HTTP.SYS / Cryptographic Services / LSASS.EXE deadlock [addendum]

  • Article

NOTE: This issue has been subsequently fixed in KB237901 for Windows Vista/Server 2008 SP2 (x86 and x64). The blog entry is left for reference.

This is a quick update to my previous blog entry https://blogs.technet.com/mrsnrub/archive/2009/11/19/http-sys-cryptographic-services-lsass-exe-deadlock.aspx.

Note that there was a typo (now fixed) in the first release in the Rapid Publishing article I pointed to, in the Resolution section:
”HKLM\CurrentControlSet\Serivces\HTTP”
should have read:
”HKLM\SYSTEM\CurrentControlSet\Services\HTTP”

 

Also, for your convenience I have made a quick & dirty Powershell script to add the dependency to the local registry if it is not present – be aware that you will need to allow the execution of unsigned scripts with “set-executionpolicy RemoteSigned” before trying to run it.

Use this script at your own risk – I’ve tested it very briefly but there is no error checking or backing up of the key/value performed.

Why a Powershell script rather than a .reg file to double-click?
This preserves the DependOnService value in case it is already present and contains data, plus it can be modified to run remotely if needed (by modifying $sComputerName).

 

$sComputerName = '.'

# Check the version of the OS is exactly 6.0, or the workaround does not apply
$oWin32OS = Get-WmiObject -class Win32_OperatingSystem -namespace "root\CIMV2" -computername $sComputerName
$sVerMajor = $oWin32OS.Version[0]
$sVerMinor = $oWin32OS.Version[2]
If (($sVerMajor -ne '6') -or ($sVerMinor -ne '0')) {
Write-Host "This script is intended only for Windows Server 2008 (NT 6.0), aborting."
Exit
}

$sKey = "SYSTEM\\CurrentControlSet\\Services\\HTTP"
$sSvc = "DependOnService"
$sDepend = "CryptSvc"

# Connect to local registry
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $sComputerName)

# Open HTTP service key
$regKey = $reg.OpenSubKey($sKey, $True)

# Get the current contents of value 'DependOnService', if it exists
$aSvcs = $regKey.GetValue($sSvc)

If ($aSvcs -eq $null) {
# Value does not exist, we need to create it with our 1 dependency
[string[]]$aSvcs = @($sDepend)
$regKey.SetValue($sSvc, $aSvcs, 'MultiString')
}
else
{
# Value does exist, we need to check if the dependency is already set
$bDependencyExists = $False
ForEach ($a in $aSvcs) {
If ($a -eq $sDepend) { $bDependencyExists = $True }
}

  # Only if it is not already present do we add it to the array and update the value
If (!$bDependencyExists) {
$aSvcs += $sDepend
$regKey.SetValue($sSvc, $aSvcs, 'MultiString')
}
}