Results 1 to 9 of 9

Thread: BSOD error parameters

  1. #1

    BSOD error parameters

    This is off-topic with regard to reversing but I am desperate and hoping one of you guys has come across it. It is related to the reversing work I am doing but calling it on-topic is a stretch. I have researched this online till I'm blue in the face but finding the NT parameters to describe the exact type of BSOD is near impossible.

    Please delete if not acceptable.

    What I am really looking for is a link to a Microsoft article, like in the DDK or whatever, that would explain the error in detail.

    I am doing a repair install with an XP OS and I have encountered a BSOD in phase 4 (actually Session3) which is a brief part of the installation. I get the following error:

    Stop 0x0000006F (0xC000000E, 0x0, 0x0, 0x0)

    Description: Session3_initialization_failed

    I need to find out what the 0xC000000E parameter means.

    There is no dmp file, which is odd, and the setupapi log shows the installation ending with a reference to iastor.sys with a reference to %windir%\system32\drivers. I thought there might be an issue with registry hive permissions but I checked and they were good compared to a working copy of XP.

    Apparently the error references configuration files, but which ones?

    It's supposed to have something to do with a missing or corrupted file, namely smss.exe, ftdisk.sys, winlogon.exe, ntdll.dll, or ntoskrnl.exe. I have replaced all of them.

    It's possible that my installation disk is corrupt since it is a slipstreamed version. However, I substituted another slipstreamed disk hoping it would get me past that stage but it did not.

  2. #2
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,524
    Blog Entries
    15
    Code:
    kd> !analyze -show 6f
    VSL_INITIALIZATION_FAILED (6f)
    Arguments:
    Arg1: 00000000, Indicates the NT status code that caused the failure.
    Arg2: 00000000, Indicates the initialization phase.
    Arg3: 00000000, (reserved)
    Arg4: 00000000
    
    kd> !error c000000e
    Error code: (NTSTATUS) 0xc000000e (3221225486) - A device which does not exist w
    as specified.
    kd>
    possibly you have a corrupt smss.exe which is failing when RtlUserCreateProcess is called in phase3 initialization


    Code:
    kd> bl
         0 e Disable Clear  806a3b36     0001 (0001) nt!RtlCreateUserProcess
    
    kd> .lastevent
    Last event: Hit breakpoint 0
      debugger time: Sat Mar  7 21:03:44.909 2020 
      
    kd> u @$ra l9
    nt!Phase1Initialization+0x1059:
    8069fd62 381d80315580    cmp     byte ptr [nt!InbvBootDriverInstalled (80553180)],bl
    8069fd68 8bf0            mov     esi,eax >>>>>@esi == NTSTATUS
    8069fd6a 5f              pop     edi
    8069fd6b 7405            je      nt!Phase1Initialization+0x1069 (8069fd72)
    8069fd6d e889bbe6ff      call    nt!FinalizeBootLogo (8050b8fb)
    8069fd72 3bf3            cmp     esi,ebx
    8069fd74 53              push    ebx
    8069fd75 0f8ccca90100    jl      nt!Phase1Initialization+0x106e (806ba747)
    8069fd7b ffb5b0faffff    push    dword ptr [ebp-550h]
    
    kd> $$ if(InbvBootDriverInstalled) {nt!FinalizeBootLogo()} elseif(NTSTATUS @$esi != NTSUCCESS) jumpto 806ba747
    
    
    kd> u 806ba747 l6
    nt!Phase1Initialization+0x106e:
    806ba747 53              push    ebx  NULL
    806ba748 53              push    ebx  NULL
    806ba749 56              push    esi    NTSTAUS
    806ba74a 6a6f            push    6Fh  SESSION3_INIT_FAILED
    806ba74c eb2b            jmp     nt!Phase1Initialization+0x1161 (806ba779)
    806ba74e 53              push    ebx
    
    kd> u 806ba779 l2
    nt!Phase1Initialization+0x1161:
    806ba779 e87590e7ff      call    nt!KeBugCheckEx (805337f3)
    806ba77e cc              int     3
    
    kd> kb
     # ChildEBP RetAddr  Args to Child              
    00 f8967818 8069fd62 f89678b0 00000040 00040000 nt!RtlCreateUserProcess
    01 f8967dac 8057aeff 80087000 00000000 00000000 nt!Phase1Initialization+0x1059
    02 f8967ddc 804f88ea 806a12fa 80087000 00000000 nt!PspSystemThreadStartup+0x34
    03 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    
    kd> dS f89678b0
    000406a0  "\SystemRoot\System32\smss.exe"
    Last edited by blabberer; March 7th, 2020 at 05:00.

  3. #3
    Quote Originally Posted by blabberer View Post
    Code:
    kd> !error c000000e
    Error code: (NTSTATUS) 0xc000000e (3221225486) - A device which does not exist as specified.kd>
    possibly you have a corrupt smss.exe which is failing when RtlUserCreateProcess is called in phase3 initialization
    Brilliant, Blabbs, just what I was looking for.

    BTW...how did you find the NT status and how did you manage to create an 0x6F bugcheck in windbg in such a manner as to detect it? I was reading last night that it is possible to induce a BSOD intentionally via the keyboard (a PS/2 keyboard is required in XP). It worked, giving me a page fault, but no dmp file was recorded, possibly because I am in install mode. Apparently that method is good if you have a frozen system but no BSOD. You can induce a BSOD from the keyboard then trace the error causing the frozen condition.

    I replaced smss.exe already along with several other files with no difference in the BSOD. However, your revelation above re the NT parameter 0xc000000e reveals a lot.

    I used nlite to integrate USB drivers into the slipstreamed install disk and they do work during the installation. However, I integrated a second set of USB drivers for my USB addon card with a VIA chipset and it won't be found till the PCIe slot is fully functional. That could be the problem right there, I had been experiencing issues with the PCIe bus after doing a repair install with the stock XP SP3 disk.

    I had taken steps to amend that last night by creating two new install disks, one with a SATA driver and no USB drivers and one with only the mainboard USB drivers. Have not yet tested either since I forgot to included the right ACPI.sys in the ISO. Without it I get an error 0xA5, which can be bypassed at the F6 prompt by pressing F7.

    Thanks again.

    ps. I see how you did it now with the
    Code:
    kd> !analyze -show 6f
    There's only a handful of people on the Net know this stuff!!!

  4. #4
    Quote Originally Posted by WaxfordSqueers View Post
    There's only a handful of people on the Net know this stuff!!!
    there used to be a lot

    just remember how big the reverse engineering scene was

    today you see people on a tablet or a smartphone or beloved windows 10

    where its about to know how and where to click or controling a software over pushes

    there where so many stuff about that time, maybe it still is but they used to make for softice maybe a bit later ollydbg

    windbg and ida apears into the room

    but still it seems like a empty room the forums are empty the examples for new programs are very low


    but back to your problem
    cant you break at either the driver entry or driver control like iofcalldriver
    if that isnt possible there is certainly a chain loader or a process you can break before that happens

  5. #5
    Quote Originally Posted by Elenil View Post
    but back to your problem
    cant you break at either the driver entry or driver control like iofcalldriver
    if that isnt possible there is certainly a chain loader or a process you can break before that happens
    First, I have to set up a kernel mode debugging session from W7 to XP. It has been done but I have not tried it yet. Furthermore, I am stuck in the middle of a repair installation and I'm not sure if XP will respond, even if the serial port is available.

    BTW...just made two more installation disks, one with sata, acpi, and the USB drivers for the chipset, and the other with SATA and ACPI only. The disk boots to the repair prompt OK, and loads files, but when it reboots it starts loading XP then fails after a few seconds with the bugcheck 0x6F.

    I may have a problem in my txtsetup.sif setup script or in the registry.

  6. #6
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,143
    Blog Entries
    5
    Softice does NTSTATUS codes as well, but not as nice as Windbg, let alone analyze -v.

    :ntstatus c000000e
    STATUS_NO_SUCH_DEVICE

    Blabberer, you did a live boot break to get to here? Once XP has loaded the INIT section code is paged out.

    Code:
    // XP ntoskrnl.exe 
    
    INIT:005C933E                   ; void __stdcall Phase1Initialization(PVOID)
    INIT:005C933E                   _Phase1Initialization@4 proc near       ; DATA XREF: PspInitPhase0(x)+3C8
    INIT:005C933E
    INIT:005C933E                   ProcessInfo     = _RTL_USER_PROCESS_INFO ptr -558h
    INIT:005C933E                   TimeFields      = TIME_FIELDS ptr -514h
    
    ...
    
    INIT:005C7D95 E8 B4 3E 00 00                    call    _RtlCreateUserProcess@40 ; RtlCreateUserProcess(x,x,x,x,x,x,x,x,x,x)
    INIT:005C7D9A 38 1D 00 BB 47 00                 cmp     _InbvBootDriverInstalled, bl
    INIT:005C7DA0 8B F0                             mov     esi, eax
    INIT:005C7DA2 5F                                pop     edi
    INIT:005C7DA3 74 05                             jz      short loc_5C7DAA
    INIT:005C7DA5 E8 79 11 E7 FF                    call    _FinalizeBootLogo@0 ; FinalizeBootLogo()
    
    ...
    
    INIT:005C7AA5                   loc_5C7AA5:                             ; CODE XREF: Phase1Initialization(x)-1591
    INIT:005C7AA5 53                                push    ebx
    INIT:005C7AA6 53                                push    ebx
    INIT:005C7AA7 56                                push    esi
    INIT:005C7AA8 6A 6F                           push    6Fh
    INIT:005C7AAA EB 2B                          jmp     short KeBugCheck
    According to this, VSL_INITIALIZATION_FAILED is a new addition to bugcodes.h in the Windows SDK. Windbg must be using good defines.

    bugcodes.h: New VSL_INITIALIZATION_FAILED, SOFT_RESTART_FATAL_ERROR, ... defines.
    https://naughter.wordpress.com/2016/08/20/changes-in-the-windows-v10-0-14393-sdk-compared-to-windows-v10-0-10240-sdk-part-one/


    Oh, here's an interesting article on Phase1Initialization

    Inside the Boot Process
    https://www.itprotoday.com/compute-engines/inside-boot-process-part-1
    https://www.itprotoday.com/compute-engines/inside-boot-process-part-2

  7. #7
    Quote Originally Posted by Kayaker View Post
    According to this, VSL_INITIALIZATION_FAILED is a new addition to bugcodes.h in the Windows SDK. Windbg must be using good defines.
    From what I could gather, VSL is a reference to the processor virtualization, like hyper-v. I tested that by turning off both of my virtualization settings in BIOS to no effect.

    The problem turned out to be in the registry. I have a lot of dormant stuff in there from at least three generations of Intel chipsets, from ICH4 - ICH9 onto the G-series. Maybe the installation software hit something it did not like while enumerating.

    The install phase causing the error is supposed to be a 'brief' configuration stage for the executive. I would presume that means it is configuring the executive to set up devices via ACPI, etc. I replaced the 5 registry hives, Default, SAM, Security, Software, and System, from a backup set I had made from November 2019, and the installation proceeded fine.

    I might advise anyone reading this to make a backup regularly of the registry. It's easy to do if done from another OS. I was running two versions of XP on separate disks and in that case it's a matter of going to %windir%\System32\config in the OFFLINE drive, where the registry hives are stored, Just copy the files listed above to another directory or a backup drive.

    I have noticed that W10 has a way of blocking certain files from being copied, even if it's offline. To get around that, I use a boot disk based on WINPE or Linux.

    Anyway, I was doing a repair install with a disk slipstreamed with XP SP3 and the unofficial SP4 update that can be found at the ryanVM site. I did the repair because the SP4 update not only updates most of the XP updates, it also adds drivers for my new Intel B360 chipset. Every one of the features of that chipset are now active on XP, from the serial ports to the 6 core processor, except for one...the LAN driver. Working on that.

    The SP4 update has more than 6 driver packs integrated into it. It setup my Nvidia card and my Creative XFi sound card while it was at it, no easy feat.

    Anyway, I'm a happy camper...for now.

  8. #8
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,524
    Blog Entries
    15
    VSL is a new name for old barley
    but now coming in a tetrapack off a robotized machinery with some artificial flavours of mayoneese and cheese
    thrown in to fool the clickety click generation

    it is a name for the winxers not for the xperts ( i am using a winx windbg on an xpert vm so its vsl not sess3)
    for the rusty old xperts it was or still is Session3_initialization_failure

    btw ms hasn't updated its docs if you can feel consolation

    @k
    yes live xp vm on a win7 host over pipe sxe ibp;.reboot on break bp nt!RtlCreateUserProcess;g btw

    although Marks articles are nice you can nowadays take a peek a on the wrk (windows research kit) sources strewn all over the net especially forxp or up to srv2003

  9. #9
    Quote Originally Posted by blabberer View Post
    VSL is a new name for old barley ...it is a name for the winxers not for the xperts...for the rusty old xperts it was or still is Session3_initialization_failure
    The latter makes far more sense as I am still trying to find out what VSL means. I have discovered meanings from the Vienna Symphonic Library to the Venezuelan Summer League (baseball) but very little pertaining to computerese.

    As I posted earlier, the better definition, posted by you, was in relation to hardware that is not present. That gave me confidence to follow up on the registry aspect since Session3 is supposed to be a brief 'configuration' phase of a Windows installation in which the Executive is initialized. That meant to me an ini file, an error in the answer file, or the registry itself.

    I still have not figured out which hardware was not present because a bsod during an OS installatiion apparently does not result in a bug report. At least, I could not find one nor could a file search find one with a 'dmp' extension.

Similar Threads

  1. parameters
    By Shadlol in forum OllyDbg Support Forums
    Replies: 1
    Last Post: January 11th, 2009, 15:13
  2. load exe with parameters
    By bOU in forum OllyDbg Support Forums
    Replies: 1
    Last Post: May 3rd, 2005, 13:06
  3. Rocognizing calls parameters?
    By Anonymous in forum OllyDbg Support Forums
    Replies: 2
    Last Post: August 27th, 2003, 10:33
  4. parameters
    By death in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: March 20th, 2002, 19:12
  5. parameters passed to a call
    By The Keeper in forum Advanced Reversing and Programming
    Replies: 4
    Last Post: March 7th, 2002, 12:22

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •