Strange shutdown error message in XP Pro 6

[RBHirsch]

After finally disabling Spyware Doctor, the serious problems being produced by it seemed gone. So I totally unninstalled the software.

But, it was still after me. When I went onto the Internet, I had no connection. I confirmed that my network was OK, on another machine. So I tried again, and when the "no access" message box came up, and XP offered to help with the problem, I decided to let Windows XP Pro "fix" the problem. It came up with a message box stating that (sorry, I didn't copy down the exact message) a layer/file (or something) from PC Tools (the company behind Spyware Doctor) was the culprit, and did I want it removed. I clicked on OK, rebooted, and all seemed well - IE 7 and my OE mail were back in place.

But now, all of a sudden, when I shut down my system, and the shutdown has gone about half was through, a blue screen with this message appears

STOP: c000021a {Fatal System Error}
The Windows Logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000)
The system has been shut down.

At this point, I just kill the power, as Windows has been shutdown, but not in the proper event sequence et al.

I don't understand what the logon process has to do with shutting down, unles somehow, I've been logged on incorrectly.

I'm the only user, and administrator. I have not set up any password, so when I turn on my machine, it just boots up, asking nothing more of me.

Can anyone give me an idea of what that message means, and what I can do to get rid of it?

I'm perfectly willing to edit the Registry, or go into the users' setup screens, or whatever is needed to resolve this issue.

Thanks

Ron Hirsch

 

[RBHirsch]

Hi Ben,

I have the same version numbers as you have for both of the files. I looked in the Windows/System32 file, where I assume they are called from.

Then I did a search, and there lots of copies of files with names like winlogon.exe.20071008-130610-00.hdmp, but with different dates and numeric strings. They range in size from about 7 to 9.44 MB.

These named files are in C:|Windowspchealth\ErrorRep\userdumps.

They must have been put there following crashes. There is also 1 copy of winlogon.exe.mdmp in the Documents and Settings Temp folder.

The csrss.exe file is only in the System32 folder.

My searches didn't show anything in the various uninstall folders et al for either file. And I did include system and hidden in teh search.

And, as I've said before, I've seen references to WinLogon.exe during many of the closing crashes.

Does all of this help us? It sure seems to say that the WinLogon.exe file is involved in the problem.

There is no single program that is causing the powerdown crashes. I commented that I ran only IE and OE, with no troubles. But later I ran only them again, and shut down, and the same crash occurred in powerdown.

It does seem like we're getting warmer.

You mentioned the O15 - Trusted Zone: *.https item in HJT. Does this have any bearing on the crash problem? And should I allow HJT to fix that also?

Thanks again -

Ron

 

[linney]

I don't normally recommend the use of Registry Cleaners, never use them other than a last resort option prior to the usually necessary repair install.

If I did it would be this one.

jv16 PowerTools (or their cut down version RegSupreme)

http://www.macecraft.com

The only good thing about using them (in your type of situation) is that the resulting mess (one who talks from experience) would make the repair installation, or even a format and clean install, seem like a welcome relief.

Repairs with slipstreamed SP2's are performed regularly with little or no problems.

310560 - How to Troubleshoot By Using the Msconfig Utility in Windows XP

http://support.microsoft.com/default.aspx?scid=kb;en-us;310560&FR=1&PA=1&SD=HSCH

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP (Q315341)

http://support.microsoft.com/support/kb/articles/q315/3/41.asp

Can you produce the Shutdown problem in Safe Mode?

Can you check out how it runs if you login as any other user in Normal Mode? You could login in as the Built-in Administrator by pressing Ctrl+Alt+Del twice if you have a logon at the Welcome Screen, or you would have to disable Auto Login for your user (to get the screen), or create a new temporary User.

 

[RBHirsch]

Hi Linney,

Thanks for your reply.

I do use WinPatrol which I find far superior to using MSConfig. It has numerous capabilities that MSConfig does not have. If you are not familiar with it, go to

http://www.winpatrol.com/

There is a free version, but the paid version is worth its weight in gold.

I did not try working in Safe mode. When the crash shutdown was only "sometimes", it was hard to know what was impacting it.

If you recall from the past, and the start of this problem, I did have two programs that were absoslutely causing serious problems on my machine - Google Desktop, and Spyware Doctor.

I was right on the verge of working on the Safe Mode tryout. When I got solid evidence that WinLogon.exe was heavily involved in things, I decided to put back two programs that I had disabled - PhraseExpress, and the new version of SpyBot - Search and Destroy.

The lastest version is no longer just a passive protector. It's an on guard program now. And since Spyware Doctor was history, I wanted the protection back from SpyBot.

So I went into WinPatrol, and "enabled" them both.

I then shut down, expecting the usual "crash" shutdown. But the shutdown/powerdown went very smoothly, amazingly. I just assumed that this was one of the few times that there was no crash.

So I rebooted, ran lots of programs, and shutdowns - no crashes. I did this about 4 more times, and all shut down normally. I know from past experience that a number of shutdowns with no problem could be only a temporary thing.

But that's where I stand now. Can it be remotely possible that enabling those two disabled programs could have had an impact on the WinLogon.exe problem? If things stays in good order, who am I to look a gift horse in the mouth?

I assume that it's OK to delete all that stuff that's in the C:\Windowspchealth\ErrorRep\userdumps folder

Ron

 

[BadBigBen]

Ron, yes you can safely delete that line using HJT...

about the versions, that was just to see if you where up to date with those files, if they were not then that would indicate a possible source for the problem...

in your HJT log, both where enabled and running...

But that's where I stand now. Can it be remotely possible that enabling those two disabled programs could have had an impact on the WinLogon.exe problem? If things stays in good order, who am I to look a gift horse in the mouth?

knock on wood, glad that it is running smooth... possible is almost everything, though very hard to believe that reenabling SpyBot would make the problem go away... I am not familiar with PhraseExpress though, so can't vouch for that one...

I assume that it's OK to delete all that stuff that's in the C:\Windowspchealth\ErrorRep\userdumps folder

I see no problem with that...



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

 

[RBHirsch]

Ben,

I did speak prematurely. I had about 7 clean shutdowns. then this morning when I booted up and shut down later, the problem was back.

It's so hard to understand why, if I boot up, but do nothing, it will shut down cleanly. Sometimes I can do lots, and get a clean shutdown, but mostly it does crash.

But the boot, and operations are clean and smooth. But just before tthe "Saving your setting appears, Windows shuts down, and I get a black screen. followed in a few seconds by the usual error messageon a BSOD..

According to MS (parenthesis are mine)
Stop 0xC000021A can (occur) when on restart/(shutdown), after a system administrator has modified permissions so that the SYSTEM account no longer has adequate permissions to access system files and folders.

This sure ssems like the case. It can't save settings, as it has no access any longer.

And, considering the stack of error copies of the WinLogon.exe++ files, and the fact that I've seen WinLogon.exe mentioned many times in the past, in other error messages, it obviously is in the act.

Question - what harm can result from the shutdown/powerdown happening fast like that?

I'm going to try a few more things, and then I may decide to live with it, until such time as it show up with other problems.

Ron

 

[linney]

WinLogon.exe may be in on the act, but is it the victim or cause, who knows?

HOW TO: Reset Security Settings Back to the Defaults

http://support.microsoft.com/?id=313222#appliesto

Faulty Shutdowns can be a cause of file corruption. File corruption can then be a cause of faulty shutdowns and worse. A sort of vicious loop, if you like?

If it is a profile problem then this may help.
811151 - How to Copy User Data to a New User Profile

http://support.microsoft.com/?kbid=811151

 

[RBHirsch]

Hi Linney,

Thanks for good info. I'm going to follow up on the profile situation, and create a new adminstrative user - possibly that will help.

Re my ongoing question

What are the negative aspects of this "preliminary" shutdown, followed by the crash message?

What "settings" are not saved, and how harmful can that be?

All else is smooth as silk.

Ron

 

[linney]

Faulty Shutdowns can be a cause of file corruption. File corruption can then be a cause of faulty shutdowns and worse. Master File Tables are prone to corruption in this situation. XP may lose track of where files are on the hard drive, the files may become orphan files, unknown to XP as to purpose and location. Running ChkDsk can solve part of this problem.

Some settings may not be saved, means, any changes that you have made in that session may not be saved and therefor lost or not remembered.

 

[RBHirsch]

Hi Linney,

I ran chkdsk over the weekend, and it went well - no errors or problems.

When I called for CHKDSK in a Windows session, of course it cannot be run while Windows is active. So I accepted the usual message which will run it prior to the next bootup.

The usual "crash" occurred on shutdown, and I assumed that SHKDAK would not ve run on bootup, as it might not have been remembered/saved, because the "saving settings" Part of shutdown did not appear to happen. But, on the next bootup it did run CHKDSK.

And, in another session I made changes to the paging file numbers, where one has to reboot to save them to become effective. I made the changes as a possible help to the crashes on shutdown. On the required shutdown, the usual crash occurred, but the paging file changes were shown after the next bootup - so those changes were remembered.

QUESTION: When I went in to change the paging file location, I assumed that the original area on C: would be removed when I added a similar area on D:. But both were there. Each one is in the area of 5-7 GB. Is it proper to have paging files on both C and D?

Ron

 

[gigahertz]

Although it doesn't address your issue specifically, this addon Microsoft service may help ...

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

 

[linney]

5 - 7 GB seems overly large for Paging Files unless you have a lot of RAM or something. Is this a Dual Boot? One large Paging File ought to suffice (it is recommended that you have a very small Paging File of a couple of MB's size on the XP Partition itself)

If the Pagefile.sys file is not being used by Windows you would be able to delete it just like any other file.

This is a good article if you are going down this track. Make sure you have set them up, and moved them, correctly.

RAM, Virtual Memory, PageFile and all that stuff.

http://members.shaw.ca/bsanders/WindowsGeneralWeb/RAMVirtualMemoryPageFileEtc.htm

 

[RBHirsch]

Hi Linney,

I have 4 internal drives, each of which is 400 GB. It is not a dual boot system. The reason I added a paging file to D, was that one of the MS papers noted that paging files could be involved in my "problem".

All programs and XP Pro are on C, and there's lot of free HD space. Is there any point in having large paging files on both C and D, which is now how things are set up?

From all the info I've accumulated, and all the "crash" copies of logon.exe in the C:\Windowspchealth\ErrorRep\userdumps folder, it seems that the MS words may be on target. In one of the MS papers. they write that when, during shutdown, Windows loses permission to access system files et al, it cannot perform the normal shutdown, and crashes.

Surprisingly, when I shut down this am to install the updates I received today, I was afraid that it would not install them, because of the crashing. But that shutdown presented a small error message window, which was too fast to read. And then it installed the new updates, going through a normal shutdown.

Ron

 

[BadBigBen]

Hi Ron,

you should only have one PageFile on one drive...

disable the pagefile on C drive... then reboot... if it is still listed on C, then you can safely delete that one... and as Linney pointed out, it is usually not good to have one that large, even if you have greats amount of RAM...

I'm still pondering what could make XP loose permission once in a while and not every time (sporadic vs. constant)...

just for knowledge sake: when this started to happen, the BSOD on shutdown, did you do a BIOS update before hand ...

reason: I've seen some strange things happening with BETA or newer BIOS's, such as USB not working correctly, strange shutdowns, hang ups, etc...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

 

[linney]

You can try looking in the Event Viewer, Application Log, to see if you can find the strange message (if it was just a message box and not a BSOD). It may be listed as a Application Pop-up Message or similar? I'm not in XP, so that's just from memory, a fading one too.

Make sure the Permissions on your Paging File allow full access to the "System". As a temporary measure, you could change it to allow "Everyone" full access and see if that stops your Shutdown errors?

 

[RBHirsch]

Linney,

I have been in the Paging File windows, but I cannot locate the path to set the "permissions". I have been looking for that, as one of the MS papers re my error message on shutdown indicates that there might have been some problem accessing the system files, so it just crashes.

I just wish I knoew what the variable was in that shutdown crash. Sometimes I've had a long session, running many different programs, and it shuts down normally. Next time, after running very little of the same programs as the previous time, it crashes.

But every time, if I boot and immediately shut down, it does so normally.

If it does continue, as I expect it will, I'm going to use the XP CD to try and repair the system. Before doing that, I will create an image using True Image. So, if the recovery leaves me in worse shape, I can at least get back to where I am now - where everytbing runs flawlessly, except for the shutdown.

Ron

 

[linney]

Do you have the Security tab available on your other files, or are you saying you don't have the Security tab on the Pagefile.sys? Are you able to able to change any Permissions via Safe Mode?

In Folder Options/ View/ the last option controls whether or not you see a Security tab. Uncheck "Use simple file sharing" if it is selected.

RAM, Virtual Memory, PageFile and all that stuff.

http://members.shaw.ca/bsanders/WindowsGeneralWeb/RAMVirtualMemoryPageFileEtc.htm

Using the above article as a guide, you could temporarily SET the machine to have No Paging File on all drives, this would allow you to delete Pagefile.sys (if it remained after a reboot). You could then set your Paging File to System Managed, or whatever you want, and that might clear up any corruption in the Paging File?

 

[RBHirsch]

Hi Linney,

I cannot locate a file named "pagefile.sys". My search included all system and hidden files.

After I did some small changes in the page file over the weekend, I went for 10 shutdowns with no problems. I also did a cleaning job using ccleaner, and things stayed with no shutdown crashes for a while. But the crashes have started again.

And, the prior time I went into the paging file settings, and made some small changes, the system went for a while with no crashes, but then they resumed.

It's seeming more and more like the paging file may be a key to the problems.

I did now uncheck the "simple file sharing" box in the options as you suggested above.

Below is a clip of the opening section of the Dr. Watson log created on the last crash. Does this tell you anything?

I will review all the material in the link you gave me re the paging file et al.

Ron

Microsoft (R) DrWtsn32
Copyright (C) 1985-2001 Microsoft Corp. All rights reserved.

Application exception occurred:
App: \??\C:\WINDOWS\system32\winlogon.exe (pid=1232)
When: 10/15/2007 @ 07:08:52.484
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: RBH1
User Name: SYSTEM
Terminal Session Id: 0
Number of Processors: 2
Processor Type: x86 Family 15 Model 35 Stepping 2
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Multiprocessor Free
Registered Organization:
Registered Owner: Ronald Hirsch

*----> Task List <----*
0 System Process
4 System
912 smss.exe
1208 csrss.exe
1232 winlogon.exe
1284 services.exe
1296 lsass.exe
1464 svchost.exe
1540 svchost.exe
1656 svchost.exe
1748 svchost.exe
1852 svchost.exe
1968 aawservice.exe
712 brsvc01a.exe
736 brss01a.exe
744 spoolsv.exe
1184 schedul2.exe
1212 avgamsvr.exe
1508 avgupsvc.exe
1620 avgemc.exe
1764 nvsvc32.exe
2008 svchost.exe
2080 Tablet.exe
2124 TrueImageTryStartService.exe
2416 BRMFRSMG.EXE
2452 Error 0xD0000022
3204 x10nets.exe
3252 PDSched.exe
1824 alg.exe
2132 logonui.exe
3484 drwtsn32.exe

 

[electronicsfreak]

On folder options, uncheck the box to hide operating system files. It will give a warning, just hit ok. Now go to my computer, then c:. Pagefile.sys is in there.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

 

[RBHirsch]

When I did my search in the Windows XP Pro search window, I did have the boxes checked to include hiddden, system and operating files. But I guess that does not override the FOLDER OPTIONS settings.

I unchecked the box in the FOLDER OPTIONS, and that did allow me to locate and examine pagefile.sys.

There is no tab for security in the properties window for pagefile.sys. But there is a security tab in the properties window for pagefileconfig.sys.

As I mentioned earlier, I had done some "tinkering" with the pagefile setup since the crash problem started. I also have now made the following changes in the pagefile configuration window, in addition to unchecking the "Use simple file sharing", in the Folder Options choices.

1. I removed the pagefile I had set up for my D drive

2. I changed the setting for the page file on my C drive to SYSTEM managed.

All four of my system drives are 400 GB, so there is no space problem anywhere.

I will now see if things are any different. In the past, making just about any page file changes, kept the system free of crashes during shutdown for a goodly number of times.

Ron

 

[RBHirsch]

Playing with the pagefile has not resulted in anything substantial.

There may be a number of sequential no-crash shutdowns, but the crash does return. But the crash never occurs if I shut down right after bootup, without running anything

Below is a copy of the Dr Watson log on the last crash.

Note the first line showing "Application Exception" and the "??" in the path & also in the "Module" list with the "??" in the path. I think this may be very relevant to the cause.

Can anyone decipher/translate this line, and comment on what it may be all about, and to how to "fix" it.

Ron Hirsch
++++++++++++++++++++++++======

Microsoft (R) DrWtsn32
Copyright (C) 1985-2001 Microsoft Corp. All rights reserved.

Application exception occurred:
App: \??\C:\WINDOWS\system32\winlogon.exe (pid=1272)
When: 10/16/2007 @ 07:53:16.531
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: RBH1
User Name: SYSTEM
Terminal Session Id: 0
Number of Processors: 2
Processor Type: x86 Family 15 Model 35 Stepping 2
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Multiprocessor Free
Registered Organization:
Registered Owner: Ronald Hirsch

*----> Task List <----*
0 System Process
4 System
912 smss.exe
1248 csrss.exe
1272 winlogon.exe
1324 services.exe
1344 lsass.exe
1508 svchost.exe
1604 svchost.exe
1700 svchost.exe
1792 svchost.exe
1896 svchost.exe
2012 aawservice.exe
776 brsvc01a.exe
796 brss01a.exe
804 spoolsv.exe
1476 schedul2.exe
1396 avgamsvr.exe
1668 avgupsvc.exe
1688 avgemc.exe
1816 nvsvc32.exe
2112 svchost.exe
2180 Tablet.exe
2220 TrueImageTryStartService.exe
2368 BRMFRSMG.EXE
2528 Error 0xD0000022
3136 x10nets.exe
3176 PDSched.exe
3976 alg.exe
2720 wuauclt.exe
368 logonui.exe
3816 drwtsn32.exe

*----> Module List <----*
(0000000001000000 - 0000000001080000: \??\C:\WINDOWS\system32\winlogon.exe
(00000000016d0000 - 000000000170b000: C:\WINDOWS\system32\WgaLogon.dll
(0000000001710000 - 00000000019d5000: C:\WINDOWS\system32\xpsp2res.dll
(000000000ffd0000 - 000000000fff8000: C:\WINDOWS\system32\rsaenh.dll
(0000000020000000 - 0000000020017000: C:\WINDOWS\system32\odbcint.dll