After installing the following updates on Windows Server 2019:
- .NET Framework 4.8 (KB5044089)
- October 2024 Cumulative Update (KB5044277)
- Malicious Software Removal Tool (KB890830)
The OpenSSH SSH Server service fails to start with:
Windows could not start the OpenSSH SSH Service on Local Computer.
Error 1067: The process terminated unexpectedly
First, check the service dependencies:
sc.exe qc sshd
Then examine the OpenSSH logs:
Get-Content C:\ProgramData\ssh\logs\sshd.log -Tail 100 -Wait
Verify file permissions in the OpenSSH directory:
icacls C:\Windows\System32\OpenSSH\*
Solution 1: Reinstall OpenSSH
# Uninstall first
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Reinstall
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Reset permissions
icacls "C:\ProgramData\ssh" /reset
icacls "C:\Windows\System32\OpenSSH" /reset
Solution 2: Check for DLL Conflicts
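# Wait for sshd.exe to launch and write a full memory dump when it hits an unhandled exception
# (Sysinternals ProcDump); the dump can then be inspected for loaded modules
procdump -ma -e -w sshd.exe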
If the basic fixes don't work, we need to dive deeper:
# Enable verbose logging in sshd_config
LogLevel DEBUG3
# Check Windows Event Logs
Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents 50 | Format-List
Create a custom batch file to start sshd manually:
@echo off
cd /d C:\Windows\System32\OpenSSH
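rem -ddd is the maximum debug level; sshd_config lives in %ProgramData%\ssh, not in the binary directory
sshd.exe -ddd -e -f "%ProgramData%\ssh\sshd_config" > debug_log.txt 2>&1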
pause
Verify these registry keys:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\sshd" /v ImagePath
reg query "HKLM\SOFTWARE\OpenSSH"
If you're still stuck, try these nuclear options:
- Create a new test user account and try running the service under that context
- Boot into Safe Mode and attempt to start the service
- Compare system files with a known-good server using:
sfc /scannow
dism /online /cleanup-image /restorehealth
Remember to document any changes you make and always have a backup before modifying system files.
After applying three critical updates on Windows Server 2019 systems:
- KB5044089 (.NET Framework 4.8)
- KB5044277 (October 2024 Cumulative Update)
- KB890830 (Malicious Software Removal Tool)
The OpenSSH service fails to start with Error 1067 "The process terminated unexpectedly". All files in C:\Windows\System32\OpenSSH show modified timestamps matching the update installation time.
# Check service status
Get-Service sshd | Select-Object Name, Status, StartType
# Verify OpenSSH installation
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
# Enable debug logging (add to sshd_config)
LogLevel DEBUG3
Standard troubleshooting attempts that proved ineffective:
- Running Repair-WindowsFeature -Name OpenSSH-Server
- Reinstalling via Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
- Restoring permissions with icacls "C:\Windows\System32\OpenSSH" /reset
The root cause appears to be a permission conflict introduced by the updates. Here's the complete resolution:
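# Stop any hung processes (no error if none are running)
Stop-Process -Name sshd -Force -ErrorAction SilentlyContinue
# Take ownership and reset permissions
takeown /f "C:\Windows\System32\OpenSSH\*" /r /d y
# The grant argument is quoted as one string so PowerShell does not parse (OI)(CI) as expressions
icacls "C:\Windows\System32\OpenSSH" /grant "NT SERVICE\sshd:(OI)(CI)F" /t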
# Repair the installation
dism /online /cleanup-image /restorehealth
sfc /scannow
# Final restart sequence
Restart-Service ssh-agent
Start-Service sshd
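To see what the ACLs actually look like before and after the takeown and icacls steps above, the following added example (not from the original article) lists non-baseline owners and write-capable allow entries under the OpenSSH directories. The function name Get-OpenSshAclFinding, the path list and the trusted-principal baseline are assumptions to adjust for your environment.

```powershell
# Added example: audit owners and write-capable ACEs on the OpenSSH directories.
# $Paths and $Trusted are assumed baselines (English principal names), not values from the article.
function Get-OpenSshAclFinding {
    param(
        [string[]]$Paths   = @('C:\Windows\System32\OpenSSH', 'C:\ProgramData\ssh'),
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               'NT SERVICE\TrustedInstaller')
    )
    # Rights that allow changing binaries, config or keys, plus GENERIC_WRITE/GENERIC_ALL (0x50000000)
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Path not found: $root"
            continue
        }
        # Check the directory itself and everything below it
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName
            if ($acl.Owner -notin $Trusted) {
                [pscustomobject]@{ Path = $item.FullName; Issue = 'Owner'
                                   Identity = $acl.Owner; Rights = '' }
            }
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Allow' -and $id -notin $Trusted -and
                    ([int]$ace.FileSystemRights -band $mask)) {
                    [pscustomobject]@{ Path = $item.FullName; Issue = 'WritableBy'
                                       Identity = $id; Rights = $ace.FileSystemRights }
                }
            }
        }
    }
}

# Run elevated; an empty result means every owner and writer is in the baseline
Get-OpenSshAclFinding | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Running it before the fix records the state the updates left behind; running it afterwards shows the new owner and the full-control entry for NT SERVICE\sshd that the commands above introduce, so both can be reviewed against your baseline.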
For systems where the above doesn't work, consider a clean reinstall:
# Full removal
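# OpenSSH Server is a Windows capability, not a server feature, so remove it as one
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0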
Remove-Item -Path "C:\Windows\System32\OpenSSH" -Recurse -Force
# Fresh install
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
Create a PowerShell watchdog script to ensure service stability:
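# Save as sshd-watchdog.ps1
# Write-EventLog needs a registered event source; register a dedicated one once (requires elevation)
if (-not [System.Diagnostics.EventLog]::SourceExists("sshd-watchdog")) {
    New-EventLog -LogName Application -Source "sshd-watchdog"
}
while ($true) {
    $status = (Get-Service sshd).Status
    if ($status -ne "Running") {
        Write-EventLog -LogName Application -Source "sshd-watchdog" -EntryType Warning -EventId 1001 -Message "SSH service down, restarting"
        Start-Service sshd
    }
    Start-Sleep -Seconds 60
}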
For managing multiple servers, deploy this remediation via Group Policy:
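# Group Policy PowerShell script
# Requires the ActiveDirectory module and PowerShell remoting to the target servers
$servers = Get-ADComputer -Filter {OperatingSystem -like "*Server 2019*"}
Invoke-Command -ComputerName $servers.Name -ScriptBlock {
    takeown /f "C:\Windows\System32\OpenSSH\*" /r /d y
    # Quote the grant argument as one string so PowerShell does not parse (OI)(CI) as expressions
    icacls "C:\Windows\System32\OpenSSH" /grant "NT SERVICE\sshd:(OI)(CI)F" /t
    Restart-Service sshd
}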