naimco
Guest
We have a user base of around 1200 machines; every week we average about 700 crashes occurring on half of our computers. Of the Outlook crashes, 75% are of the exception type C0000005 (access violation). Here is a sample of the crash details:
From the user's perspective the crashes occur randomly, sometimes when they are not even using their computers. Email drafts are sometimes lost in the process.
From an event log perspective, 75% of the C0000005 crashes occur when the Group Policy client is syncing policy. As a control, we completely disabled the gpsvc service on a few machines = no Group Policy, which is a radical config change, but on those machines no more Outlook crashing.
Using a different group of PCs, we are disabling User and Computer processing of a few GPO Preference extensions for which we see processing start/complete activity in the milliseconds prior to or after the crash. Here is an example:
I merged the App fault event ID 1000 with the Group Policy log to get a synced view of the crashing.
11/28/2019 3:54:16 PM 5320 Information Microsoft-Windows-GroupPolicy Checking for Group Policy client extension...
11/28/2019 3:54:16 PM 5320 Information Microsoft-Windows-GroupPolicy Service configuration update to standalone...
11/28/2019 3:54:16 PM 5320 Information Microsoft-Windows-GroupPolicy Finished checking for non-system extensions.
11/28/2019 3:54:16 PM 4016 Information Microsoft-Windows-GroupPolicy Starting Registry Extension Processing. ...
11/28/2019 3:54:17 PM 5016 Information Microsoft-Windows-GroupPolicy Completed Registry Extension Processing in...
11/28/2019 3:54:17 PM 4016 Information Microsoft-Windows-GroupPolicy Starting Group Policy Local Users and Grou...
11/28/2019 3:54:17 PM 1000 Error Application Error Faulting application name: OUTLOOK.EXE, ve...
11/28/2019 3:54:22 PM 1085 Warning Microsoft-Windows-GroupPolicy Windows failed to apply the Group Policy L...
11/28/2019 3:54:22 PM 7016 Error Microsoft-Windows-GroupPolicy Completed Group Policy Local Users and Gro...
11/28/2019 3:54:22 PM 4016 Information Microsoft-Windows-GroupPolicy Starting Group Policy Folders Extension Pr...
11/28/2019 3:54:27 PM 1085 Warning Microsoft-Windows-GroupPolicy Windows failed to apply the Group Policy F...
11/28/2019 3:54:27 PM 7016 Error Microsoft-Windows-GroupPolicy Completed Group Policy Folders Extension P...
11/28/2019 3:54:27 PM 4016 Information Microsoft-Windows-GroupPolicy Starting Group Policy Files Extension Proc...
11/28/2019 3:54:36 PM 5016 Information Microsoft-Windows-GroupPolicy Completed Group Policy Files Extension Pro...
Modules we have disabled to date, using the DWORD values NoUserPolicy and NoMachinePolicy = 1; as the keys are locked with security, to make changes we use psexec as the system account.
psexec \\$CmpName -s cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}" /v "NoUserPolicy" /t REG_DWORD /d 1 /f 2>$null
..etc
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}" - Registry Processing
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}" - Local Users and groups
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}" - Folder Options
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}" - Folders
We are still waiting for crash data to see if the disabling of the GPExtensions above has made an impact.
Anyone else here seeing this pattern ?
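
An added example, not part of the original post: it parses lines in the merged-view format quoted above, tracks which Group Policy extension sits between its 4016 start and its 5016/7016 completion event, and reports each OUTLOOK.EXE event 1000 that falls inside that window. It assumes extensions are processed one at a time and that line order breaks ties within the same second; the function names `parse` and `crashes_during_gp` are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the merged view in the post (messages are truncated there).
MERGED_LOG = """\
11/28/2019 3:54:16 PM 4016 Information Microsoft-Windows-GroupPolicy Starting Registry Extension Processing. ...
11/28/2019 3:54:17 PM 5016 Information Microsoft-Windows-GroupPolicy Completed Registry Extension Processing in...
11/28/2019 3:54:17 PM 4016 Information Microsoft-Windows-GroupPolicy Starting Group Policy Local Users and Grou...
11/28/2019 3:54:17 PM 1000 Error Application Error Faulting application name: OUTLOOK.EXE, ve...
11/28/2019 3:54:22 PM 1085 Warning Microsoft-Windows-GroupPolicy Windows failed to apply the Group Policy L...
11/28/2019 3:54:22 PM 7016 Error Microsoft-Windows-GroupPolicy Completed Group Policy Local Users and Gro...
11/28/2019 3:54:22 PM 4016 Information Microsoft-Windows-GroupPolicy Starting Group Policy Folders Extension Pr...
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<id>\d+) \w+ "
    r"(?:Microsoft-Windows-GroupPolicy|Application Error) (?P<msg>.*)$")

def parse(text):
    """Turn merged-view lines into (timestamp, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not in the merged-view format
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, int(m["id"]), m["msg"]))
    return events

def crashes_during_gp(events, app="OUTLOOK.EXE"):
    """Report each event 1000 for `app` and the extension in flight, if any."""
    findings, current = [], None  # current = (extension name, pending findings)
    for ts, event_id, msg in events:
        if event_id == 4016:  # extension processing started
            current = (msg[len("Starting "):].rstrip(". "), [])
        elif event_id in (5016, 7016) and current:  # completed: success / error
            for f in current[1]:
                f["result"] = "success" if event_id == 5016 else "error"
                f["seconds_to_finish"] = (ts - f["crash"]).total_seconds()
            current = None
        elif event_id == 1000 and app in msg:
            f = {"crash": ts, "extension": current[0] if current else None,
                 "result": None, "seconds_to_finish": None}
            findings.append(f)
            if current:
                current[1].append(f)
    return findings

if __name__ == "__main__":
    for f in crashes_during_gp(parse(MERGED_LOG)):
        print(f)
```

Run across many machines' merged logs, counting findings per extension name gives the per-extension share of crashes that the NoUserPolicy/NoMachinePolicy test is trying to establish.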