I have unknown driver causing boot crash with error 0xc000021a. Disabling driver signature enforcement allows the machine to boot. How to determine which driver or drivers are failing signature enforcement? Thanks.
Update: I ran sigverif and it logged these results:
Microsoft Signature Verification
Log file generated on 6/26/2021 at 11:02 AM
OS Platform: Windows (x64), Version: 10.0, Build: 19043, CSDVersion:
Scan Results: Total Files: 69, Signed: 69, Unsigned: 0, Not Scanned: 0
I've attached the complete log.
109602-sigverif.txt
Some additional info in case it helps... This is a Parallels VM. I have a copy of the machine with updates turned off that does not have the crash. As soon as I enable updates and get the next Windows update, the crash ensues. Here is info on the client OS, both copies are the same:
Edition Windows 10 Enterprise
Version 21H1
OS build 19043.1055
Experience Windows Feature Experience Pack 120.2212.2020.0
I used autoruns as suggested to no avail. I've included a screenshot of one Not Verified that I unchecked and one missing that I unchecked. The issue is still the same - crash unless I disable driver signature enforcement. The autoruns screenshot is using the option to hide Windows entries but all of those show Verified.
There does not appear to be an obvious relationship between a driver showing Not Verified with sigverif or autoruns, and why the crash unless driver signature enforcement is disabled. I'm still stuck trying to determine which driver is causing the crash.
The theory that disabling driver signature enforcement is hiding some other issue seems like a good one. I used the Restart options to Reset Windows, restarted and it still crashed and still needed disabling driver signature enforcement to run. I'm including the results of memory.dmp file analysis. Rather than pursue this further, I created a new Parallels VM and it seems good. Thanks for the advice.
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: ffff8589a32f8600, String that identifies the problem.
Arg2: ffffffffc0000428, Error Code.
Arg3: 0000000000000000
Arg4: 000002111ecd0000
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4218
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 4216
Key : Analysis.Init.CPU.mSec
Value: 5421
Key : Analysis.Init.Elapsed.mSec
Value: 420176
Key : Analysis.Memory.CommitPeak.Mb
Value: 78
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x
EXCEPTION_CODE_STR: c000021a
EXCEPTION_PARAMETER1: ffff8589a32f8600
EXCEPTION_PARAMETER2: ffffffffc0000428
EXCEPTION_PARAMETER3: 0000000000000000
EXCEPTION_PARAMETER4: 2111ecd0000
BUGCHECK_CODE: c000021a
BUGCHECK_P1: ffff8589a32f8600
BUGCHECK_P2: ffffffffc0000428
BUGCHECK_P3: 0
BUGCHECK_P4: 2111ecd0000
PROCESS_NAME: smss.exe
ADDITIONAL_DEBUG_TEXT: initial session process or
IMAGE_NAME: ntkrnlmp.exe
MODULE_NAME: nt
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
STACK_TEXT:
fffff586`1f0d6598 fffff804`3adaf55a : 00000000`0000004c 00000000`c000021a fffff586`1f4663f0 ffffd785`52d3f7e0 : nt!KeBugCheckEx
fffff586`1f0d65a0 fffff804`3ada0f8b : fffff586`1f0d66c0 fffff586`1f0d6660 fffff586`1f0d66c0 fffff586`1f0d6660 : nt!PopGracefulShutdown+0x29a
fffff586`1f0d65e0 fffff804`3ad966fc : 00000000`00000001 fffff804`00000006 00000000`00000004 00000000`00000000 : nt!PopTransitionSystemPowerStateEx+0x11c9b
fffff586`1f0d66a0 fffff804`3a8085b5 : ffffd785`53540000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!NtSetSystemPowerState+0x4c
fffff586`1f0d6880 fffff804`3a7faa80 : fffff804`3ac31603 00000000`00000014 ffffffff`ffffff00 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
fffff586`1f0d6a18 fffff804`3ac31603 : 00000000`00000014 ffffffff`ffffff00 00000000`00000000 fffff804`3b023ba0 : nt!KiServiceLinkage
fffff586`1f0d6a20 fffff804`3ab62729 : 00000000`00000000 ffffd785`52335a60 00000000`00000000 00000000`00000000 : nt!PopIssueActionRequest+0xcedbb
fffff586`1f0d6ac0 fffff804`3a6f32c4 : 00000000`00000001 00000000`00000000 ffffffff`ffffffff fffff804`3b023b00 : nt!PopPolicyWorkerAction+0x79
fffff586`1f0d6b30 fffff804`3a741225 : ffffd785`00000001 ffffd785`522d4080 fffff804`3a6f3230 00000000`00000000 : nt!PopPolicyWorkerThread+0x94
fffff586`1f0d6b70 fffff804`3a6f53b5 : ffffd785`522d4080 00000000`00000080 ffffd785`52282040 00000000`00000000 : nt!ExpWorkerThread+0x105
fffff586`1f0d6c10 fffff804`3a7fe278 : fffff804`35d06180 ffffd785`522d4080 fffff804`3a6f5360 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffff586`1f0d6c60 00000000`00000000 : fffff586`1f0d7000 fffff586`1f0d1000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
SYMBOL_NAME: nt!PopTransitionSystemPowerStateEx+11c9b
IMAGE_VERSION: 10.0.19041.1055
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 11c9b
FAILURE_BUCKET_ID: 0xc000021a_SmpDestroyControlBlock_smss.exe_Terminated_c0000428_nt!PopTransitionSystemPowerStateEx
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {11c026a4-042b-4c24-02dc-2da456397475}
Followup: MachineOwner
---------