Home
  •  

Worker process serving the application pool is no longer trusted by WAS

Microsoft.Windows.InternetInformationServices.10.0.Worker.process.serving.the.application.pool.is.no.longer.trusted.by.WAS (Rule)

Knowledge Base article:

Summary

Web sites and Web applications depend on the availability of Internet Information Services (IIS) application pools. IIS application pools in turn depend on the Windows Process Activation Service (WAS). If WAS is not running or errors occur during the startup or shutdown of an application pool, Web sites and Web applications may not be available.

Resolutions

Check an untrusted worker process

A worker process has sent some data to the Windows Process Activation Service (WAS) that was not expected. User code may be trying to engage in malicious activity in the worker process and may have taken over the communication pipe. For example, user code may be sending a second process ID to WAS for the worker process, or be sending performance counter numbers that are not in the right form. This could be an attempt to create a buffer overrun in WAS.

To resolve this issue, examine the worker process to see whether it contains suspect user code. Check the loaded modules. If ISAPI or third-party modules are running, contact the vendor of the modules for more information.

Element properties:

TargetMicrosoft.Windows.InternetInformationServices.10.0.ApplicationPool
CategoryAlert
EnabledTrue
Alert GenerateFalse
RemotableTrue

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.Server.IIS.10.0.WarningAndErrorEventProvider Default
Filter ConditionDetection Microsoft.Windows.InternetInformationServices.10.0.ApplicationPool.EventFilter Default
WA WriteAction Microsoft.Windows.Server.IIS.10.0.GenerateAlertAction.SuppressedByDescription Default

Source Code:

<Rule ID="Microsoft.Windows.InternetInformationServices.10.0.Worker.process.serving.the.application.pool.is.no.longer.trusted.by.WAS" Enabled="true" Target="Microsoft.Windows.InternetInformationServices.10.0.ApplicationPool" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Alert</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Microsoft.Windows.Server.IIS.10.0.WarningAndErrorEventProvider">

      <LogName>System</LogName>

    </DataSource>

  </DataSources>

  <ConditionDetection ID="Filter" TypeID="Microsoft.Windows.InternetInformationServices.10.0.ApplicationPool.EventFilter">

    <Expression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>5127</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">Microsoft-Windows-WAS</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </Expression>

  </ConditionDetection>

  <WriteActions>

    <WriteAction ID="WA" TypeID="Microsoft.Windows.Server.IIS.10.0.GenerateAlertAction.SuppressedByDescription">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Windows.InternetInformationServices.10.0.Worker.process.serving.the.application.pool.is.no.longer.trusted.by.WAS.AlertMessage"]$</AlertMessageId>

    </WriteAction>

  </WriteActions>

</Rule>