BSOD during log in


Jon Paris

I'm getting desperate so I hope someone can suggest an
approach.

Yesterday I had to reboot and almost immediately after
entering my Id and pw I got the BSOD with a C000021a
stop. The system then reboots.

1) I _can_ log on as administrator (my own Id was also an
admin)

2) I _can_ log on to my Id in Safe mode - but _not_ if I
load networking support (so I guess the problem lies
there somewhere)

3) If I create a new user they cannot log in either.

Earlier I had downloaded an update for Acro Rdr 6 and that
had requested a reboot. I also installed CanStudio (sp?)
but neither of those should have anything to do with
networking should they.

How can I detect the problem component and get back to
normal.

P.S. Reloading Win2K is not an option. IBM do not supply
the CD with Thinkpads these days.

Any and all help welcomed.
 
Bugcheck 0x21A is STATUS_SYSTEM_PROCESS_TERMINATED
This means that an error has occurred in a crucial user-mode subsystem.

Resolving an error in a user-mode device driver, system service, or
third-party application: Because bug check 0xC000021A occurs in a user-mode
process, the most common culprits are third-party applications. If the error
occurred after the installation of a new or updated device driver, system
service, or third-party application, the new software should be removed or
disabled. Contact the manufacturer of the software about a possible update.

Also, I would suspect that your computer was attacked via the network,
causing a shutdown in a critical Windows process and triggering this BSOD.

I would first disable networking for your PC access and then try to boot.
Then, make sure this computer stays off the network (or at least run a
firewall so that your machine isn't blatantly accessible via the network)
while you determine whether it is a 3rd party application causing this issue
or whether your PC was not patched/firewalled.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
 
Thanks for the reply David - comments in-line
<clip>
> If the error
> occurred after the installation of a new or updated device driver, system
> service, or third-party application, the new software should be removed or
> disabled. Contact the manufacturer of the software about
> a possible update.

As I noted in my original message I had installed an
Adobe update and one other application BUT both have now
been removed with no effect.

> Also, I would suspect that your computer was attacked via the network,
> causing a shutdown in a critical Windows process and
> triggering this BSOD.

Could this really happen _during_ sign-on?

> I would first disable networking for your PC access and
> then try to boot.

As I noted before - I can sign on to that Id in Safe mode
without Networking. But _why_ does the Administrator work
just fine with networking? but other Admin level users
fail?

> Then, make sure this computer stays off the network (or at least run a
> firewall so that your machine isn't blatantly accessible
> via the network)

I have been behind a full firewall for some years - plus I
am running Norton AV.

<snip>

In Win 98 you could monitor each device driver etc. and
determine the problem that way. How do I do that with
W2K??
 
Even before you see the login screen, your machine is already on the
network. Services, like firewalls, should have already started by the time
the login screen is showing. As you are logging in, crashes in lsass
(security) and winlogon (handles your logon dialog, Ctrl-Alt-Del, etc.),
which are critical system processes, would trigger that particular BSOD.

Are you running a custom company login module of some sort?

You can hit F8 and start Windows with logging, which is analogous to Win98.

But if it happens during login, the F8-based logging isn't going to show any
failures. It's something crashing in the user-mode process as you are
logging in, which is after the conclusion of that logging. You will need a
KD to figure out why.

The sudden nature of your issue makes me suspect that it's some sort of
attack, or you're running some custom code in lsass/winlogon with a bug
related to network access.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
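Added example, not part of the thread: F8 boot logging appends each boot's driver list to `ntbtlog.txt` in the Windows directory, so the Safe Mode boot that works can be diffed against the Safe Mode with Networking boot that fails. As noted above, this will not show the user-mode crash itself; it only narrows down the drivers that differ. The header lines and driver names in the sample are constructed, and the parser assumes any line that is not a driver entry is a session header.

```python
LOADED = "Loaded driver "
SKIPPED = "Did not load driver "

# Constructed sample: two appended boot sessions. Header text and the
# "examplenet.sys" driver are illustrative, not from the poster's machine.
SAMPLE_LOG = r"""
Constructed header: Safe Mode boot
Loaded driver \WINNT\System32\ntoskrnl.exe
Did not load driver \SystemRoot\System32\Drivers\rdbss.sys
Did not load driver \SystemRoot\System32\Drivers\examplenet.sys
Constructed header: Safe Mode with Networking boot
Loaded driver \WINNT\System32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\Drivers\rdbss.sys
Loaded driver \SystemRoot\System32\Drivers\examplenet.sys
"""

def classify(line):
    """Return (kind, value): 'loaded'/'skipped' with a path, else 'header'."""
    for prefix, kind in ((LOADED, "loaded"), (SKIPPED, "skipped")):
        if line.startswith(prefix):
            # Windows paths are case-insensitive, so normalise for comparison.
            return kind, line[len(prefix):].lower()
    return "header", line

def parse_sessions(text):
    """Split an appended boot log into one dict per boot session."""
    sessions = []
    for line in filter(None, map(str.strip, text.splitlines())):
        kind, value = classify(line)
        header_open = bool(sessions) and not (
            sessions[-1]["loaded"] or sessions[-1]["skipped"])
        if kind == "header" and header_open:
            sessions[-1]["header"] += " | " + value  # multi-line header
        elif kind == "header" or not sessions:
            sessions.append({"header": value if kind == "header" else "(no header)",
                             "loaded": set(), "skipped": set()})
        if kind != "header":
            sessions[-1][kind].add(value)
    return sessions

def only_in_second(first, second):
    """Drivers the second boot loaded that the first boot did not."""
    return sorted(second["loaded"] - first["loaded"])

if __name__ == "__main__":
    safe, networking = parse_sessions(SAMPLE_LOG)[-2:]
    print("\n".join(only_in_second(safe, networking)))
```
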
 
-----Original Message-----
> Are you running custom company login module of some sort?

No - nothing like that. No VPN, no nothing.

> You can hit F8 and start Windows with logging, which is
> analogous to Win98.

But didn't Win98 let you say Yes/No to each driver? I had
already done as you suggested but did not get the option
to choose what got loaded. Also I haven't a clue what the
log file is called or where it is.

> You will need a KD to figure out why.

That sounds like more fun than I want to have <grin> - not
to mention that I haven't a clue where to begin.

Is there no way to compare the registry entries for the
User that _can_ log on (Administrator) with the one that
can't? This is what confuses me - there must be some
difference in what is loaded and since it happens so
quickly after entering the password etc. Hopefully the
list isn't too long. But what settings control what gets
loaded for whom?

> The sudden-nature of your issue makes me suspect that it's some sort of
> attack, or you're running some custom code in lsass/winlogon with a bug
> related to network access.

I guess attack is possible, but I'm behind a hardware
firewall and have not loaded anything non-standard, opened
any attachments, etc.

Thanks again for your help David - we may not have an
answer yet but I appreciate the effort.
 
I realize that you have reservations about setting up a KD, but I believe
it's the most direct way to resolution.

Right now, we *know* something is crashing inside of winlogon.exe right
after you log in.

Your suggestion of comparing registry keys between two users *assumes* that
the registry has info on what is loaded, but that may not be true.

However, if we catch the crash before the BSOD happens (the crash will jump
to the KD if available -- only when no debuggers are available do you see
the Blue Screen -- the "last resort" of sorts), it will identify the module
at fault, which *will* help determine a solution.

There was a time, long ago, when I'd shy away from directly debugging an
issue and try to find some other indirect method of determining the issue.
On reflection, it is MUCH faster to directly attack the problem and requires
only a little bit more of understanding. It may not be the most "customer"
friendly thing to do since there's no pretty UI and lots of scary
hexadecimal numbers, but it is the fastest way to results. :-)

Microsoft Debugging Tools are at:
http://www.microsoft.com/ddk/debugging
There are instructions there on how to set up such a kernel debugger,
retrieve public symbols, and wait for the crash.


--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
 