ElasticSearch Service won't run as Local System

I upgraded my ElasticSearch from 7.3 to 7.5.2 using the MSI, and after the upgrade the ElasticSearch service won't start using the Local System account. I can start it from the command line, and if I change the service to use my account in Services, then it will start just fine.

I'm running it on Windows 2012 R2, and it worked fine before the upgrade. I don't get any good info in the logs. In fact, elasticsearch doesn't even create a log. Has anyone else had this issue?

This is what is logged in the Event Viewer:

Faulting application name: elasticsearch.exe, version: 7.5.2.0, time stamp: 0x5e1f1817
Faulting module name: KERNELBASE.dll, version: 6.3.9600.19425, time stamp: 0x5d26b6e9
Exception code: 0xe0434352
Fault offset: 0x000000000000908c
Faulting process id: 0x1574
Faulting application start time: 0x01d5dcfc36dfb244
Faulting application path: F:\elasticsearch-6.2.2\7.5.2\bin\elasticsearch.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 759395a7-48ef-11ea-80c9-005056b67605
Faulting package full name:
Faulting package-relative application ID:

Hi @dshepard - I am suspecting a bug... I did some tests in my own environment and I experienced the same issue with Elasticsearch 7.5.2 (MSI). Can you provide the following to us:

  1. Are there any other events related to Elasticsearch in the Event Viewer? (source = Application Error or .Net Runtime)? If yes, can you provide the event details?

  2. Run the following command: elasticsearch.exe --debug-env and provide the command results.

  3. Can you modify your JAVA_HOME environment variable to point to the bundled JDK folder? For example: C:\Program Files\Elastic\Elasticsearch\7.5.2\jdk. Start the Elasticsearch service. Does this work?

Thank you.
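
The evidence asked for in points 1 and 3 above can be gathered in one pass. This PowerShell is an added example, not part of the original reply or of Elastic's tooling; the seven-day window is an assumption, and the service is located by its binary path rather than by an assumed service name.

```powershell
# Added example: collect crash evidence for elasticsearch.exe from the Application log.
# The provider names are the event sources that appear in this thread.
$providers = 'Application Error', '.NET Runtime', 'Windows Error Reporting'
$since     = (Get-Date).AddDays(-7)   # assumption: the crash happened within the last week

# 1. Which account is the service configured to run as?
#    Matching on the binary path avoids guessing the service name.
Get-CimInstance Win32_Service -Filter "PathName LIKE '%elasticsearch.exe%'" |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-List

# 2. Crash-related events that mention elasticsearch.exe, oldest first.
$events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $providers
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'elasticsearch\.exe' } |
    Sort-Object TimeCreated

$events |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName |
    Format-Table -AutoSize

# 3. Full text of the .NET Runtime entries; these carry the exception type
#    and the managed stack trace.
$events |
    Where-Object ProviderName -eq '.NET Runtime' |
    ForEach-Object { "--- $($_.TimeCreated) ---"; $_.Message }

# 4. JAVA_HOME at both scopes. A service running as LocalSystem does not
#    see the per-user variables of the account you are logged in with.
[pscustomobject]@{
    MachineJavaHome = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')
    UserJavaHome    = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'User')
} | Format-List
```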

I did switch it to use the bundled JDK folder, but it didn't change anything. Initially when I did the upgrade I was getting a different error using JDE 1.8.0_121, but after I switched to the bundled JDK, I started getting these errors.

For now, I switched the services to run as a local user on those servers, which is working fine.

Here's the full set of Events in the Application Log:

Information: Service1
Service Started Successfully.


Error: Application Error
Faulting application name: elasticsearch.exe, version: 7.5.2.0, time stamp: 0x5e1f1817
Faulting module name: KERNELBASE.dll, version: 6.3.9600.19425, time stamp: 0x5d26b6e9
Exception code: 0xe0434352
Fault offset: 0x000000000000908c
Faulting process id: 0x838
Faulting application start time: 0x01d5dc58e0a8f3d2
Faulting application path: F:\ElasticSearch-6.2.2\7.5.2\bin\elasticsearch.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 20d5e974-484c-11ea-80cc-005056b63943
Faulting package full name:
Faulting package-relative application ID:


Info: Windows Error Reporting
Fault bucket , type 0
Event Name: CLR20r3
Response: Not available
Cab Id: 0

Problem signature:
P1: elasticsearch.exe
P2: 7.5.2.0
P3: 5e1f1817
P4: Elastic.ProcessHosts
P5: 1.0.0.0
P6: 5e1f1816
P7: 5b
P8: 24
P9: 4CY0JEX2JKCFD2IPWRSCWFYWSHBZ0QKL
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_elasticsearch.ex_a07a14c56e36fb4d72a69433726b692c05075d5_59bd7216_0ed7aa9b

Analysis symbol:
Rechecking for solution: 0
Report Id: 20d5e974-484c-11ea-80cc-005056b63943
Report Status: 4100
Hashed bucket:


Info: Windows Error Reporting
Fault bucket , type 0
Event Name: CLR20r3
Response: Not available
Cab Id: 0

Problem signature:
P1: elasticsearch.exe
P2: 7.5.2.0
P3: 5e1f1817
P4: Elastic.ProcessHosts
P5: 1.0.0.0
P6: 5e1f1816
P7: 5b
P8: 24
P9: 4CY0JEX2JKCFD2IPWRSCWFYWSHBZ0QKL
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_elasticsearch.ex_a07a14c56e36fb4d72a69433726b692c05075d5_59bd7216_0ed7aa9b

Analysis symbol:
Rechecking for solution: 0
Report Id: 20d5e974-484c-11ea-80cc-005056b63943
Report Status: 0
Hashed bucket:


Error: .NET Runtime
Application: elasticsearch.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: Elastic.ProcessHosts.Process.StartupException
Stack:
at Elastic.ProcessHosts.Process.ProcessBase.HandleException(System.Exception)
at System.Reactive.Observer`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].OnError(System.Exception)
at System.Reactive.Linq.ObservableImpl.AsObservable`1+_[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].OnError(System.Exception)
at System.Reactive.AutoDetachObserver`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].OnErrorCore(System.Exception)
at Elastic.ProcessHosts.Process.ObservableProcess+<>c__DisplayClass22_0.<CreateProcessExitSubscription>b__0(System.Reactive.EventPattern`1<System.Object>)
at System.Reactive.AnonymousSafeObserver`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].OnNext(System.__Canon)
at System.EventHandler.Invoke(System.Object, System.EventArgs)
at System.Diagnostics.Process.RaiseOnExited()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading._ThreadPoolWaitOrTimerCallback.PerformWaitOrTimerCallback(System.Object, Boolean)


There is no file at the C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_elasticsearch.ex_a07a14c56e36fb4d72a69433726b692c05075d5_59bd7216_0ed7aa9b location.

I will try to run the --debug-env command this weekend and post the results.

Thank you @dshepard for the information and feedback provided.

Regarding the following command: elasticsearch.exe --debug-env , please run this in the scenario where you are unable to start the Windows Service.

By default, when you install Elasticsearch as a Windows Service using the MSI, the Windows Service will run under the LocalSystem Account (cf. USELOCALSYSTEM - documentation).

Using the LocalSystem Account (default configuration), can you test the following scenarios:

  • Use a different version of Java (not the bundled JDK): are you able to start the Windows Service?
  • Use the bundled JDK: are you able to start the Windows Service?

Thank you.
