How to determine which driver is failing signature enforcement?

Randall Breneman 41 Reputation points
2021-06-26T14:35:21.71+00:00

I have unknown driver causing boot crash with error 0xc000021a. Disabling driver signature enforcement allows the machine to boot. How to determine which driver or drivers are failing signature enforcement? Thanks.

Update: I ran sigverif and it logged these results:
Microsoft Signature Verification
Log file generated on 6/26/2021 at 11:02 AM
OS Platform: Windows (x64), Version: 10.0, Build: 19043, CSDVersion:
Scan Results: Total Files: 69, Signed: 69, Unsigned: 0, Not Scanned: 0

I've attached the complete log.

109602-sigverif.txt

Some additional info in case it helps... This is a Parallels VM. I have a copy of the machine with updates turned off that does not have the crash. As soon as I enable updates and get the next Windows update, the crash ensues. Here is info on the client OS, both copies are the same:
Edition Windows 10 Enterprise
Version 21H1
OS build 19043.1055
Experience Windows Feature Experience Pack 120.2212.2020.0

111527-autoruns3.png

I used autoruns as suggested to no avail. I've included a screenshot of one Not Verified that I unchecked and one missing that I unchecked. The issue is still the same - crash unless I disable driver signature enforcement. The autoruns screenshot is using the option to hide Windows entries but all of those show Verified.

There does not appear to be an obvious relationship between a driver showing Not Verified with sigverif or autoruns, and why the crash unless driver signature enforcement is disabled. I'm still stuck trying to determine which driver is causing the crash.

The theory that disabling driver signature enforcement is hiding some other issue seems like a good one. I used the Restart options to Reset Windows, restarted and it still crashed and still needed disabling driver signature enforcement to run. I'm including the results of memory.dmp file analysis. Rather than pursue this further, I created a new Parallels VM and it seems good. Thanks for the advice. 

1: kd> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Bugcheck Analysis                                    *  
*                                                                             *  
*******************************************************************************  
  
WINLOGON_FATAL_ERROR (c000021a)  
The Winlogon process terminated unexpectedly.  
Arguments:  
Arg1: ffff8589a32f8600, String that identifies the problem.  
Arg2: ffffffffc0000428, Error Code.  
Arg3: 0000000000000000  
Arg4: 000002111ecd0000  
  
Debugging Details:  
------------------  
  
  
KEY_VALUES_STRING: 1  
  
    Key  : Analysis.CPU.mSec  
    Value: 4218  
  
    Key  : Analysis.DebugAnalysisManager  
    Value: Create  
  
    Key  : Analysis.Elapsed.mSec  
    Value: 4216  
  
    Key  : Analysis.Init.CPU.mSec  
    Value: 5421  
  
    Key  : Analysis.Init.Elapsed.mSec  
    Value: 420176  
  
    Key  : Analysis.Memory.CommitPeak.Mb  
    Value: 78  
  
    Key  : WER.OS.Branch  
    Value: vb_release  
  
    Key  : WER.OS.Timestamp  
    Value: 2019-12-06T14:06:00Z  
  
    Key  : WER.OS.Version  
    Value: 10.0.19041.1  
  
  
ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x  
  
EXCEPTION_CODE_STR:  c000021a  
  
EXCEPTION_PARAMETER1:  ffff8589a32f8600  
  
EXCEPTION_PARAMETER2:  ffffffffc0000428  
  
EXCEPTION_PARAMETER3:  0000000000000000  
  
EXCEPTION_PARAMETER4: 2111ecd0000  
  
BUGCHECK_CODE:  c000021a  
  
BUGCHECK_P1: ffff8589a32f8600  
  
BUGCHECK_P2: ffffffffc0000428  
  
BUGCHECK_P3: 0  
  
BUGCHECK_P4: 2111ecd0000  
  
PROCESS_NAME:  smss.exe  
  
ADDITIONAL_DEBUG_TEXT:  initial session process or  
  
IMAGE_NAME:  ntkrnlmp.exe  
  
MODULE_NAME: nt  
  
BLACKBOXBSD: 1 (!blackboxbsd)  
  
  
BLACKBOXNTFS: 1 (!blackboxntfs)  
  
  
STACK_TEXT:    
fffff586`1f0d6598 fffff804`3adaf55a     : 00000000`0000004c 00000000`c000021a fffff586`1f4663f0 ffffd785`52d3f7e0 : nt!KeBugCheckEx  
fffff586`1f0d65a0 fffff804`3ada0f8b     : fffff586`1f0d66c0 fffff586`1f0d6660 fffff586`1f0d66c0 fffff586`1f0d6660 : nt!PopGracefulShutdown+0x29a  
fffff586`1f0d65e0 fffff804`3ad966fc     : 00000000`00000001 fffff804`00000006 00000000`00000004 00000000`00000000 : nt!PopTransitionSystemPowerStateEx+0x11c9b  
fffff586`1f0d66a0 fffff804`3a8085b5     : ffffd785`53540000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!NtSetSystemPowerState+0x4c  
fffff586`1f0d6880 fffff804`3a7faa80     : fffff804`3ac31603 00000000`00000014 ffffffff`ffffff00 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25  
fffff586`1f0d6a18 fffff804`3ac31603     : 00000000`00000014 ffffffff`ffffff00 00000000`00000000 fffff804`3b023ba0 : nt!KiServiceLinkage  
fffff586`1f0d6a20 fffff804`3ab62729     : 00000000`00000000 ffffd785`52335a60 00000000`00000000 00000000`00000000 : nt!PopIssueActionRequest+0xcedbb  
fffff586`1f0d6ac0 fffff804`3a6f32c4     : 00000000`00000001 00000000`00000000 ffffffff`ffffffff fffff804`3b023b00 : nt!PopPolicyWorkerAction+0x79  
fffff586`1f0d6b30 fffff804`3a741225     : ffffd785`00000001 ffffd785`522d4080 fffff804`3a6f3230 00000000`00000000 : nt!PopPolicyWorkerThread+0x94  
fffff586`1f0d6b70 fffff804`3a6f53b5     : ffffd785`522d4080 00000000`00000080 ffffd785`52282040 00000000`00000000 : nt!ExpWorkerThread+0x105  
fffff586`1f0d6c10 fffff804`3a7fe278     : fffff804`35d06180 ffffd785`522d4080 fffff804`3a6f5360 00000000`00000000 : nt!PspSystemThreadStartup+0x55  
fffff586`1f0d6c60 00000000`00000000     : fffff586`1f0d7000 fffff586`1f0d1000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28  
  
  
SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+11c9b  
  
IMAGE_VERSION:  10.0.19041.1055  
  
STACK_COMMAND:  .thread ; .cxr ; kb  
  
BUCKET_ID_FUNC_OFFSET:  11c9b  
  
FAILURE_BUCKET_ID:  0xc000021a_SmpDestroyControlBlock_smss.exe_Terminated_c0000428_nt!PopTransitionSystemPowerStateEx  
  
OS_VERSION:  10.0.19041.1  
  
BUILDLAB_STR:  vb_release  
  
OSPLATFORM_TYPE:  x64  
  
OSNAME:  Windows 10  
  
FAILURE_ID_HASH:  {11c026a4-042b-4c24-02dc-2da456397475}  
  
Followup:     MachineOwner  
---------
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,754 questions
0 comments
Accepted answer
  1. Gary Nebbett 5,721 Reputation points
    2021-07-04T12:51:56.56+00:00

    Hello @Randall Breneman ,

    Is any dump file (minidump or full dump) created when the system crashes? A dump file would probably make it relatively easy to identify which file is causing the problem.

    I don't think that the file is necessarily a device driver file - the symbolic name of the error code 0xC000021A is STATUS_SYSTEM_PROCESS_TERMINATED and this might be hinting that an essential system process failed to start successfully because of code integrity problems.

    Disabling "driver signature enforcement" possibly disables code integrity measures more widely than the name suggests...

    Another approach might be to use the Microsoft-Windows-CodeIntegrity ETW provider to trace code integrity actions during the boot phase.

    Gary

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Teemo Tang 11,336 Reputation points
    2021-06-28T02:26:34.99+00:00

    You can use Autoruns from sysinternals to verify drivers
    https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

    Validate drivers: This step checks non-Microsoft drivers. According to the Windows Sysinternals Administrator’s Reference, “Verifying a digital signature associated with that file gives a much higher degree of assurance of the file’s authenticity and integrity.” Note: When a driver is verified, the Publisher field changes from the company name to the name on the signed certificate. 1.Click the Drivers tab and look for drivers that are “Not Verified”. This will show up in the Publisher field.
    and
    3. If any of the drivers are highlighted and come up as “Not Verified” in the Publisher field, then the driver does not have a digital signature.

    A good reference:
    How to verify that system drivers are digitally signed
    https://www.ghacks.net/2015/04/11/how-to-verify-that-system-drivers-are-digitally-signed/

    -------------------------------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Docs 15,141 Reputation points
    2021-07-11T01:44:12.087+00:00

    Just noticed that you've accepted an earlier answer.

    In case you need additional help please open a new thread.

    Disable driver signature enforcement > boot > run the V2 log collector > post a share link into this thread

    https://www.windowsq.com/resources/v2-log-collector.8/
    https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

    .
    .
    .
    .
    .

    Please remember to vote and to mark the replies as answers if they help.

    On the bottom of each post there is:

    Propose as answer = answered the question

    On the left side of each post: Vote = a helpful post
    .
    .
    .
    .
    .

    0 comments