One of my hosted lab environments ran into a series of issues, and after unplanned maintenance there were multiple problems to resolve. The below error with a faulting ntdll.dll module was something I recall seeing many years ago with a Microsoft Operations Manager (MOM) deployment where the MOM agent simply would not start. On every single attempt to start the service it would crash with the error below.
In this case the same symptoms are present, the difference being that it is the Microsoft Defender for Identity sensor service which is having an issue. The same EventID 1000 was logged stating that the faulting module was ntdll.dll – this is shown below.
The contents of the EventID are included below for the search engines.
Log Name: Application
Source: Application Error
Date: 2/7/2021 6:12:30 PM
Event ID: 1000
Task Category: (100)
Faulting application name: Microsoft.Tri.Sensor.exe, version: 2.139.13882.52407, time stamp: 0xb84ce010
Faulting module name: ntdll.dll, version: 6.3.9600.19678, time stamp: 0x5e82c88a
Exception code: 0xc00000fd
Fault offset: 0x0000000000053a10
Faulting process id: 0xe60
Faulting application start time: 0x01d6fdbe6b084ea3
Faulting application path: C:\Program Files\Azure Advanced Threat Protection Sensor\2.139.13882.52407\Microsoft.Tri.Sensor.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
To resolve this issue we need to address underlying issues with the integrity of the OS. In short:
- Chkdsk to verify the file system
- Clean up the servicing store
- Verify the integrity of the system files
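The three steps above as one elevated PowerShell run. This is an added example, not part of the original post: it first confirms the Event ID 1000 pattern shown earlier, then runs the checks in order. The exact switches (`/scan`, `/StartComponentCleanup`, `/RestoreHealth`, `/scannow`) and the helper name `Invoke-RepairStep` are assumptions, since the post names the steps but not the commands.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. The switches used for each step are
# assumptions: the post lists the steps but not the exact commands.

# Confirm the symptom: Event ID 1000 entries where the sensor faulted in ntdll.dll.
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Microsoft\.Tri\.Sensor\.exe' -and
                   $_.Message -match 'ntdll\.dll' })
Write-Host ("{0} matching crash event(s)" -f $crashes.Count)
$crashes | Select-Object -First 5 TimeCreated,
    @{ n = 'ExceptionCode'
       e = { if ($_.Message -match 'Exception code: (0x[0-9a-fA-F]+)') { $Matches[1] } } }

# Hypothetical helper: run one native tool, wait for it, and record its exit code.
function Invoke-RepairStep {
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    Write-Host "== $Name =="
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments `
                       -Wait -NoNewWindow -PassThru
    [pscustomobject]@{ Step = $Name; ExitCode = $p.ExitCode }
}

$results = @(
    # 1. Chkdsk to verify the file system (online scan of the system volume)
    Invoke-RepairStep 'Verify file system' 'chkdsk.exe' @($env:SystemDrive, '/scan')
    # 2. Clean up the servicing store, then repair any corruption found in it
    Invoke-RepairStep 'Clean up servicing store' 'Dism.exe' `
        @('/Online', '/Cleanup-Image', '/StartComponentCleanup')
    Invoke-RepairStep 'Repair servicing store' 'Dism.exe' `
        @('/Online', '/Cleanup-Image', '/RestoreHealth')
    # 3. Verify the integrity of the system files
    Invoke-RepairStep 'Verify system files' 'sfc.exe' @('/scannow')
)
$results | Format-Table -AutoSize

# Find the sensor service by the binary named in the event, then start it again.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*Microsoft.Tri.Sensor.exe*' }
if ($svc) {
    Restart-Service -Name $svc.Name
    Get-Service -Name $svc.Name
}
```

A non-zero exit code from any step means that tool reported a problem; review its output (and `CBS.log` for DISM and SFC) before restarting the sensor.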
In the below screenshot you can see that the OS had experienced some issues and repair was required.
A verbose write up of each of these steps is in this post: