Facepalm: IISRESET fails and takes down your entire web server

How to recover from a failed IISRESET

If you are using IISRESET, you know it can fail. 

(check our Reset, Restart and Recycle IIS guide for a much better, zero downtime alternative).

But what you may not know is that when it fails, it often leaves your IIS services in a downed state. Meaning your web server is now permanently down.

You may be using IISRESET as a last resort to fix a website performance issue … but instead you take your entire web server down… Probably not what you intended!

Don’t use IISRESET to fix performance issues … actually fix them instead!

If you are relying on IISRESET to resolve hangs or high CPU, check out our Reset, Restart and Recycle IIS guide for better case-by-case alternatives. 

Then, use LeanSentry to diagnose and actually resolve your performance issues so you don’t have to keep restarting as a bandaid.

IISRESET fails with Access Denied (and leaves IIS stopped)

The most common reason why the command fails to restart IIS services, is the frustrating Access Denied error. This happens even when you are executing IISRESET from an elevated “As Administrator” command line:

IISRESET fails and leaves WAS and W3SVC stopped
IISRESET fails to restart IIS and leaves the WAS and W3SVC services stopped

When this happens, you get this error:

Attempting stop...
Stop attempt failed.

Access denied, you must be an administrator of the remote computer to use this command. Either have your account added to the administrator local group of the remote computer or to the domain administrator global group.

This confusing error is actually due to IISRESET timing out when attempting to stop the Windows Process Activation Service (WAS), which probably happens more than 50% of the time.

This is entirely due to the discrepancy between the IISRESET restart timeout (a short 20 seconds) and the default shutdownTimeLimit for IIS worker processes which is 90 seconds by default. 

So, this happens:

  1. IISRESET tries to stop WAS.
  2. WAS tells all IIS worker processes to stop, and begins to wait up to 90 seconds for each.
  3. Each worker process tries to wait for any executing requests to finish, which may take anywhere from 0 to 90 seconds (because the process will be killed after that).
  4. IISRESET times out waiting for WAS to stop, and tries to kill it.
  5. This throws the “Access Denied” error.
  6. IISRESET reports the error and bails, without trying to restart IIS services!

Seconds later, your WAS and W3SVC services are stopped and your webserver is now down. Any traffic to your website is now getting connection refused:

Site cannot be reached error in Chrome
ERR_CONNECTION_REFUSED in chrome because W3SVC removed your websites bindings when it stopped.

You may attempt a quick fix for that IISRESET command:

IISRESET /TIMEOUT:100

This should do it in 90% of cases, but if WAS does legitimately get hung and fail to stop (we’ve never seen that ourselves, but hey it could happen), you are going to get Access Denied again and the services will be left stopped.

IISRESET NOFORCE is a no-go

We also DON’T recommend the NOFORCE option despite what some Microsoft support content out there suggests, for the same reason … because IISRESET /NOFORCE won’t try to kill the services if they are stuck, and they could get left in a bad state. 

If you use the NOFORCE parameter, you may also get these errors:

There was an error while performing this operation.
The service cannot accept control messages at this time. (2147943461, 80070425)

or:

Restart attempt failed.
The service cannot accept control messages at this time. (2147943461, 80070425)

So, if I absolutely have to give you a better IISRESET command, here it is:

iisreset /stop /timeout:100

taskkill /F /FI "SERVICES eq was"

iisreset /start

This makes sure that if WAS does not stop in the reasonable 100 seconds, we kill its host process (this will be the worst case because we are giving enough time for all apppools to stop). 

We also make sure the services are terminated if they don’t stop, to avoid leaving them in a bad state.

Then, we always re-start the services! That’s the key part.

How to recover when IISRESET fails

Finally, you just ran IISRESET, and it failed. Your server now may be down.

Recover with these commands:

net stop was /yes

taskkill /F /FI "SERVICES eq was"

net start w3svc

The idea here is that, since we don’t exactly know what state the services are in, we’ll just make sure they are stopped, and then start em clean.

Note that we start W3SVC, NOT WAS. This also starts WAS. Sometimes people forget that you need both, so if you just started WAS, you’d still be getting “This site can’t be reached” errors because the web server would not be listening for any incoming requests to your sites.

That’s it. Now that we recovered your server, be sure to never use IISRESET again. Instead, head over to our Reset, Restart and Recycle IIS guide to learn how to restart your websites with zero downtime.

Other IISRESET errors we’ve seen

Restart attempt failed. The IIS Admin Service or the World Wide Web Publishing Service, or a service dependent on them failed to start. The service, or dependent services, may had an error during its startup or may be disabled.

IISRESET may be failing to start some services that depend on WAS or W3SVC. These services may be disabled or not used on the machine.

Instead of this, just start W3SVC directly with net start w3svc

Some support content suggests installing or enabling these dependent services to make IISRESET work, but I think that’s completely backwards. If you don’t use those services, why do you have to enable them just to make a broken command work?

Access denied, you must be an administrator of the remote computer to use this command. Either have your account added to the administrator local group of the remote computer or to the domain administrator global group.

This happens because you are trying to run IISRESET from an non-elevated command line, so it’s blocked by User Access Control (UAC). Run the command from a command line prompt started with “As Administrator” instead.

Leave a Reply

Your email address will not be published.