Win XP error c000021a

Hi All,

Backstory:  EU gets spy/malware, runs some legit antivir, computer freezes.
Hard reboot results in BSOD:
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with status of
0x0000005 (0x00000000 0x00000000)
The System has been shut down

BSOD occurs when trying to boot XP in normal, safe mode, last known good config, etc.
Note that I cannot do a clean reinstall as there are some documents in offline files cache (CSC) that the user considers to be of utmost importance.

XP Repair will not work, as this Lenovo laptop has been factory downgraded from Vista to XP and booting from a Windows XP CD results in another, unrelated, BSOD.

I can boot off of [Admin Edit] and access the HDD, registry, etc if need be.

So all this boils down to: how to get rid of the BSOD w/o reformatting the HDD?

Alternatively, what's the best way to access and retrieve offline documents that are stuck in the CSC cache?

TIA for any help.

Timothy McCartney (SYS ADMINISTR I INFRAS) Commented:
Check the SATA settings in the bios. They're probably set to AHCI. Change it to "Compatible" or "IDE" or something along those lines then try running your XP cd again to do your repair installation.

Alternately, you can find SATA drivers to load manually from the manufacturer's website (Press F6 during the initial loading of the XP setup to manually install drivers)
Remove the hard drive and scan it as a slave in another machine. Save the scan log to post here.

You could probably grab those files as well that way
wolfgordon (Author) Commented:
I did scan it as a slave - no malware found. Something tells me that when the EU scanned it originally, the antivir killed the vir but also damaged some other legit file.

The offline mode files (CSC) are hidden in a folder in the bowels of windows directory and are not easily retrievable.
Might suggest extracting all of the files in the Client Side Cache on this dead system....

Get another XP system, and rename the current C:\Windows\CSC directory to CSC-Old, and drop the retrieved CSC folder to the working machine, and try the following....

Features and functions in version 1.1 of the Client-Side Caching ...

Direct downloads of csccmd.exe here....

The command is as follows....

csccmd.exe /extract /target:C:\ExtractedFiles /recurse
(or to only get Offline Modified files.....)
csccmd.exe /extract /target:C:\ExtractedFiles /recurse

(files are brought out to the c:\ExtractedFiles directory....)

johnb6767 Commented:
Also, have you tried mounting the reg hives, and looking at the main keys, like the Winlogon key, or the Shell values? Looked for rogue services as well?

Can also check the offline system's main "viral target" files for a possible compromise....Check versions and file sizes against a known good OS....


And I would recommend using knoppix/UBCD/Slaved drive instead of the above "Rhymes with Siren's" CD, as that's not allowed to be referenced in this site.....

If any of this needs clarification, simply ask.....
wolfgordon (Author) Commented:
Hi guys, thanks for all the hints.

tracerfett, thanks for the info, that allowed me to run the XP repair. The repair failed half way, and the supposed fix from MS didn't work either.

So I guess I will cut my losses and try extracting the CSC stuff as per johnb's suggestions tomorrow.

I will let all know how that goes tomorrow mid day.

thanks again


ps. john, why is "Rhymes with Siren's" banished from this site? I happen to find it very useful and it saved my a$$ plenty of times.
Timothy McCartney (SYS ADMINISTR I INFRAS) Commented:
Have you tried the "fixboot" and "fixmbr" commands from the repair console using the XP disk?

Also, possibly a "chkdsk /r" ?
"ps. john, why is "Rhymes with Siren's" banished from this site? I happen to find it very useful and it saved my a$$ plenty of times."

Because it is distributed freely among the internet, with apps that require licensing...... Actually surprised the mods haven't removed the reference yet.....Just want you to be aware for future postings....

I have two machines with the exact same problem. Both are laptops and run XP Pro. They are not related in any way. It started as a fake av. The user reboots and gets this message.

Here is what I have tried

Based on the BSOD screen I looked up C000021A and based on what I found I looked into user-mode problems.

Restore the Registry from the Repair file...Nothing
Ran the drive as slave and tossed every scanner I could at it. Nothing came up.
SFC /Scannow did not find a problem
I compared the winlogon section of the registry Windowsnt/CurrentVersion/Winlogon and it was the same as a working machine.
System Restore didn't fix it
replaced userinit.exe and winlogon.exe
Chkdsk didn't work
Fix boot and fix mbr didn't work

I am just about out of ideas.

I was about to give up for the night and then I found the solution!!! This worked for both of my laptops!

I renamed the four files in the C:\Windows\System32 folder: winlogon.exe, gdi32.dll, msvcrt.dll, and comctl32.dll to .old. Then I copied them from a known to be good XP to the broken machine.

I first rebooted and got a new stop code 0X0000024. Before looking it up I tried safe mode with command prompt. This worked. I then navigated to Explorer.exe and it fired up. I did a reboot and upon restarting the machine was working.

I did the same thing on the other computer and it worked perfectly. Hope this helps someone else.
After getting in via SafeMode I ran the secedit command to reset the permissions. I then had to run Combo Fix again. This solved the problem for both laptops. It should work for others.
wolfgordon (Author) Commented:
Thanks guys for your help. I was able to fix this Friday night, sorry for late post. I finally managed to run the repair to the end using an OEM cd. Since I used both John's and tracer's suggestions, I will split the points between both parties.


PFrazer (IT Systems Engineer) Commented:
Thank You ComputerCrews
Copying winlogon.exe, gdi32.dll, msvcrt.dll, and comctl32.dll fixed it. I also included explorer.exe. Explorer.exe & Winlogon.exe were both missing. I booted with a WinPE CD then inserted a USB pen drive.

I knew it could be fixed without reloading WindowsXP.
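
Added example (not code from any poster in this thread): one way to do the check suggested above, comparing the logon-path files on the offline disk against a known good XP install before replacing anything. It compares size and SHA-256 rather than version resources; the directory arguments and the sample data in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# System32 files the thread reports as damaged, missing or replaced.
TARGETS = ["winlogon.exe", "gdi32.dll", "msvcrt.dll", "comctl32.dll", "userinit.exe"]

def fingerprint(path):
    """Return (size, sha256 hex) for a file, or None if it does not exist."""
    if not path.is_file():
        return None
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()

def find_ci(directory, name):
    """Case-insensitive lookup; a Linux live CD treats GDI32.DLL and gdi32.dll as different names."""
    for entry in Path(directory).iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return Path(directory) / name

def compare(offline_dir, reference_dir, names=TARGETS):
    """Classify each target on the offline disk as ok, missing or different."""
    report = {}
    for name in names:
        ref = fingerprint(find_ci(reference_dir, name))
        off = fingerprint(find_ci(offline_dir, name))
        if ref is None:
            report[name] = "no-reference"
        elif off is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if off == ref else "different"
    return report

def demo():
    """Constructed sample folders standing in for the two System32 directories."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good"), Path(tmp, "bad")
        good.mkdir()
        bad.mkdir()
        for name in TARGETS:
            (good / name).write_bytes(b"reference " + name.encode())
        (bad / "GDI32.DLL").write_bytes(b"reference gdi32.dll")      # intact, other case
        (bad / "msvcrt.dll").write_bytes(b"truncated")               # damaged copy
        (bad / "comctl32.dll").write_bytes(b"reference comctl32.dll")
        (bad / "userinit.exe").write_bytes(b"reference userinit.exe")
        return compare(bad, good)                                    # winlogon.exe absent

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

A "different" result only means something if the reference machine is at the same XP service pack and patch level as the broken one; otherwise legitimately updated files will also differ.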