ISA Error 14075


One of these days, I received a call stating that the Firewall service at one of the customers had gone down. The server is running Windows 2003 SP2 with ISA 2006 SP1.
Also installed on the same server is SurfControl. How did it start? Well, one of the administrators restarted the service!

Event ID: 14057.
The source is Microsoft Firewall.
Description:
The firewall services stopped because an application filter module C:\windows\system32\alockout.dll generated an exception code c00000005 in address 710DBE2C when function complexAsyncIO was called. To remove recently installed application filters and restart the service.

Well, I was not so sure whether SurfControl needed to implement alockout.dll; I was pretty sure that it would not. So I asked the site admin to figure out whether any changes were made... none to his knowledge.

The administrator had restored from a backup, complete system state. No way to audit who had installed them, no forensic evidence there (not a good practice to be followed). Asked the administrator to rename it back to alockout.dll; once done, asked to run regsvr32 /u alockout.dll. It said that the file failed to register. It was fine as long as we could find the registry entry.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs

Deleted the AppInit entry and asked to delete the file. ISA seems to be working.
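
The following is an added example, not part of the original post: a PowerShell script that records every DLL listed under AppInit_DLLs (path, timestamps, SHA-256, signature status) so that evidence exists before the value and the file are deleted. It assumes PowerShell 2.0 or later is available on the server and that bare file names in the value resolve to the system directory shown next to each key.

```powershell
# Added example: inventory AppInit_DLLs entries before removing them.
# Assumptions: PowerShell 2.0+, elevated prompt; bare names resolve to Dir below.
$targets = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = "$env:SystemRoot\System32" },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = "$env:SystemRoot\SysWOW64" }   # only present on 64-bit Windows
)

function Get-Sha256([string]$Path) {
    # .NET hashing is used so the script also works where Get-FileHash is missing
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

$report = foreach ($t in $targets) {
    if (-not (Test-Path $t.Key)) { continue }
    $props = Get-ItemProperty -Path $t.Key
    # AppInit_DLLs is a space- or comma-delimited list of DLL names
    $entries = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
    foreach ($entry in $entries) {
        $path = $entry
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $t.Dir $entry
        }
        $row = New-Object PSObject -Property @{
            Key = $t.Key; Entry = $entry; Path = $path
            Exists = (Test-Path -LiteralPath $path)
            Created = $null; Modified = $null; SHA256 = $null; Signature = $null
        }
        if ($row.Exists) {
            $file = Get-Item -LiteralPath $path
            $row.Created   = $file.CreationTimeUtc
            $row.Modified  = $file.LastWriteTimeUtc
            $row.SHA256    = Get-Sha256 $path
            $row.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        $row
    }
}

# Keep this output with the incident notes, then clean up the value and the file.
$report | Format-List Key, Entry, Path, Exists, Created, Modified, SHA256, Signature
```

An entry whose file is unsigned, missing, or created shortly before the service failure is the one to copy off the server before deleting it.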