The call stack showed the presence of cnsminkp.sys, which according to Microsoft is a file associated with spyware called VirTool:WinNT/Protmin.gen!A. According to Wikipedia, cnsminkp.sys is part of Yahoo Assistant. Malware or not, I needed to take it out given the state of the machine to see if it would make any difference. It did not.
After several hours of prying, it became evident that the CreateWindowStation call was failing in winlogon startup. That is a pretty big call, and coupled with GDI transitioning back to user mode and going back again, windbg was finding it hard to do it right as far as session breakpoints are concerned. Eventually I found that win32k!HeavyAllocPool was failing to allocate paged pool.
A !vm confirmed the issue –
    ********** Excessive Paged Pool Usage *****
    PagedPool Usage:    40718 ( 162872 Kb)
    PagedPool Maximum:  40960 ( 163840 Kb)
    ********** 71 pool allocations have failed **********
    Session Commit:       266 (   1064 Kb)
    Shared Commit:        388 (   1552 Kb)
After turning on pool tagging[2] by setting HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\GlobalFlag to 0x400, and a reboot – it was clear who was the top pool consumer when paged pool was depleted enough to fail graphics operations.
    kd> !poolused 4
       Sorting by Paged Pool Consumed
      Pool Used:
                NonPaged            Paged
     Tag    Allocs     Used    Allocs      Used
     SavE        4      224       645 125603704
     CM31        0        0      5918  25481216
Once Symantec anti-virus pool allocations were out of the picture, the machine started booting again[3]. When winlogon failed to create a window station, it exited and since it is a critical process, the system bugchecked.
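The same triage can be scripted over saved debugger text. The following is an added example, not part of the original post: it parses the !vm and !poolused output quoted above and ranks tags by their share of the paged pool maximum. The function names and the 25% flagging threshold are assumptions made for the example.

```python
import re

# Debugger output quoted on this page (line layout reconstructed for parsing).
VM_OUTPUT = """\
********** Excessive Paged Pool Usage *****
PagedPool Usage:    40718 ( 162872 Kb)
PagedPool Maximum:  40960 ( 163840 Kb)
********** 71 pool allocations have failed **********
"""
POOLUSED_OUTPUT = """\
kd> !poolused 4
   Sorting by Paged Pool Consumed
  Pool Used:
            NonPaged            Paged
 Tag    Allocs     Used    Allocs     Used
 SavE        4      224       645 125603704
 CM31        0        0      5918  25481216
"""

def parse_vm(text):
    """Paged pool usage and maximum in bytes, plus the failed-allocation count."""
    out = {}
    for key in ("Usage", "Maximum"):
        m = re.search(rf"PagedPool {key}:\s+\d+\s+\(\s*(\d+)\s*Kb\)", text)
        out[key.lower()] = int(m.group(1)) * 1024 if m else None
    m = re.search(r"(\d+) pool allocations have failed", text)
    out["failed"] = int(m.group(1)) if m else 0
    return out

def parse_poolused(text):
    """Rows of (tag, nonpaged_allocs, nonpaged_bytes, paged_allocs, paged_bytes)."""
    rows = []
    for line in text.splitlines():
        # Data rows are a tag followed by exactly four integers; headers are skipped.
        m = re.fullmatch(r"\s*(\S{1,4})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*", line)
        if m:
            rows.append((m.group(1), *map(int, m.groups()[1:])))
    return rows

def rank_paged(vm, rows, threshold=0.25):
    """Tags by paged bytes with share of the maximum; threshold is an assumed cutoff."""
    ranked = sorted(rows, key=lambda r: r[4], reverse=True)
    return [(r[0], r[4], round(r[4] / vm["maximum"], 3), r[4] / vm["maximum"] >= threshold) for r in ranked]

if __name__ == "__main__":
    vm = parse_vm(VM_OUTPUT)
    print(f"paged pool {vm['usage'] / vm['maximum']:.1%} full, {vm['failed']} failed allocations")
    for tag, paged, share, flagged in rank_paged(vm, parse_poolused(POOLUSED_OUTPUT)):
        print(f"{tag:<4} {paged:>12} {share:>6.1%} {'<-- dominant' if flagged else ''}")
```

On the numbers above, the SavE tag alone holds roughly three quarters of the paged pool maximum, which is why removing its allocations was enough to let the window station be created.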