
0 Votes
RandallBreneman-1821 asked, Docs-4663 edited

How to determine which driver is failing signature enforcement?

I have an unknown driver causing a boot crash with error 0xc000021a. Disabling driver signature enforcement allows the machine to boot. How do I determine which driver or drivers are failing signature enforcement? Thanks.

Update: I ran sigverif and it logged these results:
Microsoft Signature Verification
Log file generated on 6/26/2021 at 11:02 AM
OS Platform: Windows (x64), Version: 10.0, Build: 19043, CSDVersion:
Scan Results: Total Files: 69, Signed: 69, Unsigned: 0, Not Scanned: 0

I've attached the complete log.

109602-sigverif.txt

Some additional info in case it helps... This is a Parallels VM. I have a copy of the machine with updates turned off that does not have the crash. As soon as I enable updates and get the next Windows update, the crash ensues. Here is info on the client OS, both copies are the same:
Edition Windows 10 Enterprise
Version 21H1
OS build 19043.1055
Experience Windows Feature Experience Pack 120.2212.2020.0

111527-autoruns3.png



I used autoruns as suggested to no avail. I've included a screenshot of one Not Verified that I unchecked and one missing that I unchecked. The issue is still the same - crash unless I disable driver signature enforcement. The autoruns screenshot is using the option to hide Windows entries but all of those show Verified.

There does not appear to be an obvious relationship between a driver showing Not Verified with sigverif or autoruns, and why the crash unless driver signature enforcement is disabled. I'm still stuck trying to determine which driver is causing the crash.

The theory that disabling driver signature enforcement is hiding some other issue seems like a good one. I used the Restart options to Reset Windows, restarted and it still crashed and still needed disabling driver signature enforcement to run. I'm including the results of memory.dmp file analysis. Rather than pursue this further, I created a new Parallels VM and it seems good. Thanks for the advice.

 1: kd> !analyze -v
 *******************************************************************************
 *                                                                             *
 *                        Bugcheck Analysis                                    *
 *                                                                             *
 *******************************************************************************
    
 WINLOGON_FATAL_ERROR (c000021a)
 The Winlogon process terminated unexpectedly.
 Arguments:
 Arg1: ffff8589a32f8600, String that identifies the problem.
 Arg2: ffffffffc0000428, Error Code.
 Arg3: 0000000000000000
 Arg4: 000002111ecd0000
    
 Debugging Details:
 ------------------
    
    
 KEY_VALUES_STRING: 1
    
     Key  : Analysis.CPU.mSec
     Value: 4218
    
     Key  : Analysis.DebugAnalysisManager
     Value: Create
    
     Key  : Analysis.Elapsed.mSec
     Value: 4216
    
     Key  : Analysis.Init.CPU.mSec
     Value: 5421
    
     Key  : Analysis.Init.Elapsed.mSec
     Value: 420176
    
     Key  : Analysis.Memory.CommitPeak.Mb
     Value: 78
    
     Key  : WER.OS.Branch
     Value: vb_release
    
     Key  : WER.OS.Timestamp
     Value: 2019-12-06T14:06:00Z
    
     Key  : WER.OS.Version
     Value: 10.0.19041.1
    
    
 ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x
    
 EXCEPTION_CODE_STR:  c000021a
    
 EXCEPTION_PARAMETER1:  ffff8589a32f8600
    
 EXCEPTION_PARAMETER2:  ffffffffc0000428
    
 EXCEPTION_PARAMETER3:  0000000000000000
    
 EXCEPTION_PARAMETER4: 2111ecd0000
    
 BUGCHECK_CODE:  c000021a
    
 BUGCHECK_P1: ffff8589a32f8600
    
 BUGCHECK_P2: ffffffffc0000428
    
 BUGCHECK_P3: 0
    
 BUGCHECK_P4: 2111ecd0000
    
 PROCESS_NAME:  smss.exe
    
 ADDITIONAL_DEBUG_TEXT:  initial session process or
    
 IMAGE_NAME:  ntkrnlmp.exe
    
 MODULE_NAME: nt
    
 BLACKBOXBSD: 1 (!blackboxbsd)
    
    
 BLACKBOXNTFS: 1 (!blackboxntfs)
    
    
 STACK_TEXT:  
 fffff586`1f0d6598 fffff804`3adaf55a     : 00000000`0000004c 00000000`c000021a fffff586`1f4663f0 ffffd785`52d3f7e0 : nt!KeBugCheckEx
 fffff586`1f0d65a0 fffff804`3ada0f8b     : fffff586`1f0d66c0 fffff586`1f0d6660 fffff586`1f0d66c0 fffff586`1f0d6660 : nt!PopGracefulShutdown+0x29a
 fffff586`1f0d65e0 fffff804`3ad966fc     : 00000000`00000001 fffff804`00000006 00000000`00000004 00000000`00000000 : nt!PopTransitionSystemPowerStateEx+0x11c9b
 fffff586`1f0d66a0 fffff804`3a8085b5     : ffffd785`53540000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!NtSetSystemPowerState+0x4c
 fffff586`1f0d6880 fffff804`3a7faa80     : fffff804`3ac31603 00000000`00000014 ffffffff`ffffff00 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
 fffff586`1f0d6a18 fffff804`3ac31603     : 00000000`00000014 ffffffff`ffffff00 00000000`00000000 fffff804`3b023ba0 : nt!KiServiceLinkage
 fffff586`1f0d6a20 fffff804`3ab62729     : 00000000`00000000 ffffd785`52335a60 00000000`00000000 00000000`00000000 : nt!PopIssueActionRequest+0xcedbb
 fffff586`1f0d6ac0 fffff804`3a6f32c4     : 00000000`00000001 00000000`00000000 ffffffff`ffffffff fffff804`3b023b00 : nt!PopPolicyWorkerAction+0x79
 fffff586`1f0d6b30 fffff804`3a741225     : ffffd785`00000001 ffffd785`522d4080 fffff804`3a6f3230 00000000`00000000 : nt!PopPolicyWorkerThread+0x94
 fffff586`1f0d6b70 fffff804`3a6f53b5     : ffffd785`522d4080 00000000`00000080 ffffd785`52282040 00000000`00000000 : nt!ExpWorkerThread+0x105
 fffff586`1f0d6c10 fffff804`3a7fe278     : fffff804`35d06180 ffffd785`522d4080 fffff804`3a6f5360 00000000`00000000 : nt!PspSystemThreadStartup+0x55
 fffff586`1f0d6c60 00000000`00000000     : fffff586`1f0d7000 fffff586`1f0d1000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
    
    
 SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+11c9b
    
 IMAGE_VERSION:  10.0.19041.1055
    
 STACK_COMMAND:  .thread ; .cxr ; kb
    
 BUCKET_ID_FUNC_OFFSET:  11c9b
    
 FAILURE_BUCKET_ID:  0xc000021a_SmpDestroyControlBlock_smss.exe_Terminated_c0000428_nt!PopTransitionSystemPowerStateEx
    
 OS_VERSION:  10.0.19041.1
    
 BUILDLAB_STR:  vb_release
    
 OSPLATFORM_TYPE:  x64
    
 OSNAME:  Windows 10
    
 FAILURE_ID_HASH:  {11c026a4-042b-4c24-02dc-2da456397475}
    
 Followup:     MachineOwner
 ---------
windows-10-security
autoruns3.png (218.2 KiB)
sigverif.txt (18.8 KiB)


0 Votes
GaryNebbett answered

Hello @RandallBreneman-1821,

Is any dump file (minidump or full dump) created when the system crashes? A dump file would probably make it relatively easy to identify which file is causing the problem.

I don't think that the file is necessarily a device driver file - the symbolic name of the error code 0xC000021A is STATUS_SYSTEM_PROCESS_TERMINATED and this might be hinting that an essential system process failed to start successfully because of code integrity problems.

Disabling "driver signature enforcement" possibly disables code integrity measures more widely than the name suggests...

Another approach might be to use the Microsoft-Windows-CodeIntegrity ETW provider to trace code integrity actions during the boot phase.

Gary



0 Votes
TeemoTang-MSFT answered

You can use Autoruns from Sysinternals to verify drivers:
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Validate drivers: This step checks non-Microsoft drivers. According to the Windows Sysinternals Administrator's Reference, "Verifying a digital signature associated with that file gives a much higher degree of assurance of the file's authenticity and integrity." Note: When a driver is verified, the Publisher field changes from the company name to the name on the signed certificate.

1. Click the Drivers tab and look for drivers that are "Not Verified". This will show up in the Publisher field.
and
3. If any of the drivers are highlighted and come up as "Not Verified" in the Publisher field, then the driver does not have a digital signature.

A good reference:
How to verify that system drivers are digitally signed
https://www.ghacks.net/2015/04/11/how-to-verify-that-system-drivers-are-digitally-signed/


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
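Both suggestions in this thread, the Code Integrity ETW/event data Gary points to and the per-driver signature check that Autoruns performs, can be scripted so the two outputs can be compared side by side. The PowerShell below is an added example, not code from either answer, from Microsoft or from Sysinternals. It assumes an elevated prompt on the affected machine (booted with enforcement disabled, as the asker describes), enumerates every registered kernel driver through the Win32_SystemDriver CIM class, checks each image with Get-AuthenticodeSignature, and then reads the Microsoft-Windows-CodeIntegrity/Operational log for events since the last boot. The event IDs it filters on are the ones that log uses for unsigned or unverifiable images (3001, 3004), signing-level failures (3033) and WDAC audit/block (3076, 3077). The c0000428 status in the posted dump is STATUS_INVALID_IMAGE_HASH, so a HashMismatch or NotSigned result, or a 3004 event naming a file, is what to look for.

```powershell
# Added example (not from the thread). Run elevated; nothing here changes system state.

# --- 1. Authenticode check of every registered kernel driver image -------------
function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName can be "\??\C:\...", "\SystemRoot\..." or a
    # plain absolute path; normalise all three so the file can be opened.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                SigType   = $sig.SignatureType     # Authenticode, Catalog or None
                Signer    = $sig.SignerCertificate.Subject
            }
        }
        else {
            # A service entry whose binary is gone: the "missing" row Autoruns shows.
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode
                Path = $path;   SigStatus = 'FileMissing'; SigType = $null; Signer = $null
            }
        }
    }

"Drivers whose image is not validly signed or is missing:"
$drivers | Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object SigStatus, Name |
    Format-Table Name, State, StartMode, SigStatus, SigType, Path -AutoSize

# --- 2. Code Integrity events recorded since the last boot --------------------
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
"Code Integrity events since $lastBoot :"
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        StartTime = $lastBoot
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 3001, 3004, 3033, 3076, 3077 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Inbox Windows drivers are normally catalog-signed rather than embedded-signed, so SigType 'Catalog' with SigStatus 'Valid' is the expected result for them; only rows with a non-Valid status need attention. Because sigverif only reports on the files it scans, an image it never examined can still fail at load time, which is why the event log half of the output is the more direct evidence: a 3004 or 3033 event carries the path of the file the kernel refused.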




0 Votes
Docs-4663 answered, Docs-4663 edited

Just noticed that you've accepted an earlier answer.

In case you need additional help please open a new thread.


Disable driver signature enforcement > boot > run the V2 log collector > post a share link into this thread

https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html



Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post


