Link to home
Create AccountLog in
Avatar of dread1124
dread1124

asked on

Stop: c000021a {fatal system error} the windows logon process system process terminated unexpectedly

sconstantine ... I read your response and was initially excited and tried your solution, but of all the updates you listed only one was on this workstation and removing it did not work..

I do not have the luxury of re-installing windows or recoverying windows xp everytime, because I work for a school system and this nasty c000021a stop error is now on 21 desktops and laptops and counting. Some of them had the windows updates turned on, and others did not. Some are dell workstation, some are dell laptops, other are gateway desktops and gateway laptops. The model numbers are numerous. needless to say that this is not happening to any one specific machine type. I have tried all the microsoft (so called knowledge base) help files, which there are several addressing this specific issue. They range from alleged issues with IE to removing these updates as you suggested.

I have also tried booting into safe mode, but everytime the machines stops then auto reboot after trying to load AGPCPQ.sys. So my genius solution was to use recovery console to stop loading this AGPCPQ.sys at boot, but when I try to restart in safe mode again it now stops at AGP440.sys. Yes! I stopped that one from loading as well, but now it stops at mup.sys. Obviously this is not the solution.

Dell, Microsoft and Novell were all consulted, and as you would expect and bunch garbage and no solution.

Any suggestion will be greatly appreciated.

Please Help!!!!!!!!!!!!!
Avatar of flubbster
flubbster
Flag of United States of America image

It would seem obvious that the problem was caused by an update of some sort that is conflicting with some installed software common to all machines. Could you list the updates that you looked for and actually removed? This is my first glimpse of your issue.
Avatar of dread1124
dread1124

ASKER

flubbster... I searched for KB893066, KB893086, KB890859 and KB890923. Of these updates KB890859 was the only one installed on this machine that I have on my work desk.

An update to this issue: I booted in safe mode waited for the system to stop and reboot. Shut it down and rebooted with Knoppix and looked at the ntbtlog.txt file that is created in C:\Windows after safe mode fails and this is what I got..... See attached.
ntbtlog.txt
dang... it kind of looks like the chipset driver is wacked, but I don't understand how that can be on so many different systems at the same time.

Could you check for this one also pls?
891781
This is interesting.... I use recovery console as I've done before to remove other updates, but this one KB891781 give me a "Access is denied" message. What gives?
Update: I got a copy of "The Ultimate Boot CD 4 Windows" ver 3.14 and used it to remove the KB891781 but the machine still goes to that nasty stop error.... crud!!!!!!!!!!
aarrrgghhhh...... what could have been installed that could wipe out all those systems?

do they all have Google Desktop Search by any chance? If so.... kill them using the boot cd if you can.

It really looks like the chipset got corrupted, based on the log. How across all those systems tho? Can you trace back, through install logs maybe on the server, what the last update/install was that was pushed out to the systems? You could try downloading the chipset driver for a test system and install using the boot cd and see if that helps.
I've asked the other techs around the office and of 9 machines, 2 had google toolbar, 1 had yahoo toolbar and the rest are basic imaged PC's with a bunch of updates applied. The other techs also removed the KB891781 and nothing changed.... And the count is now 27 PC's with this issue.
I'm really beginning to wonder if you have a nasty that is propogating across the network. I assume you have antivirus and firewalls in place. Do you have an antivirus package that is cd bootable, like Norton's ?   (even tho I hate norton, you can boot from it). You'll need to set BIOS for CD Boot as first choice obviously..

Over what kind of timeframe was the problem observed? Did 20 systems get it at once? Did it start with 2, then within 2 days reach 20? etc....

I would still try doing the chipset on a test system if you can use Ultimate Boot to install it...

meanwhile, back at the ranch... I'm still investigating for you....
Give this a try. Use a working system and get to the %Systemroot%\system32 folder

copy these files:
Gdi32.dll
Msvcrt.dll
Comctl32.dll

On a bad system, use a command prompt or boot cd, whichever, to replace the existing ones. Now.. how do you copy them over? Not sure. If a floppy is available, that is the easiest way. Does the Ultimate Boot Cd allow you to usb USB sticks? If so, might want to try that. Otherwise, if you have an XP cd or service pack 2 CD, you can try to extract them from the \1386 folder, like so:

 expand x:\i386\Gdi32.dl_ c:\windows\i386\Gdi32.dll
attempt to register it:
regsvr32 Gdi32.dll

repeat for the other 2 files

may be able to do this from the recovery console by inserting the service pack cd into the drive after the console loads and you get the command prompt
Flubbster  I'll try this in about 2hrs... A few people with power and position PC just got the blue screen and the big boss has ordered we stop everything and tend to these crying monkeys in suits before we look for a solution. Great world we live.... When I change it I'll post the results.
np... good luck... man, sounds like an epidemic there.

I highly recommend a healthy and situation appropriate lunch.... Beer and chips.  ;-}
OK I took a laptop with me that has the error. I copied the dll's from my working laptop to my thumb drive and booted with the ultimate boot cd and i recognized the thumb drive and allowed full access to the system 32 folder. However, even though the ultimate boot cd has a start menu and a run command, it gave an error that says it could not register the dll. So i rebooted without registering and still got that @#$% blue screen    ^%$#   microsoft    $%^&^%$#$%@#$%    error!
hmmmm... I would think that the dll's should self-register at boot, unless it is not reaching them. This is getting frustrating... can only imagine how you feel.

OK... find a live chicken.... spin it over the bad pc and chant "Bill Gates is Wonderful"
hope that got a smile....

Ok...commonality. Something pushed out from the server via GPO or something. A common update. An Antivirus update. A virus that is spreading.... something along those lines. Have you tried a virus scan with a bootable Scanner CD? Norton's will do it. I think others will also.

Took a while to get a bootable virus scan disc but the results are as expected. No virus detected. I just don't get it. These machines will not even run in Debugger mode, the last known good configuration doesn't work and windows restore option does not work. We tried to use the restore option from the Windows CD and each machine responded differently, most froze during the restore process and two of them completed, but either of the two restores full functionality and has numerous issues and errors. One tech has been on and off the phones with Microsoft since 8am, and nothing. ??????????
I don't think so, but are you running Goback (included with Norton System Works)?
What service pack for XP and what version of IE?
we have sp2 and ie 7.
Back... been researching this thing for you and it sure seems like an update that crashed all your systems. Most likely related to an incompatability with the chipsets on the systems ( I hope). I would like you to try this from Microsoft. You will need an XP CD to boot into the recovery console and your admin password for the system you are trying this on of course.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324764

Has to do with the video driver agp440.sys compatability with certain updates after sp2 is installed. The final solution is to attempt to get updated BIOS from the mfg. However, this will disable the service and use the built-in video driver.

please give this kb a shot and let me know how you make out.
I have already tried this approach from day one. Look at my original question

" I have also tried booting into safe mode, but everytime the machines stops then auto reboot after trying to load AGPCPQ.sys. So my genius solution was to use recovery console to stop loading this AGPCPQ.sys at boot, but when I try to restart in safe mode again it now stops at AGP440.sys. Yes! I stopped that one from loading as well, but now it stops at mup.sys. Obviously this is not the solution."

It didn't work for us either...
Sorry.. I read that several times and just didn't make the connection.

I found a reference to Winlogon.exe that handles the logon process. It is located in 3 locations typically:

c:\windows\system32
c:\windows\system32\dllcache
c:\windows\servicepackfiles\i386

I have a couple of ideas you can try if you like.

Try to replace the winlogon.exe in the first 2 locations: system32 ans system32\dllcache
you will need to expand it from an xp cd using expand d:\1386\winlogon.ex_ c:\windows\system32
repeat for the dllcache location

Have you tried to update the bios on an infected system yet? I really think you should.
I just tried that using the ultimate boot cd, and the only thing it did was to put the machine in a auto-reboot loop. When I attempt to disable the reboot after error in the F8 advance confige options menu nothing happens. But, on the bright side, I don't see the c000021a blue screen anymore because now its stuck in a "boot loop".

I just got word that if we can't find the source, then all the machine that are showing the error now are going to be imaged and anyone that pops up in the future will be re-imaged as well without troubleshooting.... Don't you just love politics!
Wonderfulll.. the leg is infected... cut it off!!!!!!!!!!!!!!

I really wish I could have helped you to solve this. I have spent so much time looking into to this. It looks like it is a pretty common problem, with no real solution.

The thing that really concerns me though is the sequence of "infections" that youi have seen. It looks like the problem just multiplied across the network. You really need to look at the timeline of the infections and compare them against your server logs to see if you can correlate what might have been pushed out to the pc's just before they crapped out.

Iknow... I know... I'm probably not telling you naything that you don't know or haven't done... but just in case. I can't tell you how many times I tried to troubleshoot a bad piece of electronics only to discover the damn thing wasn't even plugged in!!! LOL

Anyway, I truly wish you the best. One more suggestion if I may. You might want to suggest only doing a few systems initially to see if they get re-infected and track very carefully what is being pushed out to them from the server..

Other than that... It was a pleasure to "meet" you..

all the best,
Frank
Thanks for putting in the time... I gave everyone in the department a copy of our dialog along with all the data, and hopeful solutions that never worked. We (the real techs) have put this in our "X-files" cabinet along with one of the older laptops that is displaying the error message for anyone one who wants to take a crack at it later.

So, how do I close this dialog and assign you the necesary points even though we didn't exactly get a solution. Or, do you want to take another shot at this with the one bad laptop that we are keeping?
ASKER CERTIFIED SOLUTION
Avatar of flubbster
flubbster
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Several options were attempted but I believe that one of these could be the answer to someones blue screen issue...