lsass.exe, failed with status code c0000417 on DISA STIG'd Server Resulting from "EnPasFltV2" Password Filter

If you're working with a Windows Server 2012/2012 R2 server that has had DISA Security Technical Implementation Guide (STIG) mitigations implemented and attempting to promote that server to a domain controller, you will very likely encounter an error that forces the server to reboot automatically.

If you see "A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000417" in your System log, it has been my experience that the password filter required by STIG ID: WN12-GE-000009 (Rule ID: SV-52104r1_rule, Vuln ID: V-1131) is the cause.

Crucial Step: To successfully provision a pre-STIG'd image as a domain controller, this password filter must be temporarily disabled.

To Disable the Password Filter:

  1. Open the Registry Editor (regedit.exe).
  2. Navigate to: HKLM\System\CurrentControlSet\Control\LSA
  3. Locate the Notification Packages value.
  4. Remove EnPasFltV2x86 and/or EnPasFltV2x64 from the list.
  5. Restart the server.

In a related note, very little documentation is available about the compatibility of "EnPasFltV2" with Windows Server 2012 R2. Do not assume that this password filter module is stable or compatible just because it is a STIG requirement. Using it alongside other tools, such as Microsoft LAPS, has been known to cause similar LSASS termination loops.

Reference: For more on password filter development and LSA notification packages, see the Microsoft Developer Documentation.

Labels: , , , , , ,

Author’s Note: This article reflects my personal professional experience and opinions. While my insights are informed by my professional history, these views are my own and do not represent the official position of my former employer.

About the Author: Jacob Marks is an engineering leader with over 20 years of experience, including a decade at Amazon Web Services (AWS) where he led teams in EC2 Core Platform and the development of the AWS Payment Cryptography service.

Labels

.NET .NET 10 .NET 3.5 Active Directory AD DS Adoption AI AI coding AI Ethics AI Hype Alerts Amazon Cognito Amazon DLM Amazon Q Anthropic AppDomain Architecture Artificial Intelligence Asia Pacific Sydney ASP.net ASPxGridView Audit Readiness Auto Recovery Automation AWS AWS Certified AWS Lambda AWS Payment Cryptography AWS SDK AWS Security Specialty Azure Azure DevOps Server Backup BIG-IP C# Career Growth Cartes Bancaires CB Certificate Bundle Certification Claude Cloud Cloud Certification Cloud Hosting Cloud Security CloudWatch CLR Content Query Cost Optimization Credentials CyberChef Database Defense Industry Deloitte Developer Tools Developers DevEx DevExpress DevOps DISA Disk Space DISM Distributed Systems DoD DoD CC SRG DUKPT EBS EC2 Engineering Engineering Leadership Engineering Management EnPasFltV2 Enterprise Event Receiver Exam F5 Federal IT FedRAMP Fintech FISMA GAC Generative AI GitHub gMSA GovCloud Government Compliance GridView Hardware Security Modules HSM IAM Identity Management IIS Infra Infrastructure as Code IT Tools Jacob Marks JavaScript jQuery Lambda Leadership Linqpad LLM lsass.exe LTM Memory Optimization Mentorship Microsoft Migration Multi-Region Keys NACL Native AOT Network Architecture Networking NIST ODBC Open Source Payment Cryptography Payments PCI Compliance Performance Platform Platform Architecture Power Tools PowerShell Python re:Invent Reachability Analyzer Redshift Relationships List Replace Root Volume SAA-C00 SAP-C00 Security Security Group Serverless SES SharePoint SharePoint 2010 Site Reliability SMTP Snapshot Software Engineering Solutions Architect Solutions Architect Professional SP 2007 SPAWAR SSL STIG Storage Strategy Sydney SysAdmin Team Foundation Server Team Utilities Tech Industry Technical Depth Technology TFS Tools Troubleshooting Upgrade Visual Studio VPC VPC Flow Logs Web Development WebPart WinDirStat Windows Server Windows Server 2025 WinForms