ashfana
We had an issue where the WAS service was unable to start, with the error "The data is invalid".
We checked procmon and could see that the service is trying to read the apphost.config file and nothing happens after that:
4:45:05.6132558 PM svchost.exe 31736 41848 QueryAttributeInformationVolume C:\Windows\System32\inetsrv\config\applicationHost.config SUCCESS FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, Transactions, 0x3c00600, MaximumComponentNameLength: 255, FileSystemName: NTFS NT AUTHORITY\SYSTEM 0
4:45:05.6133179 PM svchost.exe 31736 41848 QueryRemoteProtocolInformation C:\Windows\System32\inetsrv\config\applicationHost.config INVALID PARAMETER NT AUTHORITY\SYSTEM 0
4:45:05.6133488 PM svchost.exe 31736 41848 QuerySecurityFile C:\Windows\System32\inetsrv\config\applicationHost.config SUCCESS Information: Attribute NT AUTHORITY\SYSTEM 0
4:45:05.6135904 PM svchost.exe 31736 41848 ReadFile C:\Windows\System32\inetsrv\config\applicationHost.config SUCCESS Offset: 0, Length: 131,072, Priority: Normal NT AUTHORITY\SYSTEM 0
4:45:05.6137492 PM svchost.exe 31736 41848 ReadFile C:\Windows\System32\inetsrv\config\applicationHost.config SUCCESS Offset: 131,072, Length: 95,532 NT AUTHORITY\SYSTEM 0
4:45:05.6140994 PM svchost.exe 31736 41848 CloseFile C:\Windows\System32\inetsrv\config\applicationHost.config SUCCESS NT AUTHORITY\SYSTEM 0
We checked the apphost.config file and understood that we had a null parameter getting added which corrupts the apphost.config file… removing that line resolved the issue.
C:\WINDOWS\system32>net start WAS
The Windows Process Activation Service service is starting.
The Windows Process Activation Service service could not be started.
A system error has occurred.
System error 13 has occurred.
The data is invalid.
Removing the last line “null” from the same apphost.config, I was able to start the WAS service:
C:\WINDOWS\system32>net start WAS
The Windows Process Activation Service service is starting.
The Windows Process Activation Service service was started successfully.
So someone/some process is corrupting the apphost by passing a null parameter.
Possible causes which I can think of:
- If apphost is on shared config or a network share, there can be disk corruption leading to this kind of issue
- I have also seen some scenarios like this when the disk gets corrupted; memory-level corruption etc. can lead to config file corruption
- Some scanning software/AV scanning the config folder corrupts it
In order to find the actual cause:
- We need procmon with a filter set to the apphost.config path to see who is touching those files
- And file-level auditing for the config folder
- Ensure AV is not scanning IIS files/config files
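
The file-level auditing step above, as an added example that is not part of the original post: it puts an audit entry on the config folder and then lists which account and process wrote to applicationHost.config. It assumes an elevated PowerShell session, the local config path shown in the procmon trace, and an English-locale audit subcategory name.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
$configDir = 'C:\Windows\System32\inetsrv\config'   # path taken from the procmon trace

# 1. Enable success auditing for the "File System" subcategory
#    (subcategory name as shown on English-locale systems).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry on the folder: audit successful write/delete by any account,
#    inherited by the files inside it. S-1-1-0 is the well-known SID for Everyone.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $configDir -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $configDir -AclObject $acl

# 3. After the next corruption (or any change), list who touched the file.
#    Event 4663 in the Security log records an access attempt on an audited object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named EventData fields into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -like '*\inetsrv\config\applicationHost.config') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Process = $d['ProcessName']
                Access  = $d['AccessMask']
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The Process column gives the full image path of the writer, which can be matched against the procmon capture for the same timestamp.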