Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BSOD - AT STARTUP (0xc000021a)


  • Please log in to reply
95 replies to this topic

#1 sippenhaft

sippenhaft

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Joisey
  • Local time:09:41 AM

Posted 16 December 2016 - 08:38 PM

Hello

 

Out of the "blue" I got a BSOD.

I turned on my computer and it happened. I had done nothing and had no issues for a very long time.

 

I searched the error code and saw it may be a corrupt file at log in screen?

 

I have DONE the following:

1) Attempted Auto Repair - FAILED

2) I was able to get into the computer by using the ADVANCED SETTINGS and DISABLED SIGNATURE ENFORCEMENT

3) Ran SFC.exe (numerous times) and it appears to repair a handful of files and there are NO files it cannot repair.

4) Reboot and same issue.

5) I see Windows updated a bunch over the past few days...maybe that is the issue?

6) When I am in the computer all works fine.

 

So...what could it be or should I try?

Should I run SFC again and reboot after each scan? (I ran scan a few times then rebooted)

In the SrtTrail.txt report there is mention of a corrupt file but it looks like it repairs it:

 

Bugcheck c000021a. Parameters = 0xffffc60100e43210, 0xffffffffc0000428, 0x0, 0x1f5144e0000.
Boot critical file  is corrupt.

Repair action: File repair
Result: Failed. Error code =  0xa
Time taken = 7297 ms

 

I did the SysnativeBSODCollection and have that if you need it.

 

I TRIED to do the perfmon, but it never completed after several minutes.

 

Thoughts or Ideas?

 

Thank you so much

Steve



BC AdBot (Login to Remove)

 


#2 CKing123

CKing123

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia, Canada
  • Local time:06:41 AM

Posted 17 December 2016 - 11:43 PM

Hi

 

From the information that you gave, I gleaned a possible cause for this (I will wait for BSOD Experts to weigh in on this):

 

The error code (0xc000021a) suggests that either winlogon.exe or csrss.exe were corrupted, which the Signature Enforcement, a security feature to prevent malware from patching system files, caught. Disabling Signature Enforcement is a temporary fix because it basically is a setting to ignore the corrupted system files rather than BSOD immediately. We don't know whether it is winlogon or csrss that is corrupted from the SrtTrial log alone, but it failed to repair the file:

 

Bugcheck c000021a. Parameters = 0xffffc60100e43210, 0xffffffffc0000428, 0x0, 0x1f5144e0000.

Boot critical file  is corrupt.
 
Repair action: File repair
Result: Failed. Error code =  0xa
Time taken = 7297 ms

In this situation, I would suggest a SFC scan, but since you already ran it and it also failed to repair the files, I would like to take a look at the logs for it. SFC reports everything in the CBS log. In your next reply, could you please attach the C:\Windows\Logs\CBS\CBS.log?

 

Also, since we don't know the general information about your computer, could you also provide us with some basic information of the computer?:

· OS - Windows 8.1, 8, 7, Vista ?

· x86 (32-bit) or x64 ?
· What was original installed OS on system?
· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)?
· Age of system (hardware)
· Age of OS installation - have you re-installed the OS?
 
· CPU
· Video Card
· MotherBoard - (if NOT a laptop)
· Power Supply - brand & wattage (skip if laptop)
 
· System Manufacturer
· Exact model number (if laptop, check label on bottom)
 
· Laptop or Desktop?

 

-CKing


Edited by CKing123, 17 December 2016 - 11:55 PM.

If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase


#3 sippenhaft

sippenhaft
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Joisey
  • Local time:09:41 AM

Posted 18 December 2016 - 04:08 PM

OK. I am agreeing that is has to do with the login.

 

Windows 10, 64bit, desktop PC...

 

Attached are the following 3 items:

CBS.LOG

SFCDETAILS.txt

System Spec

 

Thank you

Attached Files



#4 CKing123

CKing123

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia, Canada
  • Local time:06:41 AM

Posted 19 December 2016 - 02:09 PM

Hi

 

From the CBS logs, no files are reported to be corrupt.

 

Since you mentioned that the problems occurred after Windows Updates. Were the updates interrupted? If that is the case, Windows might be expecting a different version of csrss or WinLogon.

 

-CKing


If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase


#5 sippenhaft

sippenhaft
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Joisey
  • Local time:09:41 AM

Posted 19 December 2016 - 04:13 PM

There was ONE failed install back on the 9th, (KB3201845) but the it installed successfully on the 10th. This issue started the 16th, after another successful microsoft update (KB3206632).

 

Im still obviously able to get online after  disabling the signature enforcement ....

 

Is there a place I can go to get just those parts of the update? Or what would be my next step to fix it?

 

Maybe a registry thing is broken? Just guessing....


Edited by sippenhaft, 19 December 2016 - 04:14 PM.


#6 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,089 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:09:41 AM

Posted 20 December 2016 - 05:19 PM

My apologies for the delayed response - I've had a lot of personal things going on, and now I have a cast on my left arm/hand :(

 

I would suggest starting with:

- malware scans, then

- a RESET using the Keep My Files option

 

Here's some free malware scanners:
Could you be infected?  It's possible that malware has corrupted your current protection, so please try a couple of these, independent scans (from this link: https://www.us-cert.gov/ncas/alerts/TA15-286A ).  This is in case your current protection is compromised by malware and giving false results:

 

           F-Secure
           https://www.f-secure.com/en/web/home_global/online-scanner (link is external)

           McAfee
           http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx (link is external)

           Microsoft
           http://www.microsoft.com/security/scanner/en-us/default.aspx (link is external)

           Sophos
           https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx (link is external)

           Trend Micro
           http://housecall.trendmicro.com/ (link is external)

    The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

If you do find infections, I'd suggest posting over in the Am I Infected forum to ensure that all the bad stuff has been removed:  http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Please read the pinned topics at the top of the forum for instructions on how to post there.

 


Edited by usasma, 20 December 2016 - 05:21 PM.

My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#7 sippenhaft

sippenhaft
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Joisey
  • Local time:09:41 AM

Posted 21 December 2016 - 12:19 PM

Hello USAMA

 

I ran virus/mal/spyware scans (F-Secure, Microsoft, AVAST, Malwarebytes, Superantispyware) - ALL NEGATIVE

 

Tried the RESET (keeping my files) - FAILED (There was a problem resetting - no changes made)

...was sort of happy because of the amount of "apps" I would have had to reload LOL!

 

What should we look at next?



#8 CKing123

CKing123

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia, Canada
  • Local time:06:41 AM

Posted 21 December 2016 - 12:31 PM

Hi

 

 

 

What should we look at next?

Is the BSOD still occurring?

 

-CKing


If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase


#9 sippenhaft

sippenhaft
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Joisey
  • Local time:09:41 AM

Posted 21 December 2016 - 02:26 PM

CKing123 - No Christmas miracles. (still can only get in using F7 - Disable Signature Enforcement)

 

Note:

I also ran TDSSKiller - no infections

I opened CCleaner and looked at the registry cleaner and there are 1439 issues. Should I do a FIX ITEMS? I did not as I prefer and value your opinions first.

 

 

ALSO NOTE: I attached a file that I saw in the ADVANCED SETTINGS when restarting. It said:

" E:WINDOWS/system32/Logfiles/Srt/SrtTrail.txt"

 

However...E is my DVD drive...I did find that file on my C drive and attached it. (Bootfile corrupt???)

 

Steve

Attached Files


Edited by sippenhaft, 21 December 2016 - 02:38 PM.


#10 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,089 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:09:41 AM

Posted 22 December 2016 - 07:18 AM

I'm no good at repairing boot files - and that's what seems to be called for here.
Let's see what CKing123 has to say....


My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#11 sippenhaft

sippenhaft
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Joisey
  • Local time:09:41 AM

Posted 22 December 2016 - 03:12 PM

OK USASMA, I can wait LOL.

 

NOTE: Malwarebytes came up with roboot64.exe as a PUP today. Looks like a windows file. Just FYI on my situation.



#12 CKing123

CKing123

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia, Canada
  • Local time:06:41 AM

Posted 22 December 2016 - 03:18 PM

@usasma, although I have helped users who had boot files corrupted, most of the time, the computer listed the file in the error message, like Winload.exe corrupted, etc

 

Also, if WinLogon and CSRSS are not corrupted, I am suspecting it could be a corrupt boot driver. This is going to be tricky to track down

 

@sippenhaft, let's try to track down the bad driver:

 

Please download Sigcheck tool from here: https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

Extract the zip file and open the folder where sigcheck is extracted

In that folder, go to File > Open Command Prompt

Copy and paste this command and press Enter:

sigcheck -a -e -s -nobanner C:\Windows\system32\drivers >%UserProfile%\Desktop\Driversig.txt

Now, copy and paste this command:

reg query HKLM\SYSTEM\CurrentControlSet\Services /s | findstr /c:"HKEY_LOCAL_MACHINE" /c:"ImagePath" >%UserProfile%\Desktop\BootDriver.txt

Once these two commands have finished, you should see two files on your Desktop: Driversig.txt and BootDriver.txt

 

Could you please attach both of these files in your next reply?

 

Also, I suggest that you don't use CCleaner's registry cleaners. Registry cleaners are known to cause problems. But you can use other cleaning features of CCleaner :)

 

-CKing


If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase


#13 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,089 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:09:41 AM

Posted 22 December 2016 - 05:02 PM

Thanks CKing123!


My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#14 sippenhaft

sippenhaft
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Joisey
  • Local time:09:41 AM

Posted 22 December 2016 - 05:04 PM

Yeah CCLEANER usually I dont do the registry stuff, thats why I asked first! LOL

 

OK. I ran the commands you said. The two files are attached. There were errors in the command prompt:

 

C:\Users\Steve\Desktop\sigcheck>sigcheck -a -e -s -nobanner C:\Windows\system32\drivers >%UserProfile%\Desktop\Driversig.txt

C:\Users\Steve\Desktop\sigcheck>reg query HKLM\SYSTEM\CurrentControlSet\Services /s | findstr /c:"HKEY_LOCAL_MACHINE" /c:"ImagePath" >%UserProfile%\Desktop\BootDriver.txt
FINDSTR: Line 1510 is too long.
FINDSTR: Line 1510 is too long.
FINDSTR: Line 1520 is too long.
FINDSTR: Line 1520 is too long.
FINDSTR: Line 1520 is too long.
FINDSTR: Line 1520 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.
FINDSTR: Line 11111 is too long.

C:\Users\Steve\Desktop\sigcheck>

 

 

Hope this helps. :)

Attached Files



#15 CKing123

CKing123

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia, Canada
  • Local time:06:41 AM

Posted 22 December 2016 - 10:18 PM

Hi
 
I found the following drivers that are not signed:

Intel
c:\windows\system32\drivers\iagpio.sys
c:\windows\system32\drivers\iai2c.sys
c:\windows\system32\drivers\iaLPSS2i_GPIO2.sys

Microsoft
c:\windows\system32\drivers\IndirectKmd.sys
c:\windows\system32\drivers\mrxsmb10.sys
c:\windows\system32\drivers\RfxVmt.sys
c:\windows\system32\drivers\srv2.sys
c:\windows\system32\drivers\Synth3dVsc.sys
c:\windows\system32\drivers\xboxgip.sys
c:\windows\system32\drivers\en-US\rdpwd.sys.mui
c:\windows\system32\drivers\en-US\tunnel.sys.mui
c:\windows\system32\drivers\UMDF\IddCx.dll
c:\windows\system32\drivers\UMDF\en-US\SensorsCx.dll.mui

Saitek
c:\windows\system32\drivers\SaiBus.sys

Some of these drivers were found on my computer and they all were signed
 
From these corrupt drivers, I am suspecting that you hard disk may be failing. Before we test your hard disk, I suggest you to BACKUP all your data!
 
Once you have backed up your data, check the disk using GSmartControl:
 
S8ANNnz.pngGSmartControl
Follow the instructions below to test your hard drive health with GSmartControl:

  • Extract the content of the GSmartControl .zip archive and execute gsmartcontrol.exe;
  • Identify your drive in the list, and double-click on it to bring up it's window (usually you'll find your drive by it's size or it's brand name);
  • Go in the Perform Tests tab, then select Extended Self-test in the Test type drop-down list and click on Execute (this test can take a few hours to complete);
  • Once the test is over, the results will be displayed at the bottom of the window. Please copy and paste these results in your next reply;
  • Also, go in the Attributes tab and if you have any entries highlighted in red or pink, copy and paste their name in your next reply (or take a screenshot of the GSmartControl window and attach it in your next reply);

info_failing.png

 
 
-CKing


If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase





2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users