JSI Tip 6116. Lsass.exe error occurs after you install the Windows 2000 High Encryption Pack?

When you restart after installing the Windows 2000 High Encryption Pack, you receive:

Lsass.exe - Entry Point Not Found

The procedure entry point EqualDomainSid could not be located in the dynamic link library ADVAPI32.dll.

When you press OK, you receive:

System Shutdown This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by \

Time before shutdown: 00:00:59


The system process 'C:\WINNT\System32\Lsass.exe' terminated unexpectedly with status code 128. The system will now shut down and restart.

The above error will occur if the following events transpired:

1. You installed the 271976 Hotfix Rollup Package and DID NOT RESTART.

2. You installed the 274172 FIX: Adding Multiple Users to Active Directory Can Cause Memory Leak When Setting Passwords and restarted your computer.

3. You installed the Windows 2000 High Encryption Pack and restarted your computer.

In the above scenario, a mismatched version of Advapi32.dll remains on your disk.

To resolve this issue:

1. Boot the Windows 2000 Recovery Console.

2. Switch to the System32 folder, cd system32.

3. Type ren advapi32.dll advapi32.old and press Enter.

4. Type copy c:\winnt\$ntuninstallq274172$\advapi32.dll and press Enter, where C:\Winnt should be replaced with the drive and folder in which Windows 2000 is installed.

5. Type exit and press Enter.

NOTE: See QChain.exe is a safe way of installing multiple hotfixes with a single reboot.

NOTE: The W32.Sasser.Worm, at SystemRoot%\avserver.exe or SystemRoot%\System32\avserver.exe, and configured to run run via a Value Name at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, can cause the LSASS.EXE termination with status code 128. If you are infected:

     - delete the Value Name and close the Registry Editor.
     - Shutdown and restart your computer.
     - Update your antivirus and have it remove the avserver.exe file.
     - Apply the Microsoft Security Bulletin  MS04-011 patch.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.