Introduction

 

First let’s understand what silent quits means:

 

When a silent exit occurs, the JIT debugger is never invoked because the process itself asked to be terminated. For example, two Win32 Application Programming Interface (API) functions that perform this action are TerminateProcess and ExitProcess.

 

From: http://support.microsoft.com/kb/329629

 

Note: Although this article is for Exchange these functions are Windows (Win32) related.

 

What about graceful shutdown, what is that? That’s simple: a service received an expected command to gracefully stop.

 

The Scenario

 

The scenario of this article was based on a real case where customer had to manually start Firewall Service every day, it was “apparently” quitting every night.  The problem with a silent quitting is that debugger will not catch; therefore there will be no dump file to analyze. Even knowing that we tried to get a dump and of course the result was a 1st chance exception dump, no second chance. Therefore we got useless data.

 

Moving Forward

 

After researching more and more we found out that Telephony Service was set to disable and ISA Server Control depends on Remote Access Connection Manager that depends on Telephony Service:

 

 

Figure 1 – ISA Server Control Dependencies.

 

Looking the System Log, there following sequence of events were showing up:

 

Event Type: Information

Event Source:     Service Control Manager

Event Category:   None

Event ID:   7040

Date:       2/19/2009

Time:       10:09:05 PM

User:       NT AUTHORITY\SYSTEM

Computer:   ISASRVSTD

Description:

The start type of the Telephony service was changed from demand start to disabled.

 

Event Type: Information

Event Source:     Service Control Manager

Event Category:   None

Event ID:   7035

Date:       2/19/2009

Time:       10:09:06 PM

User:       NT AUTHORITY\SYSTEM

Computer:   ISASRVSTD

Description:

The Microsoft Firewall service was successfully sent a stop control.

 

Event Type: Information

Event Source:     Service Control Manager

Event Category:   None

Event ID:   7036

Date:       2/19/2009

Time:       10:09:16 PM

User:       N/A

Computer:   ISASRVSTD

Description:

The Microsoft Firewall service entered the stopped state.

 

Event Type: Information

Event Source:     Service Control Manager

Event Category:   None

Event ID:   7035

Date:       2/19/2009

Time:       10:09:17 PM

User:       NT AUTHORITY\SYSTEM

Computer:   ISASRVSTD

Description:

The Microsoft ISA Server Control service was successfully sent a stop control.

 

Event Type: Information

Event Source:     Service Control Manager

Event Category:   None

Event ID:   7036

Date:       2/19/2009

Time:       10:09:17 PM

User:       N/A

Computer:   ISASRVSTD

Description:

The Microsoft ISA Server Control service entered the stopped state.

 

Event Type: Information

Event Source:     Service Control Manager

Event Category:   None

Event ID:   7035

Date:       2/19/2009

Time:       10:09:18 PM

User:       NT AUTHORITY\SYSTEM

Computer:   ISASRVSTD

Description:

The Remote Access Connection Manager service was successfully sent a stop control.

 

In the application log we got the prove that this was not a silent exit, it was actually a graceful shutdown:

 

Event Type: Information

Event Source:     Microsoft ISA Server Control

Event Category:   None

Event ID:   14181

Date:       2/19/2009

Time:       10:09:16 PM

User:       N/A

Computer:   ISASRVSTD

Description:

The ISA Server Control service was stopped gracefully.

 

Event Type: Information

Event Source:     Microsoft Firewall

Event Category:   None

Event ID:   14182

Date:       2/19/2009

Time:       10:09:05 PM

User:       N/A

Computer:   ISASRVSTD

Description:

The Firewall service was stopped gracefully.

 

Now What?

 

If those services are stopping every night and the administrator needs to manually start those, this leads to a conclusion that something (a process) is stopping it. For a domain joined ISA the first thing you shoul check is Group Policy. A simple thing that can be done without impact the production just to check if ISA Server is receiving any policy is run the command RSOP.MSC. The result for this case was shown in Figure 2:

 

 

Figure 2 – RSOP.MSC result.

 

Bingo !!! Now everything makes sense. What was happen here was that ISA Server was inside of an OU that has a policy which was disabling those services. To fix that we created a new OU, moved ISA Server to this new OU and block inheritance in this OU.

 

Conclusion

 

Sometimes IT administrators using their best of intention disable some services that are considered not necessary from a Windows perspective (attempting to hardening). However, for ISA Server this needs to be carefully done since it can stop Firewall Service which will cause downtime in your Internet access. Before do this, review the article below that has a list of services that ISA Server depends on:

http://technet.microsoft.com/en-us/library/cc302488.aspx