Tuesday, June 17, 2014

0xC000021A Debugging

Yay, a debugging post! : )

This bug check in most if not all cases is caused by a critical Windows component corruption (.dll, piece of the file system, etc), 3rd party driver causes a conflict (rare), etc.

---------------------------

First of all, let's have a look at the basic description of the bug check:

WINLOGON_FATAL_ERROR (c000021a)

This means that an error has occurred in a crucial user-mode subsystem.

Okay, with that said let's go ahead and expand a bit on what this exactly means. Within user-mode we have various subsystems such as WinLogon or csrss.exe (Client/Server Runtime Subsystem). When for some reason these 'critical' subsystems unexpectedly cease to exist, have any sort of problem that prevents them from running or doing their job, the OS will swap to kernel-mode.

What's the problem with this? The subsystems I mentioned above are strictly user-mode, therefore when the OS swaps to kernel-mode, it calls a bug check as this is a big no-no as the OS cannot run without those subsystems.

In this bug check, two of the four parameters are important:

-- In this example, I will be using a 0xC000021A I solved quite some time ago. Your parameters may obviously differ.

BugCheck C000021A, {8da5e6b0, c0000006, 75a4e5e5, 13f86c}

The 1st parameter (8da5e6b0 in our case) is the string that identifies the problem.

The 2nd parameter (c0000006 in our case) is the error code.

---------------------------

FAILURE_BUCKET_ID:  0xc000021a_csrss.exe_c0000006_PoShutdown_ANALYSIS_INCONCLUSIVE
We can see it was csrss.exe that terminated unexpectedly. Why?
1: kd> db 8da5e6b0
8da5e6b0  57 69 6e 64 6f 77 73 20-53 75 62 53 79 73 74 65  Windows SubSyste
8da5e6c0  6d 00 a5 8d c0 e6 a5 8d-04 04 2b 06 46 4d 66 6e  m.........+.FMfn8da5e6d0  04 f2 4e 01 00 00 00 00-a7 73 19 00 00 00 00 00  ..N......s......
8da5e6e0  e0 e6 a5 8d 00 00 00 00-00 00 00 00 e4 cf 61 8a  ..............a.
8da5e6f0  00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 00  ............@...
8da5e700  01 00 00 00 dc 00 de 00-40 e7 a5 8d 2e 00 2e 00  ........@.......
8da5e710  40 e7 a5 8d 00 00 00 00-00 00 00 00 00 00 00 00  @...............
8da5e720  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
If we run db 1st parameter it dumps the bytes from the string. We can see FMFn which is a pool tag, specifically the NAME_CACHE_NODE structure. It's part of fltmgr.sys which is the Microsoft Filesystem Filter Manager driver.

1: kd> da 8da5e6b0
8da5e6b0  "Windows SubSystem"
If we run da 1st parameter it dumps ASCII strings. Not very helpful given we already knew this, but it's just another way to show you how you can see what caused the crash.

---------------------------

In this specific case, I advised the user to insert the installation media and run a repair (which solved the problem).

Thanks for reading!

No comments:

Post a Comment