
Thread: BSOD error parameters


  1. #1

    BSOD error parameters

    This is off-topic with regard to reversing but I am desperate and hoping one of you guys has come across it. It is related to the reversing work I am doing but calling it on-topic is a stretch. I have researched this online till I'm blue in the face but finding the NT parameters to describe the exact type of BSOD is near impossible.

    Please delete if not acceptable.

    What I am really looking for is a link to a Microsoft article, like in the DDK or whatever, that would explain the error in detail.

    I am doing a repair install with an XP OS and I have encountered a BSOD in phase 4 (actually Session3) which is a brief part of the installation. I get the following error:

    Stop 0x0000006F (0xC000000E, 0x0, 0x0, 0x0)

    Description: Session3_initialization_failed

    I need to find out what the 0xC000000E parameter means.

    There is no dmp file, which is odd, and the setupapi log shows the installation ending with a reference to iastor.sys with a reference to %windir%\system32\drivers. I thought there might be an issue with registry hive permissions but I checked and they were good compared to a working copy of XP.

    Apparently the error references configuration files, but which ones?

    It's supposed to have something to do with a missing or corrupted file, namely smss.exe, ftdisk.sys, winlogon.exe, ntdll.dll, or ntoskrnl.exe. I have replaced all of them.

    It's possible that my installation disk is corrupt since it is a slipstreamed version. However, I substituted another slipstreamed disk hoping it would get me past that stage but it did not.

  2. #2
    Code:
    kd> !analyze -show 6f
    VSL_INITIALIZATION_FAILED (6f)
    Arguments:
    Arg1: 00000000, Indicates the NT status code that caused the failure.
    Arg2: 00000000, Indicates the initialization phase.
    Arg3: 00000000, (reserved)
    Arg4: 00000000
    
    kd> !error c000000e
    Error code: (NTSTATUS) 0xc000000e (3221225486) - A device which does not exist was specified.
    kd>
    possibly you have a corrupt smss.exe which is failing when RtlUserCreateProcess is called in phase3 initialization


    Code:
    kd> bl
         0 e Disable Clear  806a3b36     0001 (0001) nt!RtlCreateUserProcess
    
    kd> .lastevent
    Last event: Hit breakpoint 0
      debugger time: Sat Mar  7 21:03:44.909 2020 
      
    kd> u @$ra l9
    nt!Phase1Initialization+0x1059:
    8069fd62 381d80315580    cmp     byte ptr [nt!InbvBootDriverInstalled (80553180)],bl
    8069fd68 8bf0            mov     esi,eax  ; @esi == NTSTATUS
    8069fd6a 5f              pop     edi
    8069fd6b 7405            je      nt!Phase1Initialization+0x1069 (8069fd72)
    8069fd6d e889bbe6ff      call    nt!FinalizeBootLogo (8050b8fb)
    8069fd72 3bf3            cmp     esi,ebx
    8069fd74 53              push    ebx
    8069fd75 0f8ccca90100    jl      nt!Phase1Initialization+0x106e (806ba747)
    8069fd7b ffb5b0faffff    push    dword ptr [ebp-550h]
    
    kd> $$ if(InbvBootDriverInstalled) {nt!FinalizeBootLogo()} elseif(NTSTATUS @$esi != NTSUCCESS) jumpto 806ba747
    
    
    kd> u 806ba747 l6
    nt!Phase1Initialization+0x106e:
    806ba747 53              push    ebx  ; NULL
    806ba748 53              push    ebx  ; NULL
    806ba749 56              push    esi  ; NTSTATUS
    806ba74a 6a6f            push    6Fh  ; SESSION3_INIT_FAILED
    806ba74c eb2b            jmp     nt!Phase1Initialization+0x1161 (806ba779)
    806ba74e 53              push    ebx
    
    kd> u 806ba779 l2
    nt!Phase1Initialization+0x1161:
    806ba779 e87590e7ff      call    nt!KeBugCheckEx (805337f3)
    806ba77e cc              int     3
    
    kd> kb
     # ChildEBP RetAddr  Args to Child              
    00 f8967818 8069fd62 f89678b0 00000040 00040000 nt!RtlCreateUserProcess
    01 f8967dac 8057aeff 80087000 00000000 00000000 nt!Phase1Initialization+0x1059
    02 f8967ddc 804f88ea 806a12fa 80087000 00000000 nt!PspSystemThreadStartup+0x34
    03 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    
    kd> dS f89678b0
    000406a0  "\SystemRoot\System32\smss.exe"
    Last edited by blabberer; March 7th, 2020 at 05:00.
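
The decoding done by hand in the posts above, as an added example that is not part of the original thread: it parses the STOP line from the first post, splits Arg1 into its NTSTATUS fields, and applies the same signed test as the `cmp esi,ebx` / `jl` pair in the disassembly (ebx holding 0, per the NULL annotations). The two name tables are assumptions limited to the values named in this thread.

```python
import re

# Lookup tables built only from names that appear in this thread;
# a real tool would load the full lists from bugcodes.h / ntstatus.h.
BUGCHECK_NAMES = {0x6F: "SESSION3_INITIALIZATION_FAILED"}
NTSTATUS_NAMES = {0xC000000E: "STATUS_NO_SUCH_DEVICE"}
SEVERITY = ("success", "informational", "warning", "error")

STOP_RE = re.compile(r"stop\s*:?\s*(0x[0-9a-f]+)\s*\(\s*([^)]*)\)", re.IGNORECASE)

def parse_stop_line(line):
    """Return (bugcheck_code, [arg1..arg4]) from a blue-screen STOP line."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("not a STOP line: %r" % line)
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    if len(args) != 4:
        raise ValueError("expected 4 bugcheck parameters, got %d" % len(args))
    return code, args

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into severity / customer / facility / code."""
    value &= 0xFFFFFFFF
    # NTSTATUS is a signed 32-bit type, so the top bit makes it negative.
    signed = value - (1 << 32) if value & 0x80000000 else value
    return {
        "name": NTSTATUS_NAMES.get(value, "unknown"),
        "severity": SEVERITY[value >> 30],      # bits 31-30
        "customer": bool(value & 0x20000000),   # bit 29
        "facility": (value >> 16) & 0xFFF,      # bits 27-16
        "code": value & 0xFFFF,                 # bits 15-0
        # NT_SUCCESS(): signed value >= 0, i.e. the jl branch is not taken.
        "nt_success": signed >= 0,
    }

def explain(line):
    """Decode a STOP line; for 0x6F, Arg1 is the failing NTSTATUS."""
    code, args = parse_stop_line(line)
    report = {"bugcheck": code,
              "name": BUGCHECK_NAMES.get(code, "unknown"),
              "args": args}
    if code == 0x6F:
        report["status"] = decode_ntstatus(args[0])
    return report

# STOP line quoted in the first post of this thread.
SAMPLE = "Stop 0x0000006F (0xC000000E, 0x0, 0x0, 0x0)"

if __name__ == "__main__":
    print(explain(SAMPLE))
```
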

  3. #3
    Quote Originally Posted by blabberer View Post
    Code:
    kd> !error c000000e
    Error code: (NTSTATUS) 0xc000000e (3221225486) - A device which does not exist was specified.
    kd>
    possibly you have a corrupt smss.exe which is failing when RtlUserCreateProcess is called in phase3 initialization
    Brilliant, Blabbs, just what I was looking for.

    BTW...how did you find the NT status and how did you manage to create an 0x6F bugcheck in windbg in such a manner as to detect it? I was reading last night that it is possible to induce a BSOD intentionally via the keyboard (a PS/2 keyboard is required in XP). It worked, giving me a page fault, but no dmp file was recorded, possibly because I am in install mode. Apparently that method is good if you have a frozen system but no BSOD. You can induce a BSOD from the keyboard then trace the error causing the frozen condition.

    I replaced smss.exe already along with several other files with no difference in the BSOD. However, your revelation above re the NT parameter 0xc000000e reveals a lot.

    I used nlite to integrate USB drivers into the slipstreamed install disk and they do work during the installation. However, I integrated a second set of USB drivers for my USB addon card with a VIA chipset and it won't be found till the PCIe slot is fully functional. That could be the problem right there, I had been experiencing issues with the PCIe bus after doing a repair install with the stock XP SP3 disk.

    I had taken steps to amend that last night by creating two new install disks, one with a SATA driver and no USB drivers and one with only the mainboard USB drivers. Have not yet tested either since I forgot to include the right ACPI.sys in the ISO. Without it I get an error 0xA5, which can be bypassed at the F6 prompt by pressing F7.

    Thanks again.

    ps. I see how you did it now with the
    Code:
    kd> !analyze -show 6f
    There's only a handful of people on the Net know this stuff!!!

  4. #4
    Quote Originally Posted by WaxfordSqueers View Post
    There's only a handful of people on the Net know this stuff!!!
    there used to be a lot

    just remember how big the reverse engineering scene was

    today you see people on a tablet or a smartphone or beloved windows 10

    where it's about knowing how and where to click or controlling a software over pushes

    there was so much stuff about that time, maybe it still is but they used to make for softice maybe a bit later ollydbg

    windbg and ida appear in the room

    but still it seems like an empty room, the forums are empty, the examples for new programs are very low


    but back to your problem
    can't you break at either the driver entry or driver control like iofcalldriver
    if that isn't possible there is certainly a chain loader or a process you can break before that happens

  5. #5
    Quote Originally Posted by Elenil View Post
    but back to your problem
    can't you break at either the driver entry or driver control like iofcalldriver
    if that isn't possible there is certainly a chain loader or a process you can break before that happens
    First, I have to set up a kernel mode debugging session from W7 to XP. It has been done but I have not tried it yet. Furthermore, I am stuck in the middle of a repair installation and I'm not sure if XP will respond, even if the serial port is available.

    BTW...just made two more installation disks, one with sata, acpi, and the USB drivers for the chipset, and the other with SATA and ACPI only. The disk boots to the repair prompt OK, and loads files, but when it reboots it starts loading XP then fails after a few seconds with the bugcheck 0x6F.

    I may have a problem in my txtsetup.sif setup script or in the registry.

  6. #6
    Kayaker
    Softice does NTSTATUS codes as well, but not as nice as Windbg, let alone analyze -v.

    :ntstatus c000000e
    STATUS_NO_SUCH_DEVICE

    Blabberer, you did a live boot break to get to here? Once XP has loaded the INIT section code is paged out.

    Code:
    // XP ntoskrnl.exe 
    
    INIT:005C933E                   ; void __stdcall Phase1Initialization(PVOID)
    INIT:005C933E                   _Phase1Initialization@4 proc near       ; DATA XREF: PspInitPhase0(x)+3C8
    INIT:005C933E
    INIT:005C933E                   ProcessInfo     = _RTL_USER_PROCESS_INFO ptr -558h
    INIT:005C933E                   TimeFields      = TIME_FIELDS ptr -514h
    
    ...
    
    INIT:005C7D95 E8 B4 3E 00 00                    call    _RtlCreateUserProcess@40 ; RtlCreateUserProcess(x,x,x,x,x,x,x,x,x,x)
    INIT:005C7D9A 38 1D 00 BB 47 00                 cmp     _InbvBootDriverInstalled, bl
    INIT:005C7DA0 8B F0                             mov     esi, eax
    INIT:005C7DA2 5F                                pop     edi
    INIT:005C7DA3 74 05                             jz      short loc_5C7DAA
    INIT:005C7DA5 E8 79 11 E7 FF                    call    _FinalizeBootLogo@0 ; FinalizeBootLogo()
    
    ...
    
    INIT:005C7AA5                   loc_5C7AA5:                             ; CODE XREF: Phase1Initialization(x)-1591
    INIT:005C7AA5 53                                push    ebx
    INIT:005C7AA6 53                                push    ebx
    INIT:005C7AA7 56                                push    esi
    INIT:005C7AA8 6A 6F                             push    6Fh
    INIT:005C7AAA EB 2B                             jmp     short KeBugCheck
    According to this, VSL_INITIALIZATION_FAILED is a new addition to bugcodes.h in the Windows SDK. Windbg must be using good defines.

    bugcodes.h: New VSL_INITIALIZATION_FAILED, SOFT_RESTART_FATAL_ERROR, ... defines.
    https://naughter.wordpress.com/2016/08/20/changes-in-the-windows-v10-0-14393-sdk-compared-to-windows-v10-0-10240-sdk-part-one/


    Oh, here's an interesting article on Phase1Initialization

    Inside the Boot Process
    https://www.itprotoday.com/compute-engines/inside-boot-process-part-1
    https://www.itprotoday.com/compute-engines/inside-boot-process-part-2
