This article is contributed. See the original author and article here.

We had an issue where WAS service was unable to start with  error data is invalid


 

ashfana_4-1625459443840.png


 


 


We checked the procmon and we could see that Service is trying to read the apphost.config file and nothing happens after that


 


 


4:45:05.6132558 PM  svchost.exe      31736  41848  QueryAttributeInformationVolume            C:WindowsSystem32inetsrvconfigapplicationHost.config          SUCCESS            FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, Transactions, 0x3c00600, MaximumComponentNameLength: 255, FileSystemName: NTFS     NT AUTHORITYSYSTEM         0


4:45:05.6133179 PM  svchost.exe      31736  41848  QueryRemoteProtocolInformation            C:WindowsSystem32inetsrvconfigapplicationHost.config          INVALID PARAMETER             NT AUTHORITYSYSTEM  0


4:45:05.6133488 PM  svchost.exe      31736  41848  QuerySecurityFile            C:WindowsSystem32inetsrvconfigapplicationHost.config          SUCCESS          Information: Attribute          NT AUTHORITYSYSTEM         0


4:45:05.6135904 PM  svchost.exe      31736  41848  ReadFile            C:WindowsSystem32inetsrvconfigapplicationHost.config          SUCCESS          Offset: 0, Length: 131,072, Priority: Normal       NT AUTHORITYSYSTEM         0


4:45:05.6137492 PM  svchost.exe      31736  41848  ReadFile            C:WindowsSystem32inetsrvconfigapplicationHost.config          SUCCESS          Offset: 131,072, Length: 95,532            NT AUTHORITYSYSTEM         0


4:45:05.6140994 PM  svchost.exe      31736  41848  CloseFile            C:WindowsSystem32inetsrvconfigapplicationHost.config          SUCCESS                      NT AUTHORITYSYSTEM  0


 


We checked the apphost.config file and understood that we had a null parameter getting added which corrupts the apphost.config file… removing that lines resolved the issue .


 

ashfana_5-1625459477954.png


 


C:WINDOWSsystem32>net start WAS


The Windows Process Activation Service service is starting.


The Windows Process Activation Service service could not be started.


 A system error has occurred.


 System error 13 has occurred.


 The data is invalid.


 


Removing the last line “null” from the same apphost.config I was able to start the WAS service


 


C:WINDOWSsystem32>net start WAS


The Windows Process Activation Service service is starting.


The Windows Process Activation Service service was started successfully.


 


 


so someone/some process is corrupting the apphost by passing null parameter


 possible causes which I can think of:



  • if apphost is on shared config or network share there can be disk corruption leading to this kind of issue

  • i have also seen some scenarios like this when the disk gets corrupted, memory level corruptions etc can lead to config file corruption

  • some scanning software /AV scanning the config folder corrupts it


 


in order to find the actual case ,



  • we need procmon with filter set to apphost.config path to see who is touching those files

  • and file level auditing for config folder

  • ensure AV is not scanning IIS files/config files

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.