- May 7, 2013
Code:
WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: ffff900938f02310, String that identifies the problem.
Arg2: ffffffffc0000428, Error Code.
Arg3: 0000000000000000
Arg4: 0000024ce7740000
This bugcheck indicates that a very important process called winlogon.exe has terminated. In most cases, this will be the operating system terminating the process because it isn't able to verify the integrity of the system. If this is the case, then the operating system will cause the system to transition into kernel-mode and then issue the shutdown of the machine. This is to preserve the security of the user's credentials. To understand why this is necessary, it is important to provide a brief explanation of what winlogon.exe is and how the sign-in process works on Windows.
winlogon.exe is started early in the boot process and is responsible for launching LogonUI.exe, which handles the logon screen we are all familiar with. Before it does this, winlogon.exe waits for the successful initialisation of lsass.exe and the LSM service. It is very important that only winlogon.exe is able to launch LogonUI.exe, so that the operating system can guarantee the logon GUI hasn't been drawn by a malicious process. Once the user has entered their credentials for the corresponding credential provider (for example, a PIN or password), a logon session is created and the credentials are validated by the LSASS process. If the credentials are valid, the user's profile is loaded into the registry key called HKEY_CURRENT_USER.
Let's examine the first two bugcheck parameters, which describe the problem. The first parameter points to a string, so we can use the standard dc command (dump dwords with their ASCII rendering) to dump it.
Code:
2: kd> dc ffff900938f02310
ffff9009`38f02310 74696e69 206c6169 73736573 206e6f69 initial session
ffff9009`38f02320 636f7270 20737365 0000726f ffff4649 process or..IF..
ffff9009`38f02330 03030000 6944624f 00000000 00000000 ....ObDi........
ffff9009`38f02340 38ea4f30 ffff9009 38ece7f0 ffff9009 0O.8.......8....
ffff9009`38f02350 680b0fee 10000000 00004000 00000042 ...h.....@..B...
ffff9009`38f02360 03030000 6944624f 00000000 00000000 ....ObDi........
ffff9009`38f02370 38ea4960 ffff9009 38ecfde0 ffff9009 `I.8.......8....
ffff9009`38f02380 25de4e53 006e0069 37ca1780 ffff9009 SN.%i.n....7....
Alternatively, you can use the da command like so:
Code:
2: kd> da ffff900938f02310
ffff9009`38f02310 "initial session process or"
The string itself isn't too helpful, yet we can see that it mentions the initial session process, and the ASCII column also shows a pool tag which is related to the global object directory.
Code:
2: kd> !pooltag ObDi
Pooltag ObDi
Description: object directory
Driver!Module: nt!ob
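To make the dc output above a little less opaque, here is an added Python example (my own code, not part of the original post) that rebuilds the raw bytes from the first three dc lines and recovers both the string da printed and the ObDi pool tag sitting a little further along. The dump text is copied from the post as constructed sample input; the column parsing is an assumption based on the usual dc layout of an address followed by up to four little-endian dwords and an ASCII column.

```python
import struct

# Constructed sample input: the first three lines of the `dc` dump from the post.
DC_DUMP = """\
ffff9009`38f02310 74696e69 206c6169 73736573 206e6f69 initial session
ffff9009`38f02320 636f7270 20737365 0000726f ffff4649 process or..IF..
ffff9009`38f02330 03030000 6944624f 00000000 00000000 ....ObDi........
"""


def _is_dword(token):
    return len(token) == 8 and all(c in "0123456789abcdef" for c in token.lower())


def dc_to_bytes(dump):
    """Rebuild the raw memory bytes from `dc` output.

    Each line is `<address> <up to 4 dwords> <ascii column>`. dc shows every dword
    as a little-endian 32-bit value, so 74696e69 in the dump is the byte sequence
    69 6e 69 74, i.e. the text 'init'. Only the dword columns are used; the ASCII
    column is ignored because it is just a rendering of the same bytes.
    """
    buf = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2 or "`" not in parts[0]:
            continue  # skip anything that is not a dump line
        for token in parts[1:5]:
            if not _is_dword(token):
                break
            buf += struct.pack("<I", int(token, 16))
    return bytes(buf)


def ascii_string_at(buf, offset=0):
    """What `da` does: read single-byte characters from offset up to the first NUL."""
    end = buf.find(b"\x00", offset)
    if end == -1:
        end = len(buf)
    return buf[offset:end].decode("ascii", errors="replace")


def pool_tag_at(buf, offset):
    """Read the 4 bytes a pool tag occupies. Tags are stored as their ASCII bytes,
    which is why dc's ASCII column shows 'ObDi' while the dword column shows 6944624f."""
    return buf[offset:offset + 4].decode("ascii", errors="replace")


def dword_at(buf, offset):
    """Read a little-endian dword, the way dc interprets memory."""
    return struct.unpack_from("<I", buf, offset)[0]


if __name__ == "__main__":
    mem = dc_to_bytes(DC_DUMP)
    print(ascii_string_at(mem))       # initial session process or
    print(pool_tag_at(mem, 0x24))     # ObDi
    print(hex(dword_at(mem, 0x24)))   # 0x6944624f
```

The same byte-order point explains why the tag reads as ObDi in the ASCII column but 6944624f in the dword column: the dword is the four ASCII bytes 4f 62 44 69 read little-endian.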
However, we can find the full string by using !dpx (only available as part of the PDE extension) and then dumping the string it finds on the stack:
Code:
2: kd> !dpx
Start memory scan : 0xfffff28ab4a84598 ($csp)
End memory scan : 0xfffff28ab4a85000 (Kernel Stack Base)
rax : 0xffffb58f5dedd190 : !da ""The initial session process or system process terminated unexpectedly with a sta...""
Code:
2: kd> !PDE.da ffffb58f5dedd190
The initial session process or system process terminated unexpectedly with a status of 0xc0000428 (0x00000000 0xe7740000).
The system has been shut down.
Notice the third and fourth parameter values? The values shown in the string are truncated to 16 bits, which is why the leading part is missing. Now, let's dump the error code shown in the second parameter using the !error command.
Code:
2: kd> !error c0000428
Error code: (NTSTATUS) 0xc0000428 (3221226536) - Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Ah! That is much more helpful. It appears that the operating system has terminated the process because it can't verify the digital signature associated with a key system file. This can be due to a corrupted .cat file or because the file itself has become corrupted. In either case, Windows isn't able to verify the integrity of the logon process and therefore terminates it.
Code:
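As an added example (my own code, not from the original post), the following Python splits the second bugcheck argument into its NTSTATUS fields and reproduces the formatting seen in the !dpx and !error output above. The argument values are copied from the post; the NTSTATUS field layout is the documented one (severity in bits 31-30, customer bit 29, facility bits 27-16, code bits 15-0), and the single-entry name table is an assumption standing in for a full ntstatus.h lookup. It also shows what the message string does with arguments 3 and 4: it prints each as 8 hex digits, so only the low dword of 0x24ce7740000 survives as 0xe7740000.

```python
# Bugcheck arguments copied from the post.
ARG1 = 0xFFFF900938F02310  # pointer to the message string
ARG2 = 0xFFFFFFFFC0000428  # NTSTATUS, sign-extended to 64 bits
ARG3 = 0x0000000000000000
ARG4 = 0x0000024CE7740000

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Assumption: only the status this post deals with. A real tool would carry the
# full table from ntstatus.h.
STATUS_NAMES = {0xC0000428: "STATUS_INVALID_IMAGE_HASH"}


def decode_ntstatus(value):
    """Split an NTSTATUS into its fields. Accepts the sign-extended 64-bit form
    that appears in bugcheck arguments as well as a plain 32-bit value."""
    status = value & 0xFFFFFFFF
    return {
        "value": status,
        "severity": SEVERITY[(status >> 30) & 0x3],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": STATUS_NAMES.get(status, "unknown"),
    }


def windbg_error_prefix(value):
    """Same leading format as the `!error` output quoted in the post."""
    status = value & 0xFFFFFFFF
    return f"Error code: (NTSTATUS) 0x{status:08x} ({status})"


def render_status_message(arg2, arg3, arg4):
    """Format the values the way the string found by !dpx shows them: the status
    and the low dword of args 3 and 4, each as 8 hex digits."""
    status = arg2 & 0xFFFFFFFF
    lo3 = arg3 & 0xFFFFFFFF
    lo4 = arg4 & 0xFFFFFFFF
    return (
        "The initial session process or system process terminated unexpectedly "
        f"with a status of 0x{status:08x} (0x{lo3:08x} 0x{lo4:08x})."
    )


def is_signature_failure(arg2):
    """Triage helper: does the status say code integrity rejected a file?"""
    return decode_ntstatus(arg2)["name"] == "STATUS_INVALID_IMAGE_HASH"


if __name__ == "__main__":
    print(decode_ntstatus(ARG2))
    print(windbg_error_prefix(ARG2))
    print(render_status_message(ARG2, ARG3, ARG4))
    print("signature failure:", is_signature_failure(ARG2))
```

The facility comes out as 0 and the severity as error, which is consistent with !error reporting a plain NT code-integrity failure rather than a driver- or customer-defined status.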
2: kd> knL
# Child-SP RetAddr Call Site
00 fffff28a`b4a84598 fffff804`55daf55a nt!KeBugCheckEx
01 fffff28a`b4a845a0 fffff804`55da0f8f nt!PopGracefulShutdown+0x29a
02 fffff28a`b4a845e0 fffff804`55d966fc nt!PopTransitionSystemPowerStateEx+0x11c9f
03 fffff28a`b4a846a0 fffff804`558086b8 nt!NtSetSystemPowerState+0x4c
04 fffff28a`b4a84880 fffff804`557fab50 nt!KiSystemServiceCopyEnd+0x28
05 fffff28a`b4a84a18 fffff804`55c31447 nt!KiServiceLinkage
06 fffff28a`b4a84a20 fffff804`55b627a9 nt!PopIssueActionRequest+0xceb7f
07 fffff28a`b4a84ac0 fffff804`556f32c4 nt!PopPolicyWorkerAction+0x79
08 fffff28a`b4a84b30 fffff804`55741225 nt!PopPolicyWorkerThread+0x94
09 fffff28a`b4a84b70 fffff804`556f53b5 nt!ExpWorkerThread+0x105
0a fffff28a`b4a84c10 fffff804`557fe348 nt!PspSystemThreadStartup+0x55
0b fffff28a`b4a84c60 00000000`00000000 nt!KiStartSystemThread+0x28
The stack doesn't show much useful information, although we can see the system transitioning to kernel mode and then shutting down with the bugcheck, as described earlier.
Now, there are a few things which you can do to remedy the problem. First of all, we can run the sfc /scannow command to find which file(s) are corrupt and repair them. Alternatively, we can attempt a repair install of the entire operating system. In this particular case, the user did an in-place upgrade and it resolved the issue. In addition to this, you may wish to consider having the user run some hard drive diagnostics to ensure that the drive isn't failing. Another less common yet still significant factor is malfunctioning RAM.
As a closing note, Microsoft have mentioned that the crash can be due to backup programs not fully backing up the operating system and missing key system files. This may be something to check if you ever find a user with this bugcheck.
References:
Debugging CSRSS - Windows drivers
Bug Check 0xC000021A WINLOGON_FATAL_ERROR - Windows drivers
Windows Internals 7th Edition - Part 2