
Win7, BSOD 21a, SFC fails, Windows update vs MalwareBytes


48 replies to this topic

#1 egrek

egrek

  • Members
  • 26 posts

Posted 11 January 2017 - 12:56 AM

Long time reader, first time poster...
 
I have a Windows 7 install that has been non-functional since early 2015. Unfortunately, it has some licensed software on it which would be a major pain (or impossible) to reinstall on a new Windows image. I believe the problem started after MalwareBytes interfered with a Windows Update.
On boot, it BSODs with code c000021a {Fatal System Error} The session Manager failed to create protected prefixes system process terminated unexpectedly with a status of 0xc000003a (0x00000000 0x00000000). - it instantly reboots.
This happens in regular, safe, and last known good boot modes.
I can boot to an Administrator command line from the HD Recovery mode, or from a Paragon HD Manager boot CD.
From either of those, running SFC as follows gives this result:
 
SFC /scannow /offbootdir=c:\ /offwindir=c:\windows
Beginning system scan. This process will take some time.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.log windows\Logs\CBS\CBS.log. For example c:\Windows\Logs\CBS\CBS.log
 
However, no CBS.log file is actually created. It seems like SFC is dying as it starts to write the log.
I found an article from May 2015, which says there were some dysfunctional Windows Updates which broke SFC in this way. http://www.infoworld.com/article/2926179/microsoft-windows/microsoft-confirms-patch-kb-3022345-breaks-sfc-scannow.html
 
The article doesn't suggest how to recover from this situation - since I guess most people who hit it still had a bootable system they could roll-back or forward on.
Repair suggestions welcome.
 
OS: Windows 7 x64 Ultimate
OEM version, installed by me.
System built in 2014. OS never reinstalled.
CPU: i7
GPU: Nvidia GTX 560
MB: Gigabyte UD something
PS: Corsair AX860
Built by me.
CHKDSK: runs clean.
I'll work on running the other FAQ-recommended tools while I wait for replies to this.
 
Thank you in advance.

 




#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 11 January 2017 - 03:27 PM

While I'm not familiar with the CBS logs, I thought there was an option to specify where the logs were saved to.

If booting to a recovery type OS, then the CBS log would likely be saved in the X: drive (where most bootable OS's start from).

 

I would suggest booting with a disk such as the Ultimate Boot CD

Then locate the MalwareBytes drivers and rename them from .sys to .BAD (keep track of what you've renamed so you can rename them back in case this works)

Then attempt to boot again.


Edited by usasma, 11 January 2017 - 03:28 PM.

My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 egrek

egrek
  • Topic Starter

  • Members
  • 26 posts

Posted 12 January 2017 - 08:36 AM

Hi usasma,

 

No, SFC doesn't give you an option to save the logs. If I boot from CD, the boot volume is X:, running SFC without /offline options has it check X:, and write CBS logs to X:. If I use the /offline options to point it at C:, I get nothing output on either X: or C:, so I'm pretty sure it dies before logging anything.

 

I have no reason to think the Malwarebytes drivers have anything to do with not booting. The text I've found for that bluescreen points to corruption in winlogon or crss. If there's another way to check and/or repair those while SFC is not working, I'd appreciate a pointer to it.

 




#4 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,027 posts
  • Gender:Male
  • Location:92.96 million miles away from the sun

Posted 12 January 2017 - 07:58 PM

Have you tried disabling Driver Signature Enforcement in the Advanced Boot Options menu?


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)


#5 egrek

egrek
  • Topic Starter

  • Members
  • 26 posts

Posted 14 January 2017 - 11:17 PM

Hi bwv,

 

I had not expected that to help, as 'files are corrupted', and 'just ignore the signatures' didn't sound like a fix - but thank you - major progress...

 

Disabling Driver Signature Enforcement has allowed me to boot, in full (not safe) mode!

 

I've applied the rollup patches, and latest Windows Updates. I've run SFC, and now have a CBS log file I can process with SFCfix I expect.

 

The patches/updates did not fix the booting problem yet though - it still gives BSOD code 21a on boot if I don't disable signature checking.

 

Being able to boot the OS makes it possible to use a wider variety of analysis tools to figure out this last bit though. I'll post again after figuring out what I can from the CBS log. Other suggestions still welcome of course.

 




#6 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,027 posts
  • Gender:Male
  • Location:92.96 million miles away from the sun

Posted 14 January 2017 - 11:25 PM

I'm glad to hear that. Unfortunately, this is not a permanent fix, as you already know. There is an ongoing thread here with a gentleman experiencing the same BSOD as you are — I suggest you read it. Right now, I suggest you back up all your files, if you have not done so already. Then run these commands in an elevated command prompt.

sfc /SCANFILE=C:\Windows\System32\csrss.exe

sfc /SCANFILE=C:\Windows\System32\winlogon.exe

What's the output of the commands? If possible run a full SFC scan and post the CBS log.

 

Thanks. :)




#7 egrek

egrek
  • Topic Starter

  • Members
  • 26 posts

Posted 15 January 2017 - 01:36 PM

I will read that thread now.  Meanwhile:

 

The SFC commands you suggested (quite reasonable, based on other comments I've read about BSOD 21a) come back clean. The full CBS.log points to:

 

CORRUPT: C:\Windows\winsxs\amd64_microsoft-windows-r..-commandline-editor_31bf3856ad364e35_6.1.7600.16385_none_8d8925a444607f8c\reg.exe

 

I see a similar problem in another thread here: https://social.technet.microsoft.com/Forums/en-US/f856b1d8-d3e6-4b9f-8ec0-74b961faf781/cbslog-regexe-do-not-match-actual-file-and-corrupted?forum=w8itproappcompat

 

The SFCfix output is very small - only the one file is a problem, it says:

 

 

SFCFix version 3.0.0.0 by niemiro.
Start time: 2017-01-15 00:52:55.846
Microsoft Windows 7 Service Pack 1 - amd64
Not using a script file.
 
 
 
 
AutoAnalysis::
CORRUPT: C:\Windows\winsxs\amd64_microsoft-windows-r..-commandline-editor_31bf3856ad364e35_6.1.7600.16385_none_8d8925a444607f8c\reg.exe
 
 
SUMMARY: Some corruptions could not be fixed automatically. Seek advice from helper or sysnative.com.
   CBS & SFC total detected corruption count:     1
   CBS & SFC total unimportant corruption count:  0
   CBS & SFC total fixed corruption count:        0
   SURT total detected corruption count:          0
   SURT total unimportant corruption count:       0
   SURT total fixed corruption count:             0
AutoAnalysis:: directive completed successfully.
 
 
 
 
Successfully processed all directives.
 
 
 
Failed to generate a complete zip file. Upload aborted.
 
 
SFCFix version 3.0.0.0 by niemiro has completed.
Currently storing 0 datablocks.
Finish time: 2017-01-15 01:02:05.260
----------------------EOF-----------------------

 

I don't know why it failed to generate a zip file.

 



Edited by egrek, 15 January 2017 - 01:37 PM.


#8 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,027 posts
  • Gender:Male
  • Location:92.96 million miles away from the sun

Posted 15 January 2017 - 02:14 PM

Good job. I still want to ensure that csrss.exe and winlogon.exe are not corrupted:

• Download Sigcheck64 and save it to your desktop from here.
• Copy and paste the contents of this code box into a new Notepad document:

@echo off
REM Collects sigcheck64 output for csrss.exe and winlogon.exe into info.log on the Desktop.
title bwv848's batch file
color 6f
:top
echo ----------------------------------------
echo Welcome to bwv848's batch file!
echo ----------------------------------------
echo Please press any key on your keyboard to continue.
cd %userprofile%\desktop
pause >nul
REM Both sigcheck64 runs write into the same redirected info.log (sigcheck64.exe is expected on the Desktop).
>%userprofile%\desktop\info.log  (
sigcheck64 -a "%SystemRoot%\System32\csrss.exe"
sigcheck64 -a "%SystemRoot%\System32\winlogon.exe"
)
echo Operation has been completed! Press any key to exit.
pause >nul
exit /B

• Save the file as fixme.bat to your Desktop.
• Double-click on fixme.bat to run it.
• You'll find a file called info.log on your Desktop. Copy and paste the contents of that file in your next reply.
 

 




#9 egrek

egrek
  • Topic Starter

  • Members
  • 26 posts

Posted 15 January 2017 - 02:31 PM

Your script failed in an interesting way:

 

c:\windows\system32\csrss.exe:
Verified: Signed
Signing date: 10:17 PM 7/13/2009
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Client Server Runtime Process
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
MachineType: 64-bit
Binary Version: 6.1.7600.16385
Original Name: CSRSS.Exe
Internal Name: CSRSS.Exe
Copyright: © Microsoft Corporation. All rights reserved.
Comments: n/a
Entropy: 4.263
㩣睜湩潤獷獜獹整㍭尲楷汮杯湯攮數ഺऊ敖楲楦摥ऺ楓湧摥਍匉杩楮杮搠瑡㩥㔉ㄺ′䵁㤠ㄯ⼲〲㐱਍倉扵楬桳牥ऺ楍牣獯景⁴楗摮睯൳ऊ潃灭湡㩹䴉捩潲潳瑦䌠牯潰慲楴湯਍䐉獥牣灩楴湯ऺ楗摮睯⁳潌潧灁汰捩瑡潩൮ऊ牐摯捵㩴䴉捩潲潳瑦₮楗摮睯깳传数慲楴杮匠獹整൭ऊ牐摯瘠牥楳湯ऺ⸶⸱㘷㄰ㄮ㔸〴਍䘉汩⁥敶獲潩㩮㘉ㄮ㜮〶⸱㠱㐵‰眨湩猷ㅰ束牤ㄮ〴ㄷⴶ㔱㠰ഩऊ慍档湩呥灹㩥㘉ⴴ楢൴ऊ楂慮祲嘠牥楳湯ऺ⸶⸱㘷㄰ㄮ㔸〴਍伉楲楧慮慎敭ऺ䥗䱎䝏乏䔮䕘਍䤉瑮牥慮慎敭ऺ楷汮杯湯਍䌉灯特杩瑨ऺ₩楍牣獯景⁴潃灲牯瑡潩⹮䄠汬爠杩瑨⁳敲敳癲摥മऊ潃浭湥獴ऺ⽮ൡऊ湅牴灯㩹㔉㜮ഷ
 
 
 
Nonetheless, here's the output for winlogon.exe run by hand:
 
C:\Users\Omitted\Desktop>sigcheck64 -a "%SystemRoot%\System32\winlogon.exe"
 
Sigcheck v2.54 - File version and signature viewer
Copyright © 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
c:\windows\system32\winlogon.exe:
        Verified:       Signed
        Signing date:   5:12 AM 9/12/2014
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
        Description:    Windows Logon Application
        Product:        Microsoft® Windows® Operating System
        Prod version:   6.1.7601.18540
        File version:   6.1.7601.18540 (win7sp1_gdr.140716-1508)
        MachineType:    64-bit
        Binary Version: 6.1.7601.18540
        Original Name:  WINLOGON.EXE
        Internal Name:  winlogon
        Copyright:      © Microsoft Corporation. All rights reserved.
        Comments:       n/a
        Entropy:        5.77
 
 

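The garbled block in post #9 is the winlogon.exe record written as UTF-16LE into a file whose first record was single-byte text (the bytes "c:\w..." read as two-byte characters come out as CJK-looking glyphs). The Python below is an added example, not code from this thread or from Sysinternals; it assumes that file layout, rebuilds both records from a constructed sample log, and reports any file whose Verified field is not Signed.

```python
# Added example (not from the thread or Sysinternals): recover sigcheck records
# from an info.log whose second record was written as UTF-16LE after a first
# record in single-byte text, the layout behind the garbled block in post #9.

# Constructed sample: the csrss.exe record as cp1252 text, then the winlogon.exe
# record as UTF-16LE, both in one file (field values copied from the thread).
CSRSS_ANSI = (
    "c:\\windows\\system32\\csrss.exe:\r\n"
    "\tVerified:\tSigned\r\n"
    "\tSigning date:\t10:17 PM 7/13/2009\r\n"
    "\tFile version:\t6.1.7600.16385 (win7_rtm.090713-1255)\r\n"
)
WINLOGON_UTF16 = (
    "c:\\windows\\system32\\winlogon.exe:\r\n"
    "\tVerified:\tSigned\r\n"
    "\tSigning date:\t5:12 AM 9/12/2014\r\n"
    "\tFile version:\t6.1.7601.18540 (win7sp1_gdr.140716-1508)\r\n"
)
SAMPLE_LOG = CSRSS_ANSI.encode("cp1252") + WINLOGON_UTF16.encode("utf-16-le")


def decode_mixed_log(data: bytes) -> str:
    """Decode a file that starts as single-byte text and switches to UTF-16LE.

    UTF-16LE ASCII has a NUL as every second byte, so the first NUL marks the
    switch; the switch itself is one byte earlier (the low byte comes first).
    """
    first_nul = data.find(b"\x00")
    if first_nul < 0:
        return data.decode("cp1252", errors="replace")
    cut = max(first_nul - 1, 0)
    if data[cut - 2:cut] == b"\xff\xfe":   # BOM written ahead of the UTF-16 text
        cut -= 2
    head = data[:cut].decode("cp1252", errors="replace")
    tail = data[cut:]
    if tail.startswith(b"\xff\xfe"):
        tail = tail[2:]
    if len(tail) % 2:                       # truncated final code unit
        tail = tail[:-1]
    return head + tail.decode("utf-16-le", errors="replace")


def parse_sigcheck(text: str) -> dict:
    """Map each "path:" header to a dict of its "Field:<tab>Value" lines."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "\\" in line and not raw[:1].isspace():
            current = line[:-1].lower()         # normalise the path for lookups
            records[current] = {}
        elif current is not None and ":" in line:
            field, _, value = line.partition(":")
            records[current][field.strip()] = value.strip()
    return records


def unsigned_files(records: dict) -> list:
    """Paths whose Authenticode result is anything other than 'Signed'."""
    return sorted(p for p, f in records.items() if f.get("Verified") != "Signed")


if __name__ == "__main__":
    recs = parse_sigcheck(decode_mixed_log(SAMPLE_LOG))
    for path, fields in recs.items():
        print(path, "->", fields.get("Verified"), fields.get("File version"))
    print("not signed:", unsigned_files(recs))
```

Run it against a real info.log by reading the file in binary mode and passing the bytes to decode_mixed_log; a log that is entirely single-byte text decodes unchanged.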
 

 



#10 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,027 posts
  • Gender:Male
  • Location:92.96 million miles away from the sun

Posted 15 January 2017 - 02:49 PM

I wonder why that happened... must be something to do with notepad and fonts. The script works fine on my computer.

Anyway, csrss.exe and winlogon.exe are both digitally signed — that means they're not corrupted. My guess is that you have incompatible drivers on your system. Can you follow these instructions:

https://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

and attach the SysnativeFileCollectionApp.zip file in your next reply.




#11 egrek

egrek
  • Topic Starter

  • Members
  • 26 posts

Posted 16 January 2017 - 02:18 AM

Link to SysNative zip sent in private message.

 

I also ran the installer for the MS checksur utility. Checksur did not find any problems:

 

=================================
Checking System Update Readiness.
Binary Version 6.1.7601.22471
Package Version 26.0
2017-01-15 19:07

Checking Windows Servicing Packages

Checking Package Manifests and Catalogs

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store

Summary:
Seconds executed: 318
 No errors detected
 

Trying to run Perfmon /report gives an error:

 

Error:
 
An error occured while attempting to generate the report.
   
The Data Collector Set or one of its dependencies is already in use.

 

 




#12 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,027 posts
  • Gender:Male
  • Location:92.96 million miles away from the sun

Posted 16 January 2017 - 12:27 PM

Thanks, please PM usasma the link to the ZIP file too. He's much more knowledgeable than I, and I would appreciate his input. FYI, only members can download attached files from Bleeping Computer.

I see you have several VMWare drivers installed. Unfortunately they're over three years old. Is it possible you save all your VMs and uninstall VMWare for troubleshooting purposes? :)

I think the first major thing we should do is check your hard disk. Let's try Seagate SeaTools for Windows (since it'll be a pain booting from a disk). The tutorial for running SeaTools is here. Do not attempt to "fix" the drive; run the S.M.A.R.T. test, short drive self test, short generic test, then the long generic test if the short generic test passes.

Also, you mentioned that the BSODs first happened in 2015. Do you remember making any changes to your system around the time of the first BSOD apart from Windows Update and Malwarebytes?

 

P.S. Uninstall Malwarebytes if possible.


Edited by bwv848, 17 January 2017 - 09:21 AM.



#13 egrek

egrek
  • Topic Starter

  • Members
  • 26 posts

Posted 16 January 2017 - 10:10 PM

Ok - will email (I'll generate a new zip now that MalwareBytes and VMware have been uninstalled) to usasma.

 

Seatools: SMART, short-self-test, short generic, all pass - long generic is still running.

 

In looking through the SysNative zip, I picked up some reminders that I had installed a Service (that I was doing development on). It's since uninstalled, but I saw and remembered that I had disabled several standard services. I've gone through and turned most of them back on - but I'll do a comparison to another Win 7 machine and make sure the services are all in their normal configuration too.

 

 




#14 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,027 posts
  • Gender:Male
  • Location:92.96 million miles away from the sun

Posted 16 January 2017 - 10:26 PM

Good work! Please run Event Viewer as the administrator and navigate to Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational. On the right side, click Save All Events As..., and save it accordingly. Zip up the .evtx file and attach it in your next reply.




#15 egrek

egrek
  • Topic Starter

  • Members
  • 26 posts

Posted 17 January 2017 - 08:52 AM

Seatools: Long generic test finished, passed.

 

Codeintegrity.evtx, will upload.

 

Interestingly, running the SysNative collector now caused a new BSOD.

 

Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.1.7601.2.1.0.256.1
  Locale ID:    1033

Additional information about the problem:
  BCCode:    3b
  BCP1:    00000000C0000005
  BCP2:    FFFFF8000484BC3A
  BCP3:    FFFFF8800883F670
  BCP4:    0000000000000000
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    256_1
 

 






