Possible ways to find the root cause of a WINLOGON_FATAL_ERROR bluescreen?

brad_H · October 15, 2023, 7:07am

I sometimes get a WINLOGON_FATAL_ERROR BSOD on some of my VMs. The following is its detail :

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: afdd66a8, String that identifies the problem.
Arg2: c0000008, Error Code.
Arg3: 775815be
Arg4: 040cf8ac

Debugging Details:
------------------

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

SYSTEM_MANUFACTURER:  VMware, Inc.

VIRTUAL_MACHINE:  VMware

SYSTEM_PRODUCT_NAME:  VMware Virtual Platform

SYSTEM_VERSION:  None

BIOS_VENDOR:  Phoenix Technologies LTD

BIOS_VERSION:  6.00

BIOS_DATE:  09/21/2015

BASEBOARD_MANUFACTURER:  Intel Corporation

BASEBOARD_PRODUCT:  440BX Desktop Reference Platform

BASEBOARD_VERSION:  None

ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.

EXCEPTION_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.

EXCEPTION_CODE_STR:  c000021a

EXCEPTION_PARAMETER1:  afdd66a8

EXCEPTION_PARAMETER2:  c0000008

EXCEPTION_PARAMETER3:  775815be

EXCEPTION_PARAMETER4: 40cf8ac

DUMP_TYPE:  1

BUGCHECK_P1: ffffffffafdd66a8

BUGCHECK_P2: ffffffffc0000008

BUGCHECK_P3: 775815be

BUGCHECK_P4: 40cf8ac

PROCESS_NAME:  csrss.exe

ADDITIONAL_DEBUG_TEXT:  Windows SubSystem

BUGCHECK_STR:  0xc000021a_c0000008_csrss.exe_Terminated

IMAGE_NAME:  ntkrpamp.exe

MODULE_NAME: nt

CPU_COUNT: 2

CPU_MHZ: aef

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2c

CPU_STEPPING: 2

CPU_MICROCODE: 6,2c,2,0 (F,M,S,R)  SIG: 14'00000000 (cache) 14'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  DEV-PC

ANALYSIS_SESSION_TIME:  10-15-2023 10:26:12.0806

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

LAST_CONTROL_TRANSFER:  from 823236b6 to 82166a68

STACK_TEXT:  
8de63a2c 823236b6 0000004c c000021a a2047964 nt!KeBugCheckEx
8de63a54 8231e12a 00000000 8de63c04 8de63c88 nt!PopGracefulShutdown+0x221
8de63a98 82316026 00000004 00000006 c0000004 nt!PopTransitionSystemPowerStateEx+0xa93a
8de63bf0 821793eb 00000004 00000006 c0000004 nt!NtSetSystemPowerState+0x4e
8de63bf0 82164aa9 00000004 00000006 c0000004 nt!KiSystemServicePostCall
8de63c74 8250046d 00000004 00000006 c0000004 nt!ZwSetSystemPowerState+0x11
8de63ccc 8243c43d 00000006 c0000004 00000000 nt!PopIssueActionRequest+0xc446f
8de63d0c 82034c3e 81facbb8 91bb1040 822b67b0 nt!PopPolicyWorkerAction+0x5f
8de63d28 820474aa 00000001 00000000 91bb1040 nt!PopPolicyWorkerThread+0x8a
8de63d78 821261c8 81facbb8 c4a103c8 00000000 nt!ExpWorkerThread+0xea
8de63db0 8218178d 820473c0 81facbb8 00000000 nt!PspSystemThreadStartup+0x4a
8de63dbc 00000000 00000000 80dc0dd0 0001e080 nt!KiThreadStartup+0x15

THREAD_SHA1_HASH_MOD_FUNC:  83f69a92229e25cf8f5868f3d2265207565197bf

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e5afeb695b1f96b49d70f8bd0f7eef3aba5a6c1d

THREAD_SHA1_HASH_MOD:  dc844b1b94baa204d070855e43bbbd27eee98b94

FOLLOWUP_IP: 
nt!PopTransitionSystemPowerStateEx+a93a
8231e12a 895e60          mov     dword ptr [esi+60h],ebx

FAULT_INSTR_CODE:  e9605e89

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+a93a

FOLLOWUP_NAME:  MachineOwner

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  a93a

FAILURE_BUCKET_ID:  0xc000021a_c0000008_csrss.exe_Terminated_nt!PopTransitionSystemPowerStateEx

BUCKET_ID:  0xc000021a_c0000008_csrss.exe_Terminated_nt!PopTransitionSystemPowerStateEx

PRIMARY_PROBLEM_CLASS:  0xc000021a_c0000008_csrss.exe_Terminated_nt!PopTransitionSystemPowerStateEx

TARGET_TIME:  2023-10-14T04:53:52.000Z

OSBUILD:  18362

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  798

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc000021a_c0000008_csrss.exe_terminated_nt!poptransitionsystempowerstateex

FAILURE_ID_HASH:  {6103b4d2-a446-feb6-655c-c95c3499c651}

Followup:     MachineOwner
---------

1: kd> k
 # ChildEBP RetAddr  
00 8de63a2c 823236b6 nt!KeBugCheckEx
01 8de63a54 8231e12a nt!PopGracefulShutdown+0x221
02 8de63a98 82316026 nt!PopTransitionSystemPowerStateEx+0xa93a
03 8de63bf0 821793eb nt!NtSetSystemPowerState+0x4e
04 8de63bf0 82164aa9 nt!KiSystemServicePostCall
05 8de63c74 8250046d nt!ZwSetSystemPowerState+0x11
06 8de63ccc 8243c43d nt!PopIssueActionRequest+0xc446f
07 8de63d0c 82034c3e nt!PopPolicyWorkerAction+0x5f
08 8de63d28 820474aa nt!PopPolicyWorkerThread+0x8a
09 8de63d78 821261c8 nt!ExpWorkerThread+0xea
0a 8de63db0 8218178d nt!PspSystemThreadStartup+0x4a
0b 8de63dbc 00000000 nt!KiThreadStartup+0x15
1: kd> db afdd66a8
afdd66a8  57 69 6e 64 6f 77 73 20-53 75 62 53 79 73 74 65  Windows SubSyste
afdd66b8  6d 00 78 00 65 00 00 00-00 00 04 06 43 4d 4e 62  m.x.e.......CMNb
afdd66c8  03 00 00 00 42 04 d8 f6-00 00 00 00 08 00 56 4d  ....B.........VM
afdd66d8  42 55 53 48 49 44 00 00-00 00 04 06 53 65 41 74  BUSHID......SeAt
afdd66e8  00 00 00 00 ec 66 dd af-ec 66 dd af 00 00 00 00  .....f...f......
afdd66f8  f8 66 dd af f8 66 dd af-00 00 04 06 43 4d 4e 62  .f...f......CMNb
afdd6708  03 00 00 00 e3 b8 5c 0b-00 00 00 00 08 00 56 57  ......\.......VW
afdd6718  49 46 49 42 55 53 00 00-00 00 04 06 53 65 41 74  IFIBUS......SeAt

So it seems like for some reason the csrss.exe has caused the BSOD because of termination, but csrss.exe still exists in the output of !process (two instances, one for session 0 and one for session 1)

And looking through the call stack of csrss threads doesn’t give any clues.

My question is, is this happening because csrss.exe terminated itself, or someone else tried to terminate it?
How can I find the root cause of this BSOD? Because It is happening very frequent now in my work VMs. Note that I have some third party apps installed in these VMs, so want to make sure if they are causing it or its something else.