Windows 10 20H2: lsass.exe crashes (Oct. 2020)

In Windows 10 20H2, some users may find that the Local Security Authority Subsystem Service (lsass.exe) crashes in certain constellations. Here is a short overview of what I have seen so far, combined with the question of whether other people are affected. Addendum: Root cause known, link to a follow-up article added.


History: BSOD in lsass.exe through June 2020 updates

In June 2020, there were issues with the security updates released for Windows 10 version 1809 and later on some machines. There were crashes with blue screens caused by lsass.exe (Local Security Authority Subsystem Service). I had covered this issue in the blog post Windows 10: Juni 2020 Updates causes BSOD in lsass.exe.

The issue was confirmed by Microsoft on the Windows 10 status pages and was later fixed with the cumulative updates of July 14, 2020. My blog post about the bug at that time ranks quite prominently in search engines, so users affected by lsass.exe crashes are posting comments there.

Windows 10 Update KB4577063 fixes an lsass issue

Update KB4577063 for Windows Insider (see Windows 10 Update KB4577063 as Preview for Insider) was released on September 22, 2020 and on October 1, 2020 for Windows 10 2004 in general. Windows 10 2004 and 20H2 use the same updates. In the list of fixed bugs it says:

Addresses an issue that causes an access violation in lsass.exe when a process is started using the runas command in some circumstances.

But it doesn’t fix the issue mentioned below.

lsass.exe crashes in Windows 10 20H2

Already on 22 October 2020, a user contacted askwoody.com with this forum entry and reported Lsass.exe crashes.


After updating to 20H2, if you try to edit a user’s permissions using Computer Management as soon as you click on “user” to choose the user to edit, the cursor shows “working” and shortly after the system will request to restart.

“A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000374. The machine must now be restarted”

The system reboots after 1 minute.

The system restart is probably due to the BlueScreen settings. The interesting thing is that Windows 10 has problems with the computer management after the update to version 20H2. The user writes about crashes when adjusting user permissions in the group/user management of the computer administration. In the thread several users confirm this behavior, while others cannot reproduce the problem.

Within my German blog there is this comment from blog reader Roman, who has issues with group management under Windows 10 20H2 because Lsass.exe crashes. Roman writes:

Now there is a new error in the 20H2 update.
lsass.exe crashes e.g. in computer management when you want to list groups, but also in many other constellations.
But with a different error number than in June. This time it is the error c0000374. But with Powershell you can display all groups and also change memberships.

I once tried on my test machine to access the computer management with administrative permissions and then list groups or adjust user account properties. However, my test machine with Windows 10 20H2 (2004 upgrade) has not crashed yet. In another comment, blog reader Malte wrote about Lsass.exe crashes. Malte writes about this:

I also have a problem with lsass. I’m upgrading from 1909 or from 2004, on a VM, after restarting it is not possible to log in. The system reboots after entering username/password.
It is only possible to start the system in safe mode and log in.

This happens on a naked Windows, only VM Ware Tools installed.

The exciting question is whether the update KB4580364 (Windows 10 20H2/2004: Update KB4580364 released) distributed on October 29, 2020 will change this situation? The users affected by the crash can test it. Otherwise the question: Is anyone else affected by the Lsass.exe crashes?

Addendum: More cases

On the German site administrator.de I found this post, where an admin updated a domain client from Windows 7 to Windows 10 20H2. The attempt to list a user group ends with a BSOD:

A critical system process C:\WINDOWS\system32\lsass.exe failed with status code c0000374. The computer must be restarted.

In the Windows Event Viewer the error is indicated with event id 1015.

In addition, blog reader Ralf M. contacted me via email and wrote (thanks for that):

Tried a total of 7 clients of Windows 10 Pro version 1909 on the weekend to version 20H2. The computers were originally delivered and installed with WIN7 Pro.

Before the update, any existing virus scanners were uninstalled so that they could not interfere with the update process in the first place. A current ISO from MS was loaded, this is easiest to do with Firefox and UserAgentSwitcher:

https://www.microsoft.com/de-de/software-download/windows10ISO

ISO was then simply mounted on the system and installed as administrator.

Only on 2 of the 7 systems the error with lsass.exe does not occur after the update from 1909 to 20H2, you can easily check this with lusrmgr.msc, select user, add group, when searching for the available local groups the animated search magnifier appears and the system crashes reproducibly.

With the working systems the selection list appears immediately without delay!

All systems are in German, BIOS on the latest available version. All systems have a SSD. Manufacturers are DELL and HP, notebooks and desktops. 4 hardware systems are identical, because they were ordered at the same time.

Of these, 1 system could be successfully updated from 4 to 20H2 without running into the LSASS.exe error.

This is a system that did not update from WIN7 to 1909 > 20H2. Here 1909 came into effect during the first installation. I have the assumption that this error occurs mainly on systems that were updated from WIN7.

When installing Windows 10 20H2 the error does not occur on any of my devices. Also with the installation chain

WIN7>1909>2004

if the error is not present, once installed on 20H2, you run the risk of the LSASS.exe error.

After the installation all available updates from MS have been installed. The error, if present, remains however.
None of the computers is in a domain.

Stay on the topic, this is still exciting.

There is also a Microsoft Answers forum post that describes the issue. I’ve escalated this thread and also informed the @WindowsUpdate and @MSWindowsITPro social media teams at MS about it.

PwdFilt.dll from Authasas

An MVP colleague has found a very specific cause (PwdFilt.dll from the third-party provider Authasas) for a sporadically restarting domain controller with the lsass.exe error 0xc0000374 and described it here on October 27, 2020. If necessary, check whether this could be the cause.

Addendum: The root cause has been identified by Microsoft – see Windows 10 2004/20H2 lsass.exe crash issue (Oct. 2020) confirmed.

Similar articles:
Windows 10 Update KB4577063 as Preview for Insider
Windows 10 Insider Preview KB4577063 released
Windows 10 20H2/2004: Update KB4580364 released
Windows 10 V2004: Update KB4577063 released (Oct. 1, 2020)



6 Responses to Windows 10 20H2: lsass.exe crashes (Oct. 2020)

  1. Lucky says:

    Hello, I have the same bug. Upgraded from the previous October update (1903 I think) and this bug appears when I start the GUI of Kaspersky Total Security 21. The system says it will restart in one minute. Also I can trigger it when I want to see the groups in my system. It then says it can't reach the RPC server and also that the PC will restart in one minute.
    Started my system in safe mode and when I click groups I get the same problem.
    Installed all the updates (also the 29 October update) but the problem is still there.

    This is the message I get in the logging (Dutch)

    Het proces wininit.exe heeft het opnieuw opstarten van computer XXXXX namens gebruiker geïnitialiseerd om de volgende reden: Er is geen titel voor deze reden gevonden
    Code: 0x50006
    Type afsluiting: opnieuw opstarten
    Opmerking: Het systeemproces ‘C:\WINDOWS\system32\lsass.exe’ is onverwacht afgesloten met statuscode -1073740940. Het systeem wordt afgesloten en opnieuw opgestart.

  2. Seth says:

    Did you have the guest account renamed with GP on any of the affected systems prior to updating to 20H2?

  3. Dan Laskowski says:

    I am upgrading a Fujitsu laptop from Windows 7 Professional to 20H2 and I am getting the lsass.exe errors. Critical error 1015 pointing to lsass.exe with C00000005 error. I ran the sfc /scannow and cleared a few errors, a second pass showed no errors. The time to fail is from pretty quick after logging in to several minutes. All updates, cumulative and quality, are applied.

  5. Daniel K Laskowski says:

    More information: as I checked and rechecked everything, errors and reasons for a reboot were all over the place. I checked the sfc /scannow again and something called DSIM? and verified the drivers. After many reboots and no particular pattern to the reasons [except lsass often being the faulting app] I found myself unable to reboot the laptop. After three attempts to reboot [it said there was a driver issue] it offered to rebuild my laptop without bringing over the installed programs. I am presently trying to install all my old programs and so far, no problems with rebooting.

  6. Hans Verduyckt says:

    eventtrac Replied on November 5, 2020
    LSASS crashes on 20H2 devices if built-in accounts in the local SAM account database were renamed on the OS being in-place upgraded to 20H2.

    Events known to trigger the LSASS crash and “shutdown in one minute” dialog include

    accessing the sign-in options page in Settings

    or

    the users folders in the computer management or local users and groups mmc snap-ins

    The next Windows Update will prevent completely avoid this issue when down-level devices are in-place upgraded to 20H2 using updated 20H2 media

    The same update will prevent LSASS from crashing on devices that have already upgraded to 20H2
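
The last comment names renamed built-in accounts in the local SAM as the trigger. The following PowerShell is an added example (not code from this post, its commenters or Microsoft) that lists built-in accounts whose name differs from the shipped default, intended to be run on the down-level system before the in-place upgrade. The function name, the table of default names (English and German only, an assumption) and the sample SIDs are constructed for illustration.

```powershell
#Requires -Version 5.1
# Added example: flag built-in local accounts that no longer carry a default name.

# Well-known RIDs of built-in accounts and the names Windows ships them with.
# Assumption: English and German defaults only; extend for other UI languages.
$DefaultNames = @{
    '500' = @('Administrator')
    '501' = @('Guest', 'Gast')
    '503' = @('DefaultAccount')
    '504' = @('WDAGUtilityAccount')
}

function Get-RenamedBuiltinAccount {
    [CmdletBinding()]
    param(
        # Objects with Name and SID properties; defaults to the local SAM.
        [object[]] $Account
    )
    if (-not $Account) { $Account = Get-LocalUser }

    foreach ($a in $Account) {
        # The RID is the last sub-authority of the SID (S-1-5-21-...-<RID>).
        $sid = "$($a.SID)"
        $rid = ($sid -split '-')[-1]
        if (-not $DefaultNames.ContainsKey($rid)) { continue }   # not built-in

        # -notcontains compares case-insensitively, like SAM account names.
        if ($DefaultNames[$rid] -notcontains $a.Name) {
            [pscustomobject]@{
                Rid          = $rid
                CurrentName  = $a.Name
                ExpectedName = $DefaultNames[$rid] -join ' / '
                Sid          = $sid
            }
        }
    }
}

# Constructed sample input (not from the page): Guest was renamed to 'Visitor'.
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'Visitor';       SID = 'S-1-5-21-1111111111-2222222222-3333333333-501' }
    [pscustomobject]@{ Name = 'alice';         SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
)
Get-RenamedBuiltinAccount -Account $sample | Format-Table -AutoSize

# On a real machine, call it without arguments to read the local SAM:
# Get-RenamedBuiltinAccount | Format-Table -AutoSize
```

An empty result means every built-in account still has a name from the table; any row returned is a candidate for the condition described in the comment above.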
