The other day, a colleague of mine handed me a Sony Vaio notebook that blue screens when booting up with a 0xc000021a. The BSOD happened on every boot, but the machine could still be booted into safe mode. Curious about the cause, my first guess was obviously malware. Symantec was installed on this 5+-year-old XP machine, so at least it had some protection. I booted it once to see the failure and there it was, albeit without any bugcheck argument information. It was time to investigate what was going on.

Once the machine was booted into safe mode, I changed boot.ini to enable FireWire debugging on channel 1 with boot debug turned on. Device Manager, however, would not show any of the devices, so I could not disable the 1394 controller as is customary when debugging. This was looking more and more like a malware infection of some kind. Malware likes to hide things like My Computer and Task Manager, and perhaps the active malware had kernel-mode components that did not wish to reveal themselves in Device Manager.

The next snag I hit was that windbg would crash every time I attempted to connect to the debuggee. When windbg crashes, it does not leave a dump of any kind for you to look at; the window just vanishes. You can, however, attach another instance of windbg to see what the problem is. Instead I wanted to give kd a try. Here is what kd spewed out –

Opened \\.\DBG1394_INSTANCE01
Timer Resolution set to 1000 usec.
Waiting to reconnect…
Debugger can’t get KD version information, Win32 error 0n56
Debugger can’t get KD version information, Win32 error 0n56
DbgKdWaitStateChange failed: c0000001

On a hunch I changed from channel 1 to channel 44 and removed the boot debug option from boot.ini. That helped: kd connected this time, and so did windbg. The bugcheck looked like below –

The Winlogon process terminated unexpectedly.
Arg1: e17a1790, String that identifies the problem.
Arg2: 00000407, Error Code.
Arg3: 00000000
Arg4: 00000000

The bugcheck was caused by winlogon.exe terminating abnormally. The first argument pointed to the ASCII string “Windows Logon Process”. The second argument, the “Error Code”, is lamentably not a standard Windows error code or status value. It is the exit code winlogon.exe passed to TerminateProcess and is probably an internal code used by Microsoft.
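For reference, here are the two boot.ini entries described above, the channel 1 attempt with boot debugging that kd could not connect to and the channel 44 entry that worked, as an added example rather than the file from the machine in the post; the ARC path, the OS description string and the plain entry are assumed.

```ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP - 1394 debug, channel 1, bootdebug (failed to connect)" /fastdetect /debug /debugport=1394 /channel=1 /bootdebug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP - 1394 debug, channel 44 (worked)" /fastdetect /debug /debugport=1394 /channel=44
```

The channel number in the entry you boot must match the one given to the host debugger, for example kd -k 1394:channel=44; keeping the plain entry first lets the machine boot normally if no debugger is attached.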
