Yubico Forum
https://forum.yubico.com/

Windows 10 logon - BSOD/forced restart on login failure?
https://forum.yubico.com/viewtopic.php?f=23&t=2355		 Page 1 of 1
Author:  Aditza [ Wed Jun 29, 2016 2:05 pm ]
Post subject:  Windows 10 logon - BSOD/forced restart on login failure?
i tried to set up 2-factor logon on Windows 10 x64 Professional (version 1511 OS Build 10586.420 - latest available from MS Update) and it doesn't quite work:

1. the Yubico installer thinks it's running on Windows 8 x64

2. after enabling 2-factor logons all user accounts on the login screen are showing up doubled.

3. when testing for multiple login failures in a row, the system behaves as if it gets a BSOD-type of restart... the screen shuts down suddenly and the system reboots... looking up things in the system event log shows that the LSASS.exe process is crashing right at the time (or because) of the failed yubikey logins.

message in the event log:The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.

Attachments:
File comment: LSASS crashed after multiple failed login attempts
lsass_crash.png
lsass_crash.png [ 69.5 KiB | Viewed 2418 times ]
File comment: Windows10 - testing login without a yubikey connected - test 1b (doubled login) - stage 2 - yubikey not present
test1b_stage2_no_key_inserted.jpg
test1b_stage2_no_key_inserted.jpg [ 97.58 KiB | Viewed 2418 times ]
File comment: Windows10 - testing login without a yubikey connected - test 1a (original windows login) - stage 2 - no yubikey present
test1a_stage2_no_key_inserted.jpg
test1a_stage2_no_key_inserted.jpg [ 109.07 KiB | Viewed 2418 times ]
Author:  Aditza [ Wed Jun 29, 2016 2:12 pm ]
Post subject:  Re: Windows 10 logon - BSOD/forced restart on login failure?
P.S. (could only attach 3 files to the initial post.. these are the 4th and 5th)

this is how it looks like when all user accounts on the login screen are showing up doubled:
Attachment:
File comment: doubled logons on windows 10
test1a_stage1.jpg
test1a_stage1.jpg [ 76.04 KiB | Viewed 2417 times ]

Attachment:
File comment: doubled logons on windows 10
test1b_stage1_no_key_inserted.jpg
test1b_stage1_no_key_inserted.jpg [ 70.49 KiB | Viewed 2417 times ]
Author:  Aditza [ Wed Jun 29, 2016 2:24 pm ]
Post subject:  Re: Windows 10 logon - BSOD/forced restart on login failure?
note: i'm using a Yubikey 4 with firmware 4.2.7 and HMAC-SHA1 challenge-response is configured to not require touch... but even so.. i'm testing for what happens when the key is NOT connected and the user keeps insisting/trying to login... the firmware should not matter at all in this case since the key is not present.

note 2 - not sure if it matters: the system boots in EFI mode, secure boot mode is enabled, Windows 8+10 WHQL mode is enabled in the bios secure boot configuration.

note 3: some of my tests were with challenge-response set to require touch while connected, but avoiding to touch it on purpose... Win10 crashed anyway even so... i think the screenshot of the event log above might have been one of these "key present but not touched" crashes, as it follows some events related to WudfUsbccidDrv... i'll look into it tomorrow. Anyway, the same type of crash occurred when the key was not connected at all so i don't think it makes a difference.
Author:  Aditza [ Thu Jun 30, 2016 6:26 am ]
Post subject:  Re: Windows 10 logon - BSOD/forced restart on login failure?
found more info about yesterday's crashes:

in the application log:
Code:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Application Error" />
  <EventID Qualifiers="0">1000</EventID>
  <Level>2</Level>
  <Task>100</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2016-06-29T11:52:02.869406900Z" />
  <EventRecordID>2190</EventRecordID>
  <Channel>Application</Channel>
  <Computer>-----------deleted-------------</Computer>
  <Security />
  </System>
- <EventData>
  <Data>lsass.exe</Data>
  <Data>10.0.10586.0</Data>
  <Data>5632d7c6</Data>
  <Data>YubiClientAPI.dll</Data>
  <Data>4.1.0.0</Data>
  <Data>56fa33a0</Data>
  <Data>c0000005</Data>
  <Data>0000000000009850</Data>
  <Data>318</Data>
  <Data>01d1d1ee2395dab3</Data>
  <Data>C:\Windows\system32\lsass.exe</Data>
  <Data>C:\Program Files\Yubico\Yubikey Client API\Bin\x64\YubiClientAPI.dll</Data>
  <Data>4aca7058-d3d7-4762-a0ab-af59d29df0fa</Data>
  <Data />
  <Data />
  </EventData>
  </Event>


and another one, a bit later:
Code:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Application Error" />
  <EventID Qualifiers="0">1000</EventID>
  <Level>2</Level>
  <Task>100</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2016-06-29T11:54:07.782194900Z" />
  <EventRecordID>2201</EventRecordID>
  <Channel>Application</Channel>
  <Computer>----deleted----</Computer>
  <Security />
  </System>
- <EventData>
  <Data>lsass.exe</Data>
  <Data>10.0.10586.0</Data>
  <Data>5632d7c6</Data>
  <Data>YubiClientAPI.dll</Data>
  <Data>4.1.0.0</Data>
  <Data>56fa33a0</Data>
  <Data>c0000005</Data>
  <Data>0000000000009850</Data>
  <Data>318</Data>
  <Data>01d1d1fce77f4e8d</Data>
  <Data>C:\Windows\system32\lsass.exe</Data>
  <Data>C:\Program Files\Yubico\Yubikey Client API\Bin\x64\YubiClientAPI.dll</Data>
  <Data>6c252247-2704-4f5f-868d-e53b81eb0567</Data>
  <Data />
  <Data />
  </EventData>
  </Event>




and in windows error reports:
Code:
Source
Local Security Authority Process

Summary
Stopped working

Date
‎29.‎06.‎2016 14:52

Status
Report sent

Description
Faulting Application Path:   C:\Windows\System32\lsass.exe

Problem signature
Problem Event Name:   CriticalProcessFault2
Application Name:   lsass.exe
Application Version:   10.0.10586.0
Application Timestamp:   5632d7c6
Fault Module Name:   YubiClientAPI.dll
Fault Module Version:   4.1.0.0
Fault Module Timestamp:   56fa33a0
Exception Code:   c0000005
Exception Offset:   0000000000009850
Exception Data:   00000000
Exception Flags:   0x00000000
OS Version:   10.0.10586.2.0.0.256.48
Locale ID:   1048
Additional Information 1:   239b
Additional Information 2:   239b305196fda349743e699f81a44e44
Additional Information 3:   b014
Additional Information 4:   b0144722e63672165ee5b3aec4b84c5e

Extra information about the problem
Bucket ID:   2fe3be4afcc42abc6dd4526a1211d3d9 (126388077789)



Code:
Source
Local Security Authority Process

Summary
Stopped working

Date
‎29.‎06.‎2016 14:54

Status
Report sent

Description
Faulting Application Path:   C:\Windows\System32\lsass.exe

Problem signature
Problem Event Name:   CriticalProcessFault2
Application Name:   lsass.exe
Application Version:   10.0.10586.0
Application Timestamp:   5632d7c6
Fault Module Name:   YubiClientAPI.dll
Fault Module Version:   4.1.0.0
Fault Module Timestamp:   56fa33a0
Exception Code:   c0000005
Exception Offset:   0000000000009850
Exception Data:   00000000
Exception Flags:   0x00000000
OS Version:   10.0.10586.2.0.0.256.48
Locale ID:   1048
Additional Information 1:   239b
Additional Information 2:   239b305196fda349743e699f81a44e44
Additional Information 3:   b014
Additional Information 4:   b0144722e63672165ee5b3aec4b84c5e

Extra information about the problem
Bucket ID:   2fe3be4afcc42abc6dd4526a1211d3d9 (126388077789)
Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/