Solved

Win XP error c000021a

Posted on 2010-09-22
13
812 Views
Last Modified: 2012-06-27
Hi All,

Backstory:  EU gets spy/malware, runs some legit antivir, computer freezes.
Hard reboot results in BSOD:
----------------------------------------------
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with status of
0x0000005 (0x00000000 0x00000000)
The System has been shut down
----------------------------------------------

BSOD occurs when trying to boot XP in normal, safe mode, last know good config, etc.
Note that i cannot do a clean reinstall as there are some documents in  offline files cache (CSC) that the user considers to be of utmost importance.

XP Repair will not work, as this Lenovo laptop has been factory downgraded from Vista to XP and booting from a Windows XP CD results in another, unrelated, BSOD.

I can boot off of [Admin Edit] and access the HDD, registry, etc if need be.

So all this boils down to: how to get rid of the BSOD w/o reformatting the HDD?

Alternatively, whats the best way to access and retrieve offline documents  that are stuck in the CSC cache?

TIA for any help.

~adam
0
Comment
Question by:wolfgordon
  • 3
  • 3
  • 3
  • +3
13 Comments
 
LVL 22

Expert Comment

by:optoma
ID: 33737043
Remove the hard drive and scan it as a slave in another machine. Save the scan log to post here.

You could probably grab those files as well that way
0
 

Author Comment

by:wolfgordon
ID: 33737094
I did scan it as a slave - no malware found. something tells me that when the EU scanned it originally, the antivir killed the vir but also damaged some other legit file.

the offline mode files (CSC) are hidden in a folder in the bowels of windows directory and are not easily retrievable.
0
 
LVL 9

Accepted Solution

by:
Timothy McCartney earned 250 total points
ID: 33737202
Check the SATA settings in the bios. They're probably set to AHCI. Change it to "Compatible" or "IDE" or something along those lines then try running your XP cd again to do your repair installation.

Alternately, you can find SATA drivers to load manually from the manufacturer's website (Press F6 during the initial loading of the XP setup to manually install drivers)
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33737707
Might suggest extracting all of the files in the Client Side Cache on this dead system....

Get another XP system, and rename the current C:\Windows\CSC directory to CSC-Old, and drop the retrieved CSC folder to the working machine, and try the following....

Features and functions in version 1.1 of the Client-Side Caching ...
http://support.microsoft.com/kb/884739

Direct downloads of csccmd.exe here....
http://stingr.net/ftp/pub/csccmdv1.1.zip
http://www.megaupload.com/?d=5EUO5R6K

The command is as follows....

csccmd.exe /extract /target:C:\ExtractedFiles /recurse
(or to only get Offline Modified files.....)
csccmd.exe /extract /target:C:\ExtractedFiles /recurse

(files are brought out to the c:\ExtractedFiles directory....

0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 250 total points
ID: 33737757
Also, have you tried mounting the reg hives, and looking at the main keys, like the Winlogon key, or the Shell values? Looked for rogue services as well?

Can also check the offline system's main "viral target" target files for a possible compromise....Check versions and file sizes against a known good OS....

winlogon.exe
explorer.exe
userinit.exe
svchost.exe

And I would recommend using knoppix/UBCD/Slaved drive instead of the above "Rhymes with Siren's" CD, as thats not allowed to be referenced in this site.....

If any of this needs clarification, simply ask.....
0
 

Author Comment

by:wolfgordon
ID: 33737847
Hi guys, thanks for all the hints.

tracerfett, thanks for the info, that allowed me to run the XP repair. The repair failed half way, and the supposed fix from MS (http://support.microsoft.com/kb/823303) didnt work either.

So I guess i will cut my losses and try extracting the CSC stuff as per johnb's suggestions tomorrow.

I will let all know how that goes tomorrow mid day.

thanks again

~a

ps. john, why is "Rhymes with Siren's" banished from this site? i happen to find it very useful and saved it my a$$ plenty  times.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 9

Expert Comment

by:Timothy McCartney
ID: 33738057
Have you tried the "fixboot" and "fixmbr" commands from the repair console using the XP disk?

Also, possibly a "chkdsk /r" ?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33739777
"ps. john, why is "Rhymes with Siren's" banished from this site? i happen to find it very useful and saved it my a$$ plenty  times."

Because it is distributed freely among the internet, with apps that require licensing...... Actually surprised the mods havent removed the reference yet.....Just want you to be aware for future postings....
0
 

Expert Comment

by:ComputerCrews
ID: 33758861
Wolfgordon,

I have two machines with the exact same problem. Both are laptops and run XP Pro. They are not related in anyway. It started as a fake av. The user reboots and gets this message.

Here is what I have tried

Based on the BSOD screen i looked up C000021A and based on what I found I looked into user-mode problems.

Restore the Registry from the Repair file...Nothing
Ran the drive as slave and tossed every scanner I could at it. Nothing came up.
SFC /Scannow did not find a problem
I compared the winlogon section of the registry Windowsnt/CurrentVersion/Winlogon and it was the same as a working machine.
System Restore didn't fixit
replaced userinit.exe and winlogon.exe
Chkdsk didn't work
Fix boot and fix mbr didn't work

I am just about out of ideas.
0
 

Expert Comment

by:ComputerCrews
ID: 33759026

I was about to give up for the night and then I found the  solution!!! This worked for both of my laptops!

I renamed the four files in the C:\Windows\System32 folder: winlogon.exe, gdi32.dll, msvcrt.dll, and comctl32.dll to .old. Then I copied the a known to be good XP to the broken machine.

I first rebooted and goet a new stop code 0X0000024. Before looking it up I tried safe mode with command prompt. This worked. I then navigated to Explorer.exe and it fired up. I did a reboot and up restarting the machine was working.

I did the same thing on the other computer and it worked perfectly. Hope this helps someone else.
0
 

Expert Comment

by:ComputerCrews
ID: 33774079
After getting in via SafeMode I ran the secedit command to reset the permissions. I then had to run Combo Fix again. This solved the problem for both laptops. It should work for others.
0
 

Author Closing Comment

by:wolfgordon
ID: 33774672
thanks guys for your help. i was able to fix this Friday night, sorry for late post. I finally managed to run the repair to the end using an OEM cd. Since i used both John's and tracer's suggestions., i will split the points between both parties.

thanks

adam
0
 

Expert Comment

by:PFrazer
ID: 34336027
Thank You ComputerCrews
Copying winlogon.exe, gdi32.dll, msvcrt.dll, and comctl32.dll fixed it.  I also included explorer.exe.   Explorer.exe & Winlogon.exe were both missing.  I booted with a WinPE CD the inserted a USB pen drive.  

I knew it could be fixed without reloading WindowsXP.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now