Category: IIS

IIS logs 500.19 if a client drops connection while loading the website

Ned Leave a comment

HTTP status and sub-status codes provide valuable information about the issues users come across. One of the code pairs is 500.19 which means “Configuration data is invalid“. However, IIS may show this pair incorrectly if a user drops connection before the browser loads the website completely.

The error message from the Failed Request Tracing log is below. Please note that this error appears during the execution of the Dynamic Compression module.

HttpStatus: 500

HttpReason: Internal Server Error

HttpSubStatus: 19

ErrorCode: An operation was attempted on a non existent network connection (0x800704cd)

What happens when a client drops connection
Error log when the client drops connection

Steps to reproduce this issue:

  • The client goes to the URL
  • The page starts loading
  • The client drops the connection before the page is fully loaded (disconnects the wireless or turn off the device)

For a scenario in which 500.19 error appear because of an invalid configuration data, check this post out.

What happens if the user drops connection?

The expected behavior for IIS to log one of these code pairs: 200.0.995, 200.0.64, 206.0.995 or 206.0.64 (The last part of the codes is sc_win32_status. It is 64 or 995 in these pairs). However, in this case, IIS logs 500.19.64. clearly:

2019-01-17 02:06:34 W3SVC535435 web32 192.168.1.150 GET /address/ - 80 - 200.10.110.10 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:29.0) +Gecko/20120101+Firefox/29.0 - domain.com 500 19 64 678298 200 411

In the record above, the size of the data loaded is 678298 bytes. The page size is about 1 MB. It means that the user dropped the connection after the browser loaded about 70% of the data.

In addition to IIS logs, it is a good idea to check HTTPERR logs as well. IIS saves logs for the activities happened in kernel-mode. In this case, HTTPERR file shows “Connection_Dropped”. However, this could be misleading because if there is a record in IIS logs, HTTPERR should have a record for that request. Pay extra attention to see if the timestamp matches the date/time of the issue. Read the next section for details.

2019-01-17 06:48:55 15.45.65.25 36971 192.168.1.150 443 HTTP/1.1 POST /index.html - 400 51 Connection_Dropped hsn-core+ASP.NET+Core

“Zombie” connections

I would like to open a parenthesis before going forward with the issue details and the solution. There is a very similar scenario to the issue I mentioned above (The client drops connection while page is loading). Microsoft well documented this scenario.

When a client drops the connection before getting the full response, this connection is called a “zombie connection”. IIS (more specifically, HTTP.SYS) doesn’t drop these connections right away. It waits for the timeout value (120 seconds by default). If the response is still not completed, It drops the connection. In this case, It is expected to see a 500 error along with the 64 code in sc_win32_status column.

The Http.sys driver adds the “zombie connection” to a list. Because the original connection object is still available, the original connection object information can be included in the logging information when the request is completed. If the response is completed before the time-out value that is used by the Http.sys driver is reached, no information is logged in the Httperr.log file. Instead, the status code is logged in the IIS log. For example, an “HTTP 200-OK” status code is logged in the IIS log when the request succeeds.

Microsoft Support

Solution for the incorrect 500.19 logs

It is a bug in the Dynamic Compression module. This module throws 500 error for any failure. I am hoping that a patch is developed to address this issue soon.

If the incorrect logs are causing serious issues, you can disable Dynamic Compression so that IIS logs accurate error codes. However, please note that disabling Dynamic Compression increases the bandwidth usage and response times.

If you are receiving “Internal Server Error” in your WordPress blog, here is the solution.

Fixed ERROR_INTERNET_SEC_CERT_REVOKED

Ned Leave a comment

Users and servers communicate via unencrypted messages unless the website owners use SSL certificates. A valid SSL certificate ensures that communication is secure. Therefore, someone who intercepts packages in the network cannot read the data. Certificates are useful and easy to configure most of the time. However, in some cases, the connection may become unprotected and you may see the error message ERROR_INTERNET_SEC_CERT_REVOKED or ERR_CERT_REVOKED.

I came across “certificate has been revoked” message in a website hosted at GoDaddy. Everything was fine and SSL certificate was valid. One day, I visited the site and saw this annoying warning page in Chrome and Edge.

ERROR_INTERNET_SEC_CERT_REVOKED in Microsoft Edge

Here is the full error message Microsoft Edge browser displays when the website has a revoked certificate:

This site is not secure

This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

This website’s security certificate has been revoked, so you can’t go there at this time.

Error Code: ERROR_INTERNET_SEC_CERT_REVOKED


ERROR_INTERNET_SEC_CERT_REVOKED error in Edge

ERR_CERT_REVOKED error in Google Chrome

Chrome displays a slightly different error message but it mentiones the same problem: A revoked certificate.

Your connection is not private

Attackers might be trying to steal your information from domain.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_REVOKED

ERR_CERT_REVOKED and ERROR_INTERNET_SEC_CERT_REVOKED

If you see ” Your connection to this site is not fully secure” message in your browser’s URL bar, check this post out.

Internet Explorer and Mozilla Firefox show similar warning pages as well. Let’s see why this issue happens and how to fix it.

The root cause of the “certificate has been revoked” error

When a browser accesses to a website that uses SSL certificate, it needs to check if the certificate is valid. There are two ways of checking the validation of an SSL certificate:

  • Using Certificate Revocation Lists (CRLs). The browser downloads a list of all the certificates that were revoked from . If the website you are visiting in this list, you receive a warning.
  • Query by using Online Certificate Status Protocol (QCSP). The browser queries the certificate of the website you visit. It is faster and more popular. Many browsers give this method priority.

If the website’s certificate appears in a CRL or QCSP query returns “invalid” message, then the browser display ERROR_INTERNET_SEC_CERT_REVOKED or ERR_CERT_REVOKED message. It doesn’t always mean that the certificate is revoked. The reason behind might be a network or DNS issue that is preventing your computer to access to the CRL list providers.

How to fix revoked certificate issues on client side?

You can explicitly configure your browser not to check certificate revocation. This solves the issue on that client but as you guess, the issue will remain for other clients.

In order to disable certificate revocation check for Internet Explorer, follow the steps below.

  1. Open Internet Explorer
  2. In the Tools menu, select Internet Options
  3. Go to the Advanced tab. Scroll down to the Security section
  4. Uncheck Check for server certificate revocation option
  5. Click OK
Certificate revocation setting in Internet Explorer for ERROR_INTERNET_SEC_CERT_REVOKED error

For other browsers, there are similar settings. For example, in Firefox, you can force the usage of OCSP for checking certificate revocation value.

OCSP setting in Firefox

After changing these settings, remove the CRL and OCSP caches by runing the commands below in the Command Prompt (Source):

certutil -urlcache CRL delete
certutil -urlcache OCSP delete

How to fix revoked certificate issues on server side?

It is the best idea to fix certificate revocation issues in your server or hosting provider. Start with making sure of the validity of the certificate. SSL Checker is one of the popular tools to view SSL certificate details.

Compare the certificate serial number and expiration date with the data of the certificate you installed in your web server or hosting control panel. In many cases, I saw that the server uses an old or invalid certificate.

If you are working with a hosting provider, it is possible that you didn’t install the certificate for that particular website. Even if you have a UCC certificate that covers your entire hosting plan, you may still need to install SSL certificate for each of the websites you want to protect. If you are working with GoDaddy, use this article to do this installation.

Do you see “TLS fatal error code 20” code? Here is how to fix it.

0xc0000005 exception code causes w3wp.exe crashes

Ned Leave a comment

Microsoft IIS (Internet Information Server) uses worker processes to handle requests coming from clients. Worker process is actually an instance of the w3wp.exe file. If w3wp.exe crashes, It means your users won’t get service for a short time until the process starts up again. Exception codes 0xc0000005 and 0xe0434352 are some of the most common causes of w3wp.exe crashes. Let’s see what you can do if you see these exception codes in Event Viewer.

Here are the exception descriptions from Event Viewer. Pay attention to the “Faulting module name” values. It may point out the root cause right away.

Event ID: 4096

An unhandled win32 exception occurred in w3wp.exe [3080]. Just-In-Time debugging this exception failed with the following error: Debugger could not be started because no user is logged on.

Check the documentation index for ‘Just-in-time debugging, errors’ for more information.

Event ID: 1000

Faulting application name: w3wp.exe, version: 10.0.14393.0, time stamp: 0x57899b8a

Faulting module name: KERNELBASE.dll, version: 10.0.14393.2608, time stamp: 0x5bd1340d

Exception code: 0xe0434352

Event ID: 1000

Faulting application name: w3wp.exe, version: 10.0.14393.0, time stamp: 0x57899b8a

Faulting module name: OraOps12.dll, version: 2.121.1.0, time stamp: 0x52002676

Exception code: 0xc0000005

w3wp.exe crashes with exception code 0xc0000005

Solution for 0xc0000005 and 0xe0434352 exceptions

Looking at the logs above, we see two exception codes which give clues about the root cause:

  • Exception code 0xc0000005: This error code translates into ERROR_ACCESS_DENIED (Source).
    • The main suspect is the file permissions. Make sure the application pool identity of your application pool has read and write permissions on the website’s folder (Related topic 1, related topic 2).
    • Other suspect is the Antivirus software. Check the Antivirus logs to see if there is any record indicating the file access block. Try temporarily disabling any antivirus software and monitor the system. Additionally, HIPS (intrusion prevention system) may cause this error as well.
    • Look for clues based on the faulting module name. In my case, it is OraOps12.dll which is a part of Oracle Data Access Components (ODAC). Upgrading or repairing the corresponding module may fix the issue.
  • Exception code 0xe0434352: CLR (Common Language Runtime) uses this generic exception code when there is an internal issue in the application. When the application throws System.NullReferenceException or System.ArgumentException error, CLR records exception code 0xe0434352 in the background.
    • It is not straightforward to solve these kind of issues because the root cause is not clear. I would recommend debugging the application in Visual Studio to get more details about the issue. If you don’t have access to the source code, you can use DebugDiag or WinDbg to for further analysis (A related topic).
    • If you are using AppFabric, check out this post for the steps to fix this exception: AppFabric Caching Service crash

Are you seeing the exception code 0xc0000374? Here is the solution: w3wp.exe crashes every 5 minutes with error code 0xc0000374