The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255

Hello All

We have a server 2008 R2 HyperV server and during the last few months it started to reboot randomly.

Initially we thought its related to the issue fixed by the following hotfix so we applied it but even with the hotfix it still keeps rebooting.

http://support.microsoft.com/kb/2732595

Unlike what's mentioned in the hotfix , the faulting module is not "ntdll.dll" but "msvcrt.dll".Also came up with the following indication the reboots could be related to KB2871997 but that update is not installed on this system.                                                

Following are the events from system log.

Log Name:      System
Source:        LsaSrv
Date:          2/9/2015 11:58:12 PM
Event ID:      5000
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      HV2008-Host
Description:
The security package Kerberos generated an exception. The exception information is the data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
    <EventID>5000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-10T04:58:12.415529200Z" />
    <EventRecordID>8091130</EventRecordID>
    <Correlation />
    <Execution ProcessID="736" ThreadID="5888" />
    <Channel>System</Channel>
    <Computer>HV2008-Host</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Package">Kerberos</Data>
    <Binary>050000C00000000000000000000000001111F6FEFE070000020000000000000000000000000000008EEB1802000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        USER32
Date:          2/9/2015 11:58:24 PM
Event ID:      1074
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      HV2008-Host
Description:
The process wininit.exe has initiated the restart of computer HV2008-HOST on behalf of user  for the following reason: No title for this reason could be found
 Reason Code: 0x50006
 Shutdown Type: restart
 Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255.  The system will now shut down and restart.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="USER32" />
    <EventID Qualifiers="32768">1074</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-10T04:58:24.000000000Z" />
    <EventRecordID>8091132</EventRecordID>
    <Channel>System</Channel>
    <Computer>HV2008-Host</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>wininit.exe</Data>
    <Data>HV2008-HOST</Data>
    <Data>No title for this reason could be found</Data>
    <Data>0x50006</Data>
    <Data>restart</Data>
    <Data>The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255.  The system will now shut down and restart.</Data>
    <Data>
    </Data>
    <Binary>06000500000000000000000000000000000000000000000000000000000000000000000000000000</Binary>
  </EventData>
</Event>

Following are the events from Application logs.

Log Name:      Application
Source:        Application Error
Date:          2/9/2015 11:58:14 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HV2008-Host
Description:
Faulting application name: lsass.exe, version: 6.1.7601.22653, time stamp: 0x534893ed
Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeb033f
Exception code: 0xc0000005
Fault offset: 0x0000000000001111
Faulting process id: 0x2e0
Faulting application start time: 0x01d03c91dbe5854f
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\msvcrt.dll
Report Id: 6af0ff3d-b0e1-11e4-83ca-0026b9340d61
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-10T04:58:14.000000000Z" />
    <EventRecordID>267648</EventRecordID>
    <Channel>Application</Channel>
    <Computer>HV2008-Host</Computer>
    <Security />
  </System>
  <EventData>
    <Data>lsass.exe</Data>
    <Data>6.1.7601.22653</Data>
    <Data>534893ed</Data>
    <Data>msvcrt.dll</Data>
    <Data>7.0.7601.17744</Data>
    <Data>4eeb033f</Data>
    <Data>c0000005</Data>
    <Data>0000000000001111</Data>
    <Data>2e0</Data>
    <Data>01d03c91dbe5854f</Data>
    <Data>C:\Windows\system32\lsass.exe</Data>
    <Data>C:\Windows\system32\msvcrt.dll</Data>
    <Data>6af0ff3d-b0e1-11e4-83ca-0026b9340d61</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Windows Error Reporting
Date:          2/9/2015 11:58:23 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      HV2008-Host
Description:
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: lsass.exe
P2: 6.1.7601.22653
P3: 534893ed
P4: msvcrt.dll
P5: 7.0.7601.17744
P6: 4eeb033f
P7: c0000005
P8: 0000000000001111
P9:
P10:

Attached files:
C:\Windows\Temp\WER5001.tmp.appcompat.txt
C:\Windows\Temp\WER535C.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER53DA.tmp.hdmp
C:\Windows\Temp\WER6690.tmp.mdmp

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_3c1aa5eeba75bf26fcebc4f54e714efe7b5162a2_cab_20a56871

Analysis symbol:
Rechecking for solution: 0
Report Id: 6af0ff3d-b0e1-11e4-83ca-0026b9340d61
Report Status: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-10T04:58:23.000000000Z" />
    <EventRecordID>267650</EventRecordID>
    <Channel>Application</Channel>
    <Computer>HV2008-Host</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>APPCRASH</Data>
    <Data>Not available</Data>
    <Data>0</Data>
    <Data>lsass.exe</Data>
    <Data>6.1.7601.22653</Data>
    <Data>534893ed</Data>
    <Data>msvcrt.dll</Data>
    <Data>7.0.7601.17744</Data>
    <Data>4eeb033f</Data>
    <Data>c0000005</Data>
    <Data>0000000000001111</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
C:\Windows\Temp\WER5001.tmp.appcompat.txt
C:\Windows\Temp\WER535C.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER53DA.tmp.hdmp
C:\Windows\Temp\WER6690.tmp.mdmp</Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_3c1aa5eeba75bf26fcebc4f54e714efe7b5162a2_cab_20a56871</Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>6af0ff3d-b0e1-11e4-83ca-0026b9340d61</Data>
    <Data>0</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Windows Error Reporting
Date:          2/9/2015 11:58:22 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      HV2008-Host
Description:
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: lsass.exe
P2: 6.1.7601.22653
P3: 534893ed
P4: msvcrt.dll
P5: 7.0.7601.17744
P6: 4eeb033f
P7: c0000005
P8: 0000000000001111
P9:
P10:

Attached files:
C:\Windows\Temp\WER5001.tmp.appcompat.txt
C:\Windows\Temp\WER535C.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER53DA.tmp.hdmp
C:\Windows\Temp\WER6690.tmp.mdmp

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_3c1aa5eeba75bf26fcebc4f54e714efe7b5162a2_cab_20a56871

Analysis symbol:
Rechecking for solution: 0
Report Id: 6af0ff3d-b0e1-11e4-83ca-0026b9340d61
Report Status: 4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-10T04:58:22.000000000Z" />
    <EventRecordID>267649</EventRecordID>
    <Channel>Application</Channel>
    <Computer>HV2008-Host</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>APPCRASH</Data>
    <Data>Not available</Data>
    <Data>0</Data>
    <Data>lsass.exe</Data>
    <Data>6.1.7601.22653</Data>
    <Data>534893ed</Data>
    <Data>msvcrt.dll</Data>
    <Data>7.0.7601.17744</Data>
    <Data>4eeb033f</Data>
    <Data>c0000005</Data>
    <Data>0000000000001111</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
C:\Windows\Temp\WER5001.tmp.appcompat.txt
C:\Windows\Temp\WER535C.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER53DA.tmp.hdmp
C:\Windows\Temp\WER6690.tmp.mdmp</Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsass.exe_3c1aa5eeba75bf26fcebc4f54e714efe7b5162a2_cab_20a56871</Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>6af0ff3d-b0e1-11e4-83ca-0026b9340d61</Data>
    <Data>4</Data>
  </EventData>
</Event>

Would really appreciate if someone can point us to the correct direction on how to get this issue sorted.

Regards,

Dhanushka