Debugging a fatal system error 0xC000021A (STATUS_SYSTEM_PROCESS_TERMINATED) with Verification of a known DLL failed X64_0xc000021a_c000012f
I had a system that would try to boot into the Operating system then power itself off. In safe mode I could see it load a bunch of drivers then it would just hang on one dll (WLDAP32.dll). I wanted to verify that the dll I saw safe mode hang on was indeed causing the fatal system error. I attached a kernel debugger (the server was configured for kernel debugging) and restarted the server with the kernel debugger break on first module load CTRL+K and stepped through the boot up until I hit the stop code.
*** Fatal System Error: 0xc000021a
(0xFFFFF8A002A45760,0xFFFFFFFFC000012F,0xFFFFF8A0003D37C0,0x0000000000000000)
STOP: c000021a {Fatal System Error}
The Verification of a KnownDLL failed. system process terminated unexpectedly with a status of 0xc000012f (0x003d37c0 0x00000000)
The system has been shut down.
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows 7 7000 x64 target at (Tue Apr 21 17:54:06.970 2009 (UTC + 1:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
...........................................
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C000021A, {fffff8a002a45760, ffffffffc000012f, fffff8a0003cd3d0, 0}
Probably caused by : Unknown_Image
Followup: kitt
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: fffff8a002a45760, String that identifies the problem.
Arg2: ffffffffc000012f, Error Code.
Arg3: fffff8a0003cd3d0
Arg4: 0000000000000000
Debugging Details:
------------------
ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x%08x
0x%08x 0x%08x). The system has been shut down.
EXCEPTION_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x
8x (0x%08x 0x%08x). The system has been shut down.
EXCEPTION_PARAMETER1: fffff8a002a45760
EXCEPTION_PARAMETER2: ffffffffc000012f
EXCEPTION_PARAMETER3: fffff8a0003cd3d0
EXCEPTION_PARAMETER4: 0
ADDITIONAL_DEBUG_TEXT: Verification of a KnownDLL failed.
BUGCHECK_STR: 0xc000021a_c000012f
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
FOLLOWUP_NAME: kitt
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: kb
FAILURE_BUCKET_ID: X64_0xc000021a_c000012f
BUCKET_ID: X64_0xc000021a_c000012f
OK now I know that a fatal system error occurred, I couldn’t see that from safe mode but what caused it?
ADDITIONAL_DEBUG_TEXT: Verification of a KnownDLL failed.
Good but what dll?
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
Dump the string that identifies the problem fffff8a002a45760
1: kd> db fffff8a002a45760
fffff8a0`02a45760 56 65 72 69 66 69 63 61-74 69 6f 6e 20 6f 66 20 Verification of
fffff8a0`02a45770 61 20 4b 6e 6f 77 6e 44-4c 4c 20 66 61 69 6c 65 a KnownDLL faile
fffff8a0`02a45780 64 2e 00 43 46 30 43 35-43 39 36 42 41 46 42 7d d..CF0C5C96BAFB}
fffff8a0`02a45790 04 01 11 03 63 64 72 6f-5c 00 34 00 26 00 31 00 ....cdro\.4.&.1.
fffff8a0`02a457a0 a0 57 a4 02 a0 f8 ff ff-40 a7 e8 01 80 fa ff ff .W......@.......
fffff8a0`02a457b0 5c 00 3f 00 3f 00 5c 00-49 00 44 00 45 00 23 00 \.?.?.\.I.D.E.#.
fffff8a0`02a457c0 43 00 64 00 52 00 6f 00-6d 00 50 00 48 00 49 00 C.d.R.o.m.P.H.I.
fffff8a0`02a457d0 4c 00 49 00 50 00 53 00-5f 00 44 00 56 00 44 00 L.I.P.S._.D.V.D.
OK tells us what we have already figured out the verification of a known dll failed
Dump the 3rd argument
1: kd> da fffff8a0003cd3d0
fffff8a0`003cd3d0 "WLDAP32.dll"
There we go, the same dll I saw in safe mode.
