Solved

Win XP error c000021a

Posted on 2010-09-22
13
825 Views
Last Modified: 2012-06-27
Hi All,

Backstory:  EU gets spy/malware, runs some legit antivir, computer freezes.
Hard reboot results in BSOD:
----------------------------------------------
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with status of
0x0000005 (0x00000000 0x00000000)
The System has been shut down
----------------------------------------------

BSOD occurs when trying to boot XP in normal, safe mode, last know good config, etc.
Note that i cannot do a clean reinstall as there are some documents in  offline files cache (CSC) that the user considers to be of utmost importance.

XP Repair will not work, as this Lenovo laptop has been factory downgraded from Vista to XP and booting from a Windows XP CD results in another, unrelated, BSOD.

I can boot off of [Admin Edit] and access the HDD, registry, etc if need be.

So all this boils down to: how to get rid of the BSOD w/o reformatting the HDD?

Alternatively, whats the best way to access and retrieve offline documents  that are stuck in the CSC cache?

TIA for any help.

~adam
0
Comment
Question by:wolfgordon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
  • +3
13 Comments
 
LVL 22

Expert Comment

by:optoma
ID: 33737043
Remove the hard drive and scan it as a slave in another machine. Save the scan log to post here.

You could probably grab those files as well that way
0
 

Author Comment

by:wolfgordon
ID: 33737094
I did scan it as a slave - no malware found. something tells me that when the EU scanned it originally, the antivir killed the vir but also damaged some other legit file.

the offline mode files (CSC) are hidden in a folder in the bowels of windows directory and are not easily retrievable.
0
 
LVL 9

Accepted Solution

by:
Timothy McCartney earned 250 total points
ID: 33737202
Check the SATA settings in the bios. They're probably set to AHCI. Change it to "Compatible" or "IDE" or something along those lines then try running your XP cd again to do your repair installation.

Alternately, you can find SATA drivers to load manually from the manufacturer's website (Press F6 during the initial loading of the XP setup to manually install drivers)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 66

Expert Comment

by:johnb6767
ID: 33737707
Might suggest extracting all of the files in the Client Side Cache on this dead system....

Get another XP system, and rename the current C:\Windows\CSC directory to CSC-Old, and drop the retrieved CSC folder to the working machine, and try the following....

Features and functions in version 1.1 of the Client-Side Caching ...
http://support.microsoft.com/kb/884739

Direct downloads of csccmd.exe here....
http://stingr.net/ftp/pub/csccmdv1.1.zip
http://www.megaupload.com/?d=5EUO5R6K

The command is as follows....

csccmd.exe /extract /target:C:\ExtractedFiles /recurse
(or to only get Offline Modified files.....)
csccmd.exe /extract /target:C:\ExtractedFiles /recurse

(files are brought out to the c:\ExtractedFiles directory....

0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 250 total points
ID: 33737757
Also, have you tried mounting the reg hives, and looking at the main keys, like the Winlogon key, or the Shell values? Looked for rogue services as well?

Can also check the offline system's main "viral target" target files for a possible compromise....Check versions and file sizes against a known good OS....

winlogon.exe
explorer.exe
userinit.exe
svchost.exe

And I would recommend using knoppix/UBCD/Slaved drive instead of the above "Rhymes with Siren's" CD, as thats not allowed to be referenced in this site.....

If any of this needs clarification, simply ask.....
0
 

Author Comment

by:wolfgordon
ID: 33737847
Hi guys, thanks for all the hints.

tracerfett, thanks for the info, that allowed me to run the XP repair. The repair failed half way, and the supposed fix from MS (http://support.microsoft.com/kb/823303) didnt work either.

So I guess i will cut my losses and try extracting the CSC stuff as per johnb's suggestions tomorrow.

I will let all know how that goes tomorrow mid day.

thanks again

~a

ps. john, why is "Rhymes with Siren's" banished from this site? i happen to find it very useful and saved it my a$$ plenty  times.
0
 
LVL 9

Expert Comment

by:Timothy McCartney
ID: 33738057
Have you tried the "fixboot" and "fixmbr" commands from the repair console using the XP disk?

Also, possibly a "chkdsk /r" ?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33739777
"ps. john, why is "Rhymes with Siren's" banished from this site? i happen to find it very useful and saved it my a$$ plenty  times."

Because it is distributed freely among the internet, with apps that require licensing...... Actually surprised the mods havent removed the reference yet.....Just want you to be aware for future postings....
0
 

Expert Comment

by:ComputerCrews
ID: 33758861
Wolfgordon,

I have two machines with the exact same problem. Both are laptops and run XP Pro. They are not related in anyway. It started as a fake av. The user reboots and gets this message.

Here is what I have tried

Based on the BSOD screen i looked up C000021A and based on what I found I looked into user-mode problems.

Restore the Registry from the Repair file...Nothing
Ran the drive as slave and tossed every scanner I could at it. Nothing came up.
SFC /Scannow did not find a problem
I compared the winlogon section of the registry Windowsnt/CurrentVersion/Winlogon and it was the same as a working machine.
System Restore didn't fixit
replaced userinit.exe and winlogon.exe
Chkdsk didn't work
Fix boot and fix mbr didn't work

I am just about out of ideas.
0
 

Expert Comment

by:ComputerCrews
ID: 33759026

I was about to give up for the night and then I found the  solution!!! This worked for both of my laptops!

I renamed the four files in the C:\Windows\System32 folder: winlogon.exe, gdi32.dll, msvcrt.dll, and comctl32.dll to .old. Then I copied the a known to be good XP to the broken machine.

I first rebooted and goet a new stop code 0X0000024. Before looking it up I tried safe mode with command prompt. This worked. I then navigated to Explorer.exe and it fired up. I did a reboot and up restarting the machine was working.

I did the same thing on the other computer and it worked perfectly. Hope this helps someone else.
0
 

Expert Comment

by:ComputerCrews
ID: 33774079
After getting in via SafeMode I ran the secedit command to reset the permissions. I then had to run Combo Fix again. This solved the problem for both laptops. It should work for others.
0
 

Author Closing Comment

by:wolfgordon
ID: 33774672
thanks guys for your help. i was able to fix this Friday night, sorry for late post. I finally managed to run the repair to the end using an OEM cd. Since i used both John's and tracer's suggestions., i will split the points between both parties.

thanks

adam
0
 

Expert Comment

by:PFrazer
ID: 34336027
Thank You ComputerCrews
Copying winlogon.exe, gdi32.dll, msvcrt.dll, and comctl32.dll fixed it.  I also included explorer.exe.   Explorer.exe & Winlogon.exe were both missing.  I booted with a WinPE CD the inserted a USB pen drive.  

I knew it could be fixed without reloading WindowsXP.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question