Aerosol
Posted December 28, 2014

Yay, a debugging post! : )

This bug check in most if not all cases is caused by a critical Windows component corruption (.dll, piece of the file system, etc), a 3rd party driver causing a conflict (rare), etc.

---------------------------

First of all, let's have a look at the basic description of the bug check:

WINLOGON_FATAL_ERROR (c000021a)
This means that an error has occurred in a crucial user-mode subsystem.

Okay, with that said let's go ahead and expand a bit on what this exactly means. Within user-mode we have various subsystems such as WinLogon or csrss.exe (Client/Server Runtime Subsystem). When for some reason these 'critical' subsystems unexpectedly cease to exist, or have any sort of problem that prevents them from running or doing their job, the OS will swap to kernel-mode.

What's the problem with this? The subsystems I mentioned above are strictly user-mode, therefore when the OS swaps to kernel-mode, it calls a bug check, as this is a big no-no: the OS cannot run without those subsystems.

In this bug check, two of the four parameters are important:

-- In this example, I will be using a 0xC000021A I solved quite some time ago. Your parameters may obviously differ.

BugCheck C000021A, {8da5e6b0, c0000006, 75a4e5e5, 13f86c}

The 1st parameter (8da5e6b0 in our case) is the string that identifies the problem.
The 2nd parameter (c0000006 in our case) is the error code.

---------------------------

FAILURE_BUCKET_ID: 0xc000021a_csrss.exe_c0000006_PoShutdown_ANALYSIS_INCONCLUSIVE

We can see it was csrss.exe that terminated unexpectedly. Why?

1: kd> db 8da5e6b0
8da5e6b0  57 69 6e 64 6f 77 73 20-53 75 62 53 79 73 74 65  Windows SubSyste
8da5e6c0  6d 00 a5 8d c0 e6 a5 8d-04 04 2b 06 46 4d 66 6e  m.........+.FMfn
8da5e6d0  04 f2 4e 01 00 00 00 00-a7 73 19 00 00 00 00 00  ..N......s......
8da5e6e0  e0 e6 a5 8d 00 00 00 00-00 00 00 00 e4 cf 61 8a  ..............a.
8da5e6f0  00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 00  ...........
@...............
8da5e720  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

If we run db on the 1st parameter, it dumps the bytes from the string. We can see FMfn, which is a pool tag, specifically the NAME_CACHE_NODE structure. It's part of fltmgr.sys, which is the Microsoft Filesystem Filter Manager driver.

1: kd> da 8da5e6b0
8da5e6b0  "Windows SubSystem"

If we run da on the 1st parameter, it dumps ASCII strings. Not very helpful given we already knew this, but it's just another way to show you how you can see what caused the crash.

---------------------------

In this specific case, I advised the user to insert the installation media and run a repair (which solved the problem).

Thanks for reading!
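As an added example (not part of the original post), this Python helper performs the same triage on saved debugger output: it reads the 0xC000021A parameters, follows the 1st parameter into the `db` rows to recover the string, names the 2nd parameter, and takes the process from the failure bucket. The function names are hypothetical, the sample text is constructed from the lines quoted in the post, and the NTSTATUS names are a small subset of ntstatus.h rather than anything the post states.

```python
import re

# Constructed sample: debugger lines as quoted in the post above.
SAMPLE = """\
BugCheck C000021A, {8da5e6b0, c0000006, 75a4e5e5, 13f86c}
FAILURE_BUCKET_ID: 0xc000021a_csrss.exe_c0000006_PoShutdown_ANALYSIS_INCONCLUSIVE
1: kd> db 8da5e6b0
8da5e6b0  57 69 6e 64 6f 77 73 20-53 75 62 53 79 73 74 65  Windows SubSyste
8da5e6c0  6d 00 a5 8d c0 e6 a5 8d-04 04 2b 06 46 4d 66 6e  m.........+.FMfn
"""

# Small subset of NTSTATUS values from ntstatus.h (not exhaustive).
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000006: "STATUS_IN_PAGE_ERROR",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
}
BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
DB_ROW_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})", re.I | re.M)
BUCKET_RE = re.compile(r"FAILURE_BUCKET_ID:\s*0x[0-9a-f]+_([^_\s]+)_", re.I)

def read_memory(text):
    """Map address -> byte value for every complete `db` row in the text."""
    mem = {}
    for addr, hexbytes in DB_ROW_RE.findall(text):
        for i, b in enumerate(bytes.fromhex(hexbytes.replace("-", " "))):
            mem[int(addr, 16) + i] = b
    return mem

def read_cstring(mem, addr, limit=256):
    """Read a NUL-terminated ASCII string; stop at a gap in the dump."""
    out = bytearray()
    while addr in mem and mem[addr] != 0 and len(out) < limit:
        out.append(mem[addr])
        addr += 1
    return out.decode("ascii", "replace")

def triage(text):
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    params = [int(p, 16) for p in m.group(2).split(",")]
    if int(m.group(1), 16) != 0xC000021A or len(params) != 4:
        raise ValueError("not a 0xC000021A bug check with four parameters")
    bucket = BUCKET_RE.search(text)
    return {
        "subsystem": read_cstring(read_memory(text), params[0]),  # 1st parameter
        "status": NTSTATUS.get(params[1], "unknown (0x%08X)" % params[1]),  # 2nd
        "process": bucket.group(1) if bucket else None,
    }
```

Calling `triage(SAMPLE)` returns the subsystem string, the named status and the process; a status that is not in the table comes back as `unknown (0x...)` instead of being guessed.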