Microsoft → [XPPro] Stop c00021a Logon Process Error

I'm working with an XP laptop that gets this error about once per day:

Stop:c000021a {Fatal Error} The windows logon process system process terminated unexpectedly with a status of 0xc0000005(0x00000000)(0x00000000)

This doesn't happen at reboot or logon, it mainly happens on the fly as the computer is being used. Or sometimes it's sitting on the blue screen when it sits for awhile, but it seems pretty random.

Is there any way I can figure out what's causing this, or how can I fix it? I tried enabling DrWatson but the log generated doesn't seem to tell me a thing about what process is actually causing the issue.

any more errros or warnings in eventviewer logs? Does it happen in Safe Mode?

Cudni

I'll try to check the event viewer. I'm not sure I can test safe mode because it's in use so often, but hopefully event viewer will shed some light. I tried to get there yesterday but it's been so long since I've used XP I had a brain fart and forgot where it even was.

The actual process is the windows logon process i.e., the process running winlogon.exe. I'm not sure that actually helps though.

Winlogon gets created at system initialization, executes the logon procedure, and starts whatever's needed to create the user-specific environment. In addition, the winlogon desktop is displayed when you type ctrl+alt+del (at least in the configs I use) and in order to handle UAC elevation prompts.

Based on the event message, I'd guess it's an attempted access to virtual address 0, which is never valid. Which is generally a software bug.

Mini dumps?

I'm guessing the kernel minidump won't tell you anything.

The kernel deliberately crashed because the winlogon process terminated, and winlogon is one of the critical-to-system-operations processes.

The question is, what caused winlogon to terminate. (The immediate cause is 'an access violation exception' but that, while precise, isn't helpful from a diagnostic point of view).

What's in the Dr. Watson log here?

There is an 8800GTS that maybe using out dated Nvidia drivers - something relative to a driver for the video card could be a cause.

Maybe a "clean boot" to see if it still shows. That would at least point to a 3rd party product or internal to Windows.

Clean Boot:
»support.microsoft.com/kb/310353

Advanced Clean Boot
»support.microsoft.com/kb/316434

The first link would be enough though I'd think.

The specs in my sig aren't for the laptop in question here.

I don't understand why the winlogon.exe is even being called while the computer is actually booted up and being put to work, but I guess I don't understand the process 100%. It just seems like it should only be a problem when trying to log on or off.

The Dr. Watson log is huge, let me see if I can find any specifics unless I should just post the whole thing. I guess I can try a clean boot sometime too.

I also exported the event viewer log and looked at it on my PC, but a lot of the errors say "The description for event ID XXXX cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

I'm guessing that's saying the problem PC has the issue displaying the events, not the one I'm just viewing the log on.

The exact log entry when it crashed was:

"The description for Event ID 1004 from source Application Error cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

winlogon.exe
0.0.0.0
unknown
0.0.0.0
730074fd

the message resource is present but the message is not found in the string/message table"

Really doesn't tell me anything. I did find the access violation part with winlogon.exe in the Drwtsn log, how much of it should I paste here? I'm not sure where it ends.

Okay, you have me there, but if the computer in question shows an update for graphics at windows, it's a start, an I'm covered.

Was anything installed prior to the alert?
(Although this could be ignored due to not being at logon.)
Scan with MBAM for malware?
Svchost.exe errors?

Clean boot may hint or give direction on this.
You are right there isn't much there.

I don't see an SVChost issues. I ran a few scans last week and it didn't find any source of malware.

I'm looking at the event viewer again, and every time there is a winlogon.exe error (Event ID 1004), this Event ID 1000 happens before it. Sometimes it's 20 minutes, sometimes it's hours, but it's always the previous error before the winlogon.exe. Not sure if this means anything to anyone:

Faulting application name: , version: 0.0.0.0, time stamp: 0xunknown
Faulting module name: 0.0.0.0, version: 730074fd, time stamp: 0x4170706C69636174696F6E204661696C757265202020302E302E302E3020696E20756E6B6E6F776E 20302E302E302E30206174206F6666736574203733303037346664
Exception code: 0x%7
Fault offset: 0x%8
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13

Best to post as dave suggests - give him Dr.Watson logs even if it has to be uploaded to a file share site somewhere.

I gather you have read this link?

»answers.microsoft.com/en ··· 17575c18

>I'm guessing that's saying the problem PC has the issue displaying the events, not the one I'm just viewing the log on.

Probably not. The way event logging works is that the event logger writes into the log a compact notation that means "event N from source X with parameters P1,P2...".

When you decide to look at the log entry, the event viewer then uses N and S to find some stuff in the registry that points to a DLL that defines the message text, and formats up the message with the parameters P1,P2,...

So, "description for event cannot be found" is a viewer issue. The usual cause is that the software is no longer installed, either because you deinstalled it, or because the viewer is running on a different computer from the logger.

(This approach is beneficial because the log is compact, it's more efficient than formatting messages no-one looks at, and the language for the message is chosen by the viewer.)