[German]In Windows 10 20H2 some users may experiencethat the Local Security Authority Subsystem Service file (lsass.exe) crashes in certain constellations. Here is a short overview of what I have seen so far – combined with the question if there are other people affected. Addendum: Root cause known, link to a follow up article added.
History: BSOD in lsass.exe through June 2020 updates
In June 2020, there were issues with the security updates released for Windows 10 version 1809 and later on some machines. There were crashes with blue screens caused by lsass.exe (Local Security Authority Subsystem Service). I had covered this issue in the blog post Windows 10: Juni 2020 Updates causes BSOD in lsass.exe.
The issue was confirmed by Microsoft on the Windows 10 status pages and was later fixed with the cumulative updates of July 14, 2020. My blog post about the bug at that time is quite prominently cast out in search engines, so users affected by lsass.exe crashes are posting comments.
Windows 10 Update KB4577063 fixes an lsass issue
Update KB4577063 for Windows Insider (see Windows 10 Update KB4577063 as Preview for Insider) was released on September 22, 2020 and on October 1, 2020 for Windows 10 2004 in general. Windows 10 2004 and 20H2 use the same updates. In the list of fixed bugs it says:
Addresses an issue that causes an access violation in lsass.exe when a process is started using the runas command in some circumstances.
But it doesn’t fixes the issue mentioned below.
lsass.exe crashes in Windows 10 20H2
Already on 22 October 2020, a user contacted askwoody.com with this forum entry and reported Lsass.exe crashes.
After updating to 20H2, if you try to edit a user’s permissions using Computer Management as soon as you click on “user” to choose the user to edit, the cursor shows “working” and shortly after the system will request to restart.
“A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000374. The machine must now be restarted”
The system reboots after 1 minute.
The system restart is probably due to the BlueScreen settings. The interesting thing is that Windows 10 has problems with the computer management after the update to version 20H2. The user writes about crashes when adjusting user permissions in the group/user management of the computer administration. In the thread several users confirm this behavior, while others cannot reproduce the problem.
Within my German blog there is this comment from blog reader Roman, who has issues with group management under Windows 10 20H2 because Lsass.exe crashes. Roman writes:
Now there is a new error in the 20H2 update.
lsass.exe crashes e.g. in computer management when you want to list groups, but also in many other constellations.
But with a different error number than in June. This time it is the error c0000374. But with Powershell you can display all groups and also change memberships.
I once tried on my test machine to access the computer management with administrative permissions and then list groups or adjust user account properties. However, my test machine with Windows 10 20H2 (2004 upgrade) has not crashed yet. In another comment, blog reader Malte wrote about Lsass.exe crashes. Malte writes about this:
I also have a problem with lsass. I’m upgrading from 1909 or from 2004, on a VM, after restarting it is not possible to log in. The system reboots after entering username/password.
It is only possible to start the system in safe mode and log in.
This happens on a naked Windows, only VM Ware Tools installed.
The exciting question is whether the update KB4580364 (Windows 10 20H2/2004: Update KB4580364 released) distributed on October 29, 2020 will change this situation? The users affected by the crash can test it. Otherwise the question: Is anyone else affected by the Lsass.exe crashes?
Addendum: More cases
On German site administrator.de I found this post, where an Admin has updated a domain client with Windows 7 to Windows 10 20H2. The attempt to list a user group ends with a BSOD:
A critical system process C:\WINDOWS\system32\lsass.exe failed with status code c0000374. The computer must be restarted.
In the Windows Event Viewer the error is indicated with event id 1015.
In addition, blog reader Ralf M. contacted me via email and wrote (thanks for that):
Tried a total of 7 clients of Windows 10 Pro version 1909 on the weekend to version 20H2. The computers were originally delivered and installed with WIN7 Pro.
Before the update, any existing virus scanners were uninstalled so that they could not interfere with the update process in the first place. A current ISO from MS was loaded, this is easiest to do with Firefox and UserAgentSwitcher:
ISO was then simply mounted on the system and installed as administrator.
Only on 2 of the 7 systems the error with lsass.exe does not occur after the update from 1909 to 20H2, you can easily check this with lusrmgr.msc, select user, add group, when searching for the available local groups the animated search magnifier appears and the system crashes reproducibly.
With the working systems the selection list appears immediately without delay!
All systems are in German, BIOS on the latest available version. All systems have a SSD. Manufacturers are DELL and HP, notebooks and desktops. 4 hardware systems are identical, because they were ordered at the same time.
Of these, 1 system could be successfully updated from 4 to 20H2 without running into the LSASS.exe error.
his is a system that did not update from WIN7 to 1909 > 20H2. Here 1909 came into effect during the first installation. I have the assumption that this error occurs mainly on systems that were updated from WIN7.
When installing Windows 10 20H2 the error does not occur on any of my devices. Also with the installation chain
if the error is not present, once installed on 20H2, you run the risk of the LSASS.exe error.
After the installation all available updates from MS have been installed. The error, if present, remains however.
None of the computers is in a domain.
Stay on the topic, this is still exciting.
There is also a Microsoft Answers forum post, that described that issue. I’ve escalated this thread and informed also @WindowsUpdate and @MSWindowsITPro social media teams from MS about that issue.
PwdFilt.dll from Authasas
A MVP colleague has found a very specific cause (PwdFilt.dll from the third-party provider Authasas) for a sporadically restarting domain controller with the lsass.exe error 0xc0000374 and described it here on October 27, 2020. If necessary, check if this could be the cause.
Addendum: The root cause has been identified by Microsoft – see Windows 10 2004/20H2 lsass.exe crash issue (Oct. 2020) confirmed.
Windows 10 Update KB4577063 as Preview for Insider
Windows 10 Insider Preview KB4577063 released
Windows 10 20H2/2004: Update KB4580364 released
Windows 10 V2004: Update KB4577063 released (Oct. 1, 2020)