WAS service unable to start with the error 'the data is invalid'

Published Jul 04 2021 10:20 PM 946 Views
Microsoft

We had an issue where WAS service was unable to start with  error data is invalid

 

ashfana_4-1625459443840.png

 

 

We checked the procmon and we could see that Service is trying to read the apphost.config file and nothing happens after that

 

 

4:45:05.6132558 PM  svchost.exe      31736  41848  QueryAttributeInformationVolume            C:\Windows\System32\inetsrv\config\applicationHost.config          SUCCESS            FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, Transactions, 0x3c00600, MaximumComponentNameLength: 255, FileSystemName: NTFS     NT AUTHORITY\SYSTEM         0

4:45:05.6133179 PM  svchost.exe      31736  41848  QueryRemoteProtocolInformation            C:\Windows\System32\inetsrv\config\applicationHost.config          INVALID PARAMETER             NT AUTHORITY\SYSTEM  0

4:45:05.6133488 PM  svchost.exe      31736  41848  QuerySecurityFile            C:\Windows\System32\inetsrv\config\applicationHost.config          SUCCESS          Information: Attribute          NT AUTHORITY\SYSTEM         0

4:45:05.6135904 PM  svchost.exe      31736  41848  ReadFile            C:\Windows\System32\inetsrv\config\applicationHost.config          SUCCESS          Offset: 0, Length: 131,072, Priority: Normal       NT AUTHORITY\SYSTEM         0

4:45:05.6137492 PM  svchost.exe      31736  41848  ReadFile            C:\Windows\System32\inetsrv\config\applicationHost.config          SUCCESS          Offset: 131,072, Length: 95,532            NT AUTHORITY\SYSTEM         0

4:45:05.6140994 PM  svchost.exe      31736  41848  CloseFile            C:\Windows\System32\inetsrv\config\applicationHost.config          SUCCESS                      NT AUTHORITY\SYSTEM  0

 

We checked the apphost.config file and understood that we had a null parameter getting added which corrupts the apphost.config file… removing that lines resolved the issue .

 

ashfana_5-1625459477954.png

 

C:\WINDOWS\system32>net start WAS

The Windows Process Activation Service service is starting.

The Windows Process Activation Service service could not be started.

 A system error has occurred.

 System error 13 has occurred.

 The data is invalid.

 

Removing the last line “null” from the same apphost.config I was able to start the WAS service

 

C:\WINDOWS\system32>net start WAS

The Windows Process Activation Service service is starting.

The Windows Process Activation Service service was started successfully.

 

 

so someone/some process is corrupting the apphost by passing null parameter

 possible causes which I can think of:

  • if apphost is on shared config or network share there can be disk corruption leading to this kind of issue
  • i have also seen some scenarios like this when the disk gets corrupted, memory level corruptions etc can lead to config file corruption
  • some scanning software /AV scanning the config folder corrupts it

 

in order to find the actual case ,

  • we need procmon with filter set to apphost.config path to see who is touching those files
  • and file level auditing for config folder
  • ensure AV is not scanning IIS files/config files
%3CLINGO-SUB%20id%3D%22lingo-sub-2515007%22%20slang%3D%22en-US%22%3EWAS%20service%20unable%20to%20start%20with%20the%20error%20'the%20data%20is%20invalid'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2515007%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20had%20an%20issue%20where%20WAS%20service%20was%20unable%20to%20start%20with%26nbsp%3B%20error%20data%20is%20invalid%3C%2FP%3E%0A%3CDIV%20id%3D%22lia-teaserTinyMceEditorashfana_2%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ashfana_4-1625459443840.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293432iC6736592337AB9F9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22ashfana_4-1625459443840.png%22%20alt%3D%22ashfana_4-1625459443840.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20checked%20the%20procmon%20and%20we%20could%20see%20that%20Service%20is%20trying%20to%20read%20the%20apphost.config%20file%20and%20nothing%20happens%20after%20that%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E4%3A45%3A05.6132558%20PM%26nbsp%3B%20svchost.exe%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2031736%26nbsp%3B%2041848%26nbsp%3B%20QueryAttributeInformationVolume%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20C%3A%5CWindows%5CSystem32%5Cinetsrv%5Cconfig%5CapplicationHost.config%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SUCCESS%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20FileSystemAttributes%3A%20Case%20Preserved%2C%20Case%20Sensitive%2C%20Unicode%2C%20ACLs%2C%20Compression%2C%20Named%20Streams%2C%20EFS%2C%20Object%20IDs%2C%20Reparse%20Points%2C%20Sparse%20Files%2C%20Quotas%2C%20Transactions%2C%200x3c00600%2C%20MaximumComponentNameLength%3A%20255%2C%20FileSystemName%3A%20NTFS%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20NT%20AUTHORITY%5CSYSTEM%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%3C%2FP%3E%0A%3CP%3E4%3A45%3A05.6133179%20PM%26nbsp%3B%20svchost.exe%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2031736%26nbsp%3B%2041848%26nbsp%3B%20QueryRemoteProtocolInformation%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20C%3A%5CWindows%5CSystem32%5Cinetsrv%5Cconfig%5CapplicationHost.config%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20INVALID%20PARAMETER%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20NT%20AUTHORITY%5CSYSTEM%26nbsp%3B%200%3C%2FP%3E%0A%3CP%3E4%3A45%3A05.6133488%20PM%26nbsp%3B%20svchost.exe%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2031736%26nbsp%3B%2041848%26nbsp%3B%20QuerySecurityFile%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20C%3A%5CWindows%5CSystem32%5Cinetsrv%5Cconfig%5CapplicationHost.config%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SUCCESS%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Information%3A%20Attribute%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20NT%20AUTHORITY%5CSYSTEM%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%3C%2FP%3E%0A%3CP%3E4%3A45%3A05.6135904%20PM%26nbsp%3B%20svchost.exe%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2031736%26nbsp%3B%2041848%26nbsp%3B%20ReadFile%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20C%3A%5CWindows%5CSystem32%5Cinetsrv%5Cconfig%5CapplicationHost.config%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SUCCESS%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Offset%3A%200%2C%20Length%3A%20131%2C072%2C%20Priority%3A%20Normal%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20NT%20AUTHORITY%5CSYSTEM%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%3C%2FP%3E%0A%3CP%3E4%3A45%3A05.6137492%20PM%26nbsp%3B%20svchost.exe%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2031736%26nbsp%3B%2041848%26nbsp%3B%20ReadFile%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20C%3A%5CWindows%5CSystem32%5Cinetsrv%5Cconfig%5CapplicationHost.config%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SUCCESS%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Offset%3A%20131%2C072%2C%20Length%3A%2095%2C532%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20NT%20AUTHORITY%5CSYSTEM%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%3C%2FP%3E%0A%3CP%3E4%3A45%3A05.6140994%20PM%26nbsp%3B%20svchost.exe%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2031736%26nbsp%3B%2041848%26nbsp%3B%20CloseFile%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20C%3A%5CWindows%5CSystem32%5Cinetsrv%5Cconfig%5CapplicationHost.config%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SUCCESS%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20NT%20AUTHORITY%5CSYSTEM%26nbsp%3B%200%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20checked%20the%20apphost.config%20file%20and%20understood%20that%20we%20had%20a%20null%20parameter%20getting%20added%20which%20corrupts%20the%20apphost.config%20file%E2%80%A6%20removing%20that%20lines%20resolved%20the%20issue%20.%3C%2FP%3E%0A%3CDIV%20id%3D%22lia-teaserTinyMceEditorashfana_3%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ashfana_5-1625459477954.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293433iF15543CC312F9B04%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22ashfana_5-1625459477954.png%22%20alt%3D%22ashfana_5-1625459477954.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EC%3A%5CWINDOWS%5Csystem32%26gt%3Bnet%20start%20WAS%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20Windows%20Process%20Activation%20Service%20service%20is%20starting.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20Windows%20Process%20Activation%20Service%20service%20could%20not%20be%20started.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3BA%20system%20error%20has%20occurred.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3BSystem%20error%2013%20has%20occurred.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3BThe%20data%20is%20invalid.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERemoving%20the%20last%20line%20%E2%80%9Cnull%E2%80%9D%20from%20the%20same%20apphost.config%20I%20was%20able%20to%20start%20the%20WAS%20service%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EC%3A%5CWINDOWS%5Csystem32%26gt%3Bnet%20start%20WAS%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20Windows%20Process%20Activation%20Service%20service%20is%20starting.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20Windows%20Process%20Activation%20Service%20service%20was%20started%20successfully.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eso%20someone%2Fsome%20process%20is%20corrupting%20the%20apphost%20by%20passing%20null%20parameter%3C%2FP%3E%0A%3CP%3E%26nbsp%3Bpossible%20causes%20which%20I%20can%20think%20of%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Eif%20apphost%20is%20on%20shared%20config%20or%20network%20share%20there%20can%20be%20disk%20corruption%20leading%20to%20this%20kind%20of%20issue%3C%2FLI%3E%0A%3CLI%3Ei%20have%20also%20seen%20some%20scenarios%20like%20this%20when%20the%20disk%20gets%20corrupted%2C%20memory%20level%20corruptions%20etc%20can%20lead%20to%20config%20file%20corruption%3C%2FLI%3E%0A%3CLI%3Esome%20scanning%20software%20%2FAV%20scanning%20the%20config%20folder%20corrupts%20it%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3Ein%20order%20to%20find%20the%20actual%20case%20%2C%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Ewe%20need%20procmon%20with%20filter%20set%20to%20apphost.config%20path%20to%20see%20who%20is%20touching%20those%20files%3C%2FLI%3E%0A%3CLI%3Eand%20file%20level%20auditing%20for%20config%20folder%3C%2FLI%3E%0A%3CLI%3Eensure%20AV%20is%20not%20scanning%20IIS%20files%2Fconfig%20files%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Jul 04 2021 10:20 PM
Updated by: