BSOD error parameters

WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

This is off-topic with regard to reversing but I am desperate and hoping one of you guys has come across it. It is related to the reversing work I am doing but calling it on-topic is a stretch. I have researched this online till I'm blue in the face but finding the NT parameters to describe the exact type of BSOD is near impossible.

Please delete if not acceptable.

What I am really looking for is a link to a Microsoft article, like in the DDK or whatever, that would explain the error in detail.

I am doing a repair install with an XP OS and I have encountered a BSOD in phase 4 (actually Session3) which is a brief part of the installation. I get the following error:

Stop 0x0000006F (0xC000000E, 0x0, 0x0, 0x0)

Description: Session3_initialization_failed

I need to find out what the 0xC000000E parameter means.

There is no dmp file, which is odd, and the setupapi log shows the installation ending with a reference to iastor.sys with a reference to %windir%\system32\drivers. I thought there might be an issue with registry hive permissions but I checked and they were good compared to a working copy of XP.

Apparently the error references configuration files, but which ones?

It's supposed to have something to do with a missing or corrupted file, namely smss.exe, ftdisk.sys, winlogon.exe, ntdll.dll, or ntoskrnl.exe. I have replaced all of them.

It's possible that my installation disk is corrupt since it is a slipstreamed version. However, I substituted another slipstreamed disk hoping it would get me past that stage but it did not.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Code:

kd> !analyze -show 6f
VSL_INITIALIZATION_FAILED (6f)
Arguments:
Arg1: 00000000, Indicates the NT status code that caused the failure.
Arg2: 00000000, Indicates the initialization phase.
Arg3: 00000000, (reserved)
Arg4: 00000000

kd> !error c000000e
Error code: (NTSTATUS) 0xc000000e (3221225486) - A device which does not exist was specified.
kd>

possibly you have a corrupt smss.exe which is failing when RtlUserCreateProcess is called in phase3 initialization

Code:

kd> bl
     0 e Disable Clear  806a3b36     0001 (0001) nt!RtlCreateUserProcess

kd> .lastevent
Last event: Hit breakpoint 0
  debugger time: Sat Mar  7 21:03:44.909 2020 
  
kd> u @$ra l9
nt!Phase1Initialization+0x1059:
8069fd62 381d80315580    cmp     byte ptr [nt!InbvBootDriverInstalled (80553180)],bl
8069fd68 8bf0            mov     esi,eax >>>>>@esi == NTSTATUS
8069fd6a 5f              pop     edi
8069fd6b 7405            je      nt!Phase1Initialization+0x1069 (8069fd72)
8069fd6d e889bbe6ff      call    nt!FinalizeBootLogo (8050b8fb)
8069fd72 3bf3            cmp     esi,ebx
8069fd74 53              push    ebx
8069fd75 0f8ccca90100    jl      nt!Phase1Initialization+0x106e (806ba747)
8069fd7b ffb5b0faffff    push    dword ptr [ebp-550h]

kd> $$ if(InbvBootDriverInstalled) {nt!FinalizeBootLogo()} elseif(NTSTATUS @$esi != NTSUCCESS) jumpto 806ba747


kd> u 806ba747 l6
nt!Phase1Initialization+0x106e:
806ba747 53              push    ebx  NULL
806ba748 53              push    ebx  NULL
806ba749 56              push    esi    NTSTATUS
806ba74a 6a6f            push    6Fh  SESSION3_INIT_FAILED
806ba74c eb2b            jmp     nt!Phase1Initialization+0x1161 (806ba779)
806ba74e 53              push    ebx

kd> u 806ba779 l2
nt!Phase1Initialization+0x1161:
806ba779 e87590e7ff      call    nt!KeBugCheckEx (805337f3)
806ba77e cc              int     3

kd> kb
 # ChildEBP RetAddr  Args to Child              
00 f8967818 8069fd62 f89678b0 00000040 00040000 nt!RtlCreateUserProcess
01 f8967dac 8057aeff 80087000 00000000 00000000 nt!Phase1Initialization+0x1059
02 f8967ddc 804f88ea 806a12fa 80087000 00000000 nt!PspSystemThreadStartup+0x34
03 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

kd> dS f89678b0
000406a0  "\SystemRoot\System32\smss.exe"
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote:

Code:

kd> !error c000000e
Error code: (NTSTATUS) 0xc000000e (3221225486) - A device which does not exist was specified.
kd>
possibly you have a corrupt smss.exe which is failing when RtlUserCreateProcess is called in phase3 initialization

Brilliant, Blabbs, just what I was looking for.

BTW...how did you find the NT status and how did you manage to create an 0x6F bugcheck in windbg in such a manner as to detect it? I was reading last night that it is possible to induce a BSOD intentionally via the keyboard (a PS/2 keyboard is required in XP). It worked, giving me a page fault, but no dmp file was recorded, possibly because I am in install mode. Apparently that method is good if you have a frozen system but no BSOD. You can induce a BSOD from the keyboard then trace the error causing the frozen condition.

I replaced smss.exe already along with several other files with no difference in the BSOD. However, your revelation above re the NT parameter 0xc000000e reveals a lot.

I used nlite to integrate USB drivers into the slipstreamed install disk and they do work during the installation. However, I integrated a second set of USB drivers for my USB addon card with a VIA chipset and it won't be found till the PCIe slot is fully functional. That could be the problem right there, I had been experiencing issues with the PCIe bus after doing a repair install with the stock XP SP3 disk.

I had taken steps to amend that last night by creating two new install disks, one with a SATA driver and no USB drivers and one with only the mainboard USB drivers. Have not yet tested either since I forgot to include the right ACPI.sys in the ISO. Without it I get an error 0xA5, which can be bypassed at the F6 prompt by pressing F7.

Thanks again.

ps. I see how you did it now with the

Code:

kd> !analyze -show 6f

There's only a handful of people on the Net know this stuff!!! :p
Elenil
Senior Member
Posts: 140
Joined: Tue Sep 30, 2008 7:53 pm

Post by Elenil »

WaxfordSqueers wrote: There's only a handful of people on the Net know this stuff!!! :p

there used to be a lot

just remember how big the reverse engineering scene was

today you see people on a tablet or a smartphone or beloved windows 10

where it's about knowing how and where to click or controlling software over pushes

there was so much stuff about that time, maybe there still is, but they used to make it for softice, maybe a bit later ollydbg

windbg and ida appear in the room

but still it seems like an empty room, the forums are empty, the examples for new programs are very few


but back to your problem
can't you break at either the driver entry or driver control like iofcalldriver
if that isn't possible there is certainly a chain loader or a process you can break before that happens
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Elenil wrote: but back to your problem
can't you break at either the driver entry or driver control like iofcalldriver
if that isn't possible there is certainly a chain loader or a process you can break before that happens

First, I have to set up a kernel mode debugging session from W7 to XP. It has been done but I have not tried it yet. Furthermore, I am stuck in the middle of a repair installation and I'm not sure if XP will respond, even if the serial port is available.

BTW...just made two more installation disks, one with sata, acpi, and the USB drivers for the chipset, and the other with SATA and ACPI only. The disk boots to the repair prompt OK, and loads files, but when it reboots it starts loading XP then fails after a few seconds with the bugcheck 0x6F.

I may have a problem in my txtsetup.sif setup script or in the registry.
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Softice does NTSTATUS codes as well, but not as nice as Windbg, let alone analyze -v.

:ntstatus c000000e
STATUS_NO_SUCH_DEVICE

Blabberer, you did a live boot break to get to here? Once XP has loaded the INIT section code is paged out.

Code:

// XP ntoskrnl.exe 

INIT:005C933E                   ; void __stdcall Phase1Initialization(PVOID)
INIT:005C933E                   _Phase1Initialization@4 proc near       ; DATA XREF: PspInitPhase0(x)+3C8
INIT:005C933E
INIT:005C933E                   ProcessInfo     = _RTL_USER_PROCESS_INFO ptr -558h
INIT:005C933E                   TimeFields      = TIME_FIELDS ptr -514h

...

INIT:005C7D95 E8 B4 3E 00 00                    call    _RtlCreateUserProcess@40 ; RtlCreateUserProcess(x,x,x,x,x,x,x,x,x,x)
INIT:005C7D9A 38 1D 00 BB 47 00                 cmp     _InbvBootDriverInstalled, bl
INIT:005C7DA0 8B F0                             mov     esi, eax
INIT:005C7DA2 5F                                pop     edi
INIT:005C7DA3 74 05                             jz      short loc_5C7DAA
INIT:005C7DA5 E8 79 11 E7 FF                    call    _FinalizeBootLogo@0 ; FinalizeBootLogo()

...

INIT:005C7AA5                   loc_5C7AA5:                             ; CODE XREF: Phase1Initialization(x)-1591
INIT:005C7AA5 53                                push    ebx
INIT:005C7AA6 53                                push    ebx
INIT:005C7AA7 56                                push    esi
INIT:005C7AA8 6A 6F                             push    6Fh
INIT:005C7AAA EB 2B                             jmp     short KeBugCheck

According to this, VSL_INITIALIZATION_FAILED is a new addition to bugcodes.h in the Windows SDK. Windbg must be using good defines.
· bugcodes.h: New VSL_INITIALIZATION_FAILED, SOFT_RESTART_FATAL_ERROR, ... defines.
https://naughter.wordpress.com/2016/08/ ... -part-one/


Oh, here's an interesting article on Phase1Initialization

Inside the Boot Process
https://www.itprotoday.com/compute-engi ... ess-part-1
https://www.itprotoday.com/compute-engi ... ess-part-2
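
The decoding done by hand in the posts above, as an added example that is not part of the original thread: it parses the Stop line from the first post, treats the first argument as the NTSTATUS (as the `!analyze -show 6f` output describes Arg1), splits it into its bit fields and applies the same signed test as the `cmp esi,ebx` / `jl` pair in the disassembly. The function and type names are hypothetical, and the name table is a short hand-picked subset of ntstatus.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t bugcheck, arg[4]; } stop_record;
typedef struct { unsigned severity, customer, facility, code; } ntstatus_fields;

/* Parse a line such as "Stop 0x0000006F (0xC000000E, 0x0, 0x0, 0x0)".
   Returns 1 on success, 0 if the line does not have that shape. */
int parse_stop_line(const char *line, stop_record *out) {
    unsigned v[5];
    const char *p = strstr(line, "0x");
    if (!p || sscanf(p, "%x ( %x , %x , %x , %x )",
                     &v[0], &v[1], &v[2], &v[3], &v[4]) != 5)
        return 0;
    out->bugcheck = v[0];
    for (int i = 0; i < 4; i++) out->arg[i] = v[i + 1];
    return 1;
}

/* NTSTATUS layout: severity bits 31-30, customer bit 29,
   facility bits 27-16, code bits 15-0. */
ntstatus_fields decode_ntstatus(uint32_t s) {
    ntstatus_fields f = { s >> 30, (s >> 29) & 1, (s >> 16) & 0xFFF, s & 0xFFFF };
    return f;
}

/* Signed compare against zero, like "cmp esi,ebx / jl" with ebx == 0
   (ebx is annotated as NULL in the thread): bit 31 set means failure. */
int nt_success(uint32_t s) { return (int32_t)s >= 0; }

/* Hand-picked subset; a real tool would generate this from ntstatus.h. */
const char *ntstatus_name(uint32_t s) {
    switch (s) {
    case 0x00000000u: return "STATUS_SUCCESS";
    case 0xC000000Eu: return "STATUS_NO_SUCH_DEVICE";
    case 0xC0000034u: return "STATUS_OBJECT_NAME_NOT_FOUND";
    default:          return "(not in table)";
    }
}

int main(void) {
    stop_record r;
    /* Stop line as posted in the thread. */
    if (!parse_stop_line("Stop 0x0000006F (0xC000000E, 0x0, 0x0, 0x0)", &r)) return 1;
    ntstatus_fields f = decode_ntstatus(r.arg[0]);
    printf("bugcheck 0x%X arg1 %s success=%d sev=%u fac=0x%X code=0x%X\n",
           (unsigned)r.bugcheck, ntstatus_name(r.arg[0]), nt_success(r.arg[0]),
           f.severity, f.facility, f.code);
    return 0;
}
```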
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote: According to this, VSL_INITIALIZATION_FAILED is a new addition to bugcodes.h in the Windows SDK. Windbg must be using good defines.

From what I could gather, VSL is a reference to the processor virtualization, like hyper-v. I tested that by turning off both of my virtualization settings in BIOS to no effect.

The problem turned out to be in the registry. I have a lot of dormant stuff in there from at least three generations of Intel chipsets, from ICH4 - ICH9 onto the G-series. Maybe the installation software hit something it did not like while enumerating.

The install phase causing the error is supposed to be a 'brief' configuration stage for the executive. I would presume that means it is configuring the executive to set up devices via ACPI, etc. I replaced the 5 registry hives, Default, SAM, Security, Software, and System, from a backup set I had made from November 2019, and the installation proceeded fine.

I might advise anyone reading this to make a backup regularly of the registry. It's easy to do if done from another OS. I was running two versions of XP on separate disks and in that case it's a matter of going to %windir%\System32\config in the OFFLINE drive, where the registry hives are stored. Just copy the files listed above to another directory or a backup drive.

I have noticed that W10 has a way of blocking certain files from being copied, even if it's offline. To get around that, I use a boot disk based on WINPE or Linux.

Anyway, I was doing a repair install with a disk slipstreamed with XP SP3 and the unofficial SP4 update that can be found at the ryanVM site. I did the repair because the SP4 update not only updates most of the XP updates, it also adds drivers for my new Intel B360 chipset. Every one of the features of that chipset are now active on XP, from the serial ports to the 6 core processor, except for one...the LAN driver. Working on that.

The SP4 update has more than 6 driver packs integrated into it. It set up my Nvidia card and my Creative XFi sound card while it was at it, no easy feat.

Anyway, I'm a happy camper...for now. :p
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

VSL is a new name for old barley
but now coming in a tetrapack off a robotized machinery with some artificial flavours of mayonnaise and cheese
thrown in to fool the clickety click generation

it is a name for the winxers not for the xperts ( i am using a winx windbg on an xpert vm so its vsl not sess3)
for the rusty old xperts it was or still is Session3_initialization_failure

btw ms hasn't updated its docs if you can feel consolation

@k
yes live xp vm on a win7 host over pipe sxe ibp;.reboot on break bp nt!RtlCreateUserProcess;g btw

although Mark's articles are nice you can nowadays take a peek at the wrk (windows research kit) sources strewn all over the net especially for xp or up to srv2003
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote: VSL is a new name for old barley ...it is a name for the winxers not for the xperts...for the rusty old xperts it was or still is Session3_initialization_failure

The latter makes far more sense as I am still trying to find out what VSL means. I have discovered meanings from the Vienna Symphonic Library to the Venezuelan Summer League (baseball) but very little pertaining to computerese.

As I posted earlier, the better definition, posted by you, was in relation to hardware that is not present. That gave me confidence to follow up on the registry aspect since Session3 is supposed to be a brief 'configuration' phase of a Windows installation in which the Executive is initialized. That meant to me an ini file, an error in the answer file, or the registry itself.

I still have not figured out which hardware was not present because a bsod during an OS installation apparently does not result in a bug report. At least, I could not find one nor could a file search find one with a 'dmp' extension.