My first BSOD blog post 0x21A Analysis

This is my first BSOD blog post; it covers the analysis of a 0x21A crash.
The descriptions of the BSOD error codes are my own opinion, based on 1.5+ years of BSOD debugging experience.
 
 
 
Some information about the situation

The problem description:

While playing, my computer randomly crashes. It has happened several times now and I don’t know where the issue is. The computer once had several BSODs in succession, but works again. It also happened while watching a movie.
I also get a black screen randomly without doing anything. The screen becomes black, sometimes red, and works again after a reset. Therefore I guess it is GPU related but I am not very sure, because it also happened just while watching a movie.
 

Link: BSOD playing Games like CIV 6
 
 
 
The BSODs present, with their usual causes
– 0x21A,

  • User-mode device driver,
  • system service or 3rd party application,
  • Mismatched system files

– 0x34,

  • Insufficient physical memory,
  • Indexing,
  • Device driver

– 0x109,

  • Device driver,
  • Breakpoint set with no debugger attached,
  • Hardware (Memory in particular)

My own experience with these bugchecks:
– The 0x21A is IMO usually caused by HDD and RAM issues rather than mismatched system files. Mismatched system files are usually the result of a different cause.

– The 0x34 is IMO similar to the 0x24 crash, which is an NTFS-related crash.

– The 0x109 is in this case caused by a ‘Modification of a function or .pdata’, usually caused by buggy drivers or bad RAM.

In combination, these crashes point to only a few causes.
– HDD
– RAM
With bad luck, the motherboard can also be added to the list, because of problems in its communication with the RAM or HDD, to put it very simply.
 
 
 
With all this in mind, I wanted to find out what the 0x21A was complaining about, so I ran the !error command on the second parameter.

WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: ffffb082ec613ab0, String that identifies the problem.
Arg2: ffffffffc0000428, Error Code.
Arg3: 0000000000000000
Arg4: 000001898e8a0000

6: kd> !error ffffffffc0000428
Error code: (NTSTATUS) 0xc0000428 (3221226536) - Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Windows marks some files as critical, because Windows cannot run when anything goes wrong with them. If a problem occurs with one of them, the system crashes with a 0xC000021A.
In the case of the 0x21A, it is about the termination of a critical file; this can happen for various reasons, such as malware or, in this case, an invalid digital signature.
The 0x21A is complaining about the smss.exe file, the Windows application that handles sessions in Windows.

Smss.exe initializes the Windows subsystem. As a side note, this is why smss.exe is a Windows application that doesn’t use the Windows APIs; instead it uses the core executive APIs, a.k.a. the Windows native API.
After the Windows subsystem is initialized, smss.exe maps the registry by calling the configuration manager subsystem. The configuration manager is programmed to know where the corresponding hive is stored on disk, and it records the paths to the hives it loads in HKLM\SYSTEM\CurrentControlSet\Control\hivelist.
 
 
 
Looking at the time of the 0x21A crash, we see that the system lasted 9 seconds:

System Uptime: 0 days 0:00:09.093

This indicates that smss.exe was working on its second task, which suggests that there may be a problem with the RAM.
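
The triage steps above (reading Arg2 of the 0x21A, dropping the sign extension, splitting the NTSTATUS into its fields and noting the uptime), as an added example that is not part of the original analysis. The function names `decode_ntstatus` and `triage` are hypothetical, the symbolic status names come from ntstatus.h rather than from this post, and the sample text is constructed from the debugger lines quoted here.

```python
import re

# Constructed sample: the debugger lines quoted in this post, joined together.
SAMPLE = """WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: ffffb082ec613ab0, String that identifies the problem.
Arg2: ffffffffc0000428, Error Code.
Arg3: 0000000000000000
Arg4: 000001898e8a0000
System Uptime: 0 days 0:00:09.093
"""

SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
# Deliberately tiny lookup (names from ntstatus.h, an assumption); extend as needed.
KNOWN = {0xC000021A: "STATUS_SYSTEM_PROCESS_TERMINATED",
         0xC0000428: "STATUS_INVALID_IMAGE_HASH"}

def decode_ntstatus(value):
    """Split an NTSTATUS, possibly sign-extended to 64 bits, into its fields."""
    v = value & 0xFFFFFFFF  # the debugger shows the 32-bit status sign-extended
    return {"value": v,
            "severity": SEVERITY[v >> 30],       # bits 31-30
            "customer": bool(v & 0x20000000),    # bit 29: customer-defined code
            "facility": (v >> 16) & 0x0FFF,      # bits 27-16
            "code": v & 0xFFFF,                  # bits 15-0
            "name": KNOWN.get(v, "unknown")}

def triage(text):
    """Extract bugcheck, Arg1-4 and uptime from '!analyze -v' style text."""
    head = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)", text, re.M)
    if head is None:
        raise ValueError("no bugcheck header found")
    args = {int(n): int(h, 16)
            for n, h in re.findall(r"^Arg([1-4]): ([0-9a-fA-F]+)", text, re.M)}
    result = {"bugcheck": head.group(1),
              "bugcheck_status": decode_ntstatus(int(head.group(2), 16)),
              "args": args, "status": None, "uptime_ms": None}
    # Only for 0xC000021A is Arg2 the error code that !error was run on.
    if result["bugcheck_status"]["value"] == 0xC000021A and 2 in args:
        result["status"] = decode_ntstatus(args[2])
    up = re.search(r"System Uptime: (\d+) days (\d+):(\d+):(\d+)\.(\d{3})", text)
    if up:
        d, h, m, s, ms = map(int, up.groups())
        result["uptime_ms"] = (((d * 24 + h) * 60 + m) * 60 + s) * 1000 + ms
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```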

I had the user run SeaTools, HD Tune, chkdsk, MemTest86+ and sfc /scannow.
I doubted that SFC would turn up anything related to file system corruption, but better safe than sorry, so I suggested it.
Unfortunately, all of the user's attachments were deleted except for the chkdsk result, so I can only say that a few security descriptors were removed.

MemTest86+, however, did show errors on every possible slot combination, meaning that the motherboard needed to be RMA’ed.

This concludes the first blog post.

Reference

BSOD Index
Windows Internals 6th Edition Part 1 & 2.
