, please use different media to boot up to the recovery console, such as a Windows XP SP2 CD.

 

Method 1:

a) Boot to Recovery Console

b) Enter the number for the install you want to log on to.

c) Enter the LOCAL Administrator password for this machine.

d) Enter the following commands:

e) Copy C:\windows\system32\dllcache\lsass.exe  C:\windows\system32\lsass.exe

 

NOTE: If you get a "System cannot find file specified" message when running this command, then it will be necessary to copy LSASS.EXE from a working machine to a floppy disk or to extract it from a Service Pack and place it on a floppy disk. If LSASS.EXE can be copied to a floppy disk; you can then run this command:

Copy A:\lsass.exe C:\windows\system32\lsass.exe

 

f) Boot to SAFE MODE  

g) Disable all the AntiVirus services (use MSCONFIG; go to the Services tab; click Hide all Microsoft Services; uncheck all the AntiVirus services.)

h) Reboot and update the CA signature 

 

Method 1a:

Alternate steps: - This disables the ETrust services through Recovery Console.

 

a) Start in Recovery Console

b1) Type the following commands:

1) Disable "realtimeservice"

2) Disable "jobservice"

3) Disable "Etrust Rpcservice"

 

(If you don't disable these services, eTrust will delete lsass.exe again on reboot.)

 

e) Copy the lsass.exe to c:\windows\system32\dllcache and c:\windows\system32

 

NOTE: If you get a "System cannot find file specified" message when running this command, then it will be necessary to copy LSASS.EXE from a working machine to a floppy disk or to extract it from a Service Pack and place it on a floppy disk. If LSASS.EXE can be copied to a floppy disk; you can then run this command:

Copy A:\lsass.exe C:\windows\system32\lsass.exe

 

f) Reboot and update the CA signature.

 

If you are getting ACCESS DENIED when trying to copy from the floppy, run the following commands in the recovery console:

Set allowallpaths = true
Set allowremovablemedia = true

 

If this does not help, sometimes using the XP SP2 recovery console helps (You will need the media). 

 

Don't forget to provide your controller drivers when booting up to the recovery console if needed. You can usually tell that you need them if you are not prompted for a password when you get to the recovery console.

 

Other means of getting the right version of LSASS.EXE:

1.  Extract lsass.exe from a Windows CD (with the appropriate service pack level).

2.  Copy the file from a server that is not experiencing the issue and is at the same SP level.  (lsass.exe is only 13KB in size so it will fit on a floppy)

3.  If you did a parallel installation then you can service pack it if necessary and then copy lsass.exe from the parallel installation.

 

IF RECOVERY CONSOLE CANNOT BE USED, it may be necessary to place a parallel install on the system to get in.

 

Note 2:  If lsass.exe has been removed from c:\windows\system32\dllcache you will need to copy it to both c:\windows\system32 and c:\windows\system32\dllcache

 

SECOND ISSUE:

 

OWA and other sites requiring SSL may not start

 

Symptoms: OWA may not start; any other web site that uses HTTP SSL may fail.

Issue: HTTP SSL service registry key may be missing

Resolution: 

Using regedit, export the HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilter key from a working server's registry and import it on the server experiencing the issue.

After importing the registry key on the server with the problem, check the ImagePath value to make sure it has the proper path (drive letter + path) to LSASS.EXE.

Reboot
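
The following post-recovery check is an added example, not part of the original post or of Microsoft's KB article. It confirms that the system32 and dllcache copies of lsass.exe both exist and match (Note 2), prints the file version next to the OS service pack level for a manual comparison, and verifies that the HTTPFilter ImagePath resolves to the local lsass.exe. It assumes PowerShell 2.0 or later is installed on the repaired server and reads the service key under HKLM\SYSTEM\CurrentControlSet\Services, where Windows stores service definitions.

```powershell
# Added example (not from the original post). Run on the repaired server after
# it boots normally. Uses only .NET classes for hashing; needs PowerShell 2.0+.

function Get-FileFingerprint([string]$Path) {
    # Return file version and SHA-1 for $Path, or $null when the file is absent.
    if (-not (Test-Path $Path)) { return $null }
    $sha    = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
    New-Object PSObject -Property @{
        Path    = $Path
        Version = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).FileVersion
        SHA1    = $hash
    }
}

$lsass = Join-Path $env:SystemRoot 'system32\lsass.exe'
$live  = Get-FileFingerprint $lsass
$cache = Get-FileFingerprint (Join-Path $env:SystemRoot 'system32\dllcache\lsass.exe')

# Issue 1: both copies must exist and be the same file (Note 2 in the post).
if (-not $live)  { Write-Warning 'system32\lsass.exe is missing' }
if (-not $cache) { Write-Warning 'dllcache\lsass.exe is missing' }
if ($live -and $cache -and ($live.SHA1 -ne $cache.SHA1)) {
    Write-Warning "Copies differ: system32=$($live.Version) dllcache=$($cache.Version)"
}
# Print the OS service pack next to the file version for a manual comparison.
$os = Get-WmiObject Win32_OperatingSystem
"OS: $($os.Caption) $($os.CSDVersion)"
if ($live) { "lsass.exe: $($live.Version) SHA1=$($live.SHA1)" }

# Issue 2: the HTTP SSL (HTTPFilter) service must point at the local lsass.exe.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTPFilter'
if (-not (Test-Path $key)) {
    Write-Warning 'HTTPFilter service key is missing'
} else {
    $raw  = (Get-ItemProperty -Path $key).ImagePath
    # "$raw" turns a missing value into an empty string; strip any quotes.
    $path = [System.Environment]::ExpandEnvironmentVariables("$raw") -replace '"', ''
    if ($path.Trim() -ne $lsass) {
        Write-Warning "HTTPFilter ImagePath is '$raw', expected '$lsass'"
    } else {
        "HTTPFilter ImagePath OK: $path"
    }
}
```

A mismatch on the last check is what you would see after importing the key from a working server whose Windows directory is on a different drive or path.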

Comments
  • The Official SBS Blog : SBS 2003 fails to boot (Gray screen after Windows splash screen): http://blogs.technet.com/sbs/archive/2006/09/01/453504.aspx...






  • ETrust is misdetecting lsass.exe as Win32/Lassrv.B, leaving servers unbootable. 
    Instructions on...

  • What would you recommend if the boot drives are on a CERC raid array and the recovery console does not recognize them?  

  • Great Timing,  Labor Day weekend.   Thank you.

    Some people will have surprises when they get back from the Holidays

  • You saved my bacon, thanks - the person at CA who did this needs to hang up their boots - far out - your antivirus software kills your server! THANKS AGAIN

  • Thank you for this blog article. You have saved us a lot of time!!!

  • CA Antivirus had removed the lsass service and I cannot get into our server. I've been trying for several days now and following some notes posted on various sites including the CA website. The problem is that I cannot get into safe mode.

    Can somebody help.
    Thanks

  • Wayne,
    You need to make sure you press F6 when you start the boot process with the Windows CD to be able to get prompted to provide the third party drivers required by your controller. Check with your vendor if you do not have them on a floppy.

    Regards
    The SBS Blog team

  • Hi Owen,
    Check the BLOG post, notice how we try not to go into Safe Mode but rather into the Recovery Console to be able to get the missing file back.

    Regards,
    The SBS Blog team

  • I have 3 servers with the Gray screen of death I managed to fix one but when using method one item F boot into safe mode the following message is displayed "windows setup cannot run under safe mode. Setup will restart now."

    When I try the other method 1a the services cannot be found.

    1) Disable "realtimeservice"

    2) Disable "jobservice"

    3) Disable "Etrust Rpcservice"

    The  only services I can find related to CA Vet Etrust are:-

    CAisafe, vet-filt, vet-rec, veteboot,vetefile,vetfddnt,vetmonnt,vetmsgnt

    Oh one other thing, I contacted CA support in Australia and the support staff informed me that the product was not supported with server 2003. I sent them a copy of the technical note from the CA website and confirmed that someone from CA is supporting the issue you have a technote (Tech405236) on your web site. Support then provided another number, the corporate support number. I called that number and the support staff from corporate support informed me to call the general support number.

    I am going to start a parallel install, rebuild the server and install another anti virus product. I have been using Vet for over 15 years and the support since Cybec sold the IP to CA has been terrible.

  • I followed Method one, sure enough files were missing.

    Can now boot to Safe Mode ok.

    Still can't boot in Normal, just getting gray screen with arrow.

  • Oh, am I glad I found you on Sunday, as I feel for the folks that truly tried to enjoy a well deserved holiday with this one.

    McAfee with the Coffee anyone?

    Thanks SBS Blog.

  • Hi RichM,

    By now most likely your LSASS.EXE is gone again, try going back into the recovery console, getting the file back in there, and then making sure you are disabling the AV services or else the file will get removed upon reboot into normal mode.

    Regards,
    The SBS Blog team

  • Re: Owen

    CA is correct in stating that they no longer support Vet antivirus on 2003 server. They support it only on workstations. They expect you to use eTrust Corporate edition which comes with both eTrust & Vet engines on 2003 & other servers. The instructions shown here assume you are using the corporate edition which is supported on both workstations & servers