Web sites and Web applications depend on the availability of Internet Information Services (IIS) application pools. IIS application pools in turn depend on the Windows Process Activation Service (WAS). If WAS is not running or errors occur during the startup or shutdown of an application pool, Web sites and Web applications may not be available.
Check an untrusted worker process
A worker process has sent some data to the Windows Process Activation Service (WAS) that was not expected. User code may be trying to engage in malicious activity in the worker process and may have taken over the communication pipe. For example, user code may be sending a second process ID to WAS for the worker process, or be sending performance counter numbers that are not in the right form. This could be an attempt to create a buffer overrun in WAS.
To resolve this issue, examine the worker process to see whether it contains suspect user code. Check the loaded modules. If ISAPI or third-party modules are running, contact the vendor of the modules for more information.
Target | Microsoft.Windows.InternetInformationServices.10.0.ApplicationPool |
Category | Alert |
Enabled | True |
Alert Generate | False |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.Server.IIS.10.0.WarningAndErrorEventProvider | Default |
Filter | ConditionDetection | Microsoft.Windows.InternetInformationServices.10.0.ApplicationPool.EventFilter | Default |
WA | WriteAction | Microsoft.Windows.Server.IIS.10.0.GenerateAlertAction.SuppressedByDescription | Default |
<Rule ID="Microsoft.Windows.InternetInformationServices.10.0.Worker.process.serving.the.application.pool.is.no.longer.trusted.by.WAS" Enabled="true" Target="Microsoft.Windows.InternetInformationServices.10.0.ApplicationPool" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="DS" TypeID="Microsoft.Windows.Server.IIS.10.0.WarningAndErrorEventProvider">
<LogName>System</LogName>
</DataSource>
</DataSources>
<ConditionDetection ID="Filter" TypeID="Microsoft.Windows.InternetInformationServices.10.0.ApplicationPool.EventFilter">
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>5127</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-WAS</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</ConditionDetection>
<WriteActions>
<WriteAction ID="WA" TypeID="Microsoft.Windows.Server.IIS.10.0.GenerateAlertAction.SuppressedByDescription">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.InternetInformationServices.10.0.Worker.process.serving.the.application.pool.is.no.longer.trusted.by.WAS.AlertMessage"]$</AlertMessageId>
</WriteAction>
</WriteActions>
</Rule>