[SOLVED] BSOD

IBeats

Reputable
Aug 22, 2019
101
12
4,595
Does anyone know what hardware or software is causing my BSOD, this is a clean windows 10

At times my pc fails to boot as it looks like the Winlogon.exe or Csrss.exe crashes.

I suspect is the RAM or PSU causing the issue but unsure what is.

Specs:
R9 5950x CPU
RTX 2070s GPU
32gb Trident Z RAM
650w PSU
Tuf Gaming x570-plus MB (Bios: Latest Version 4403)


My minidump:
***
  • *
  • Bugcheck Analysis *
  • *
***

WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: ffffa483d8518860, String that identifies the problem.
Arg2: ffffffffc0000006, Error Code.
Arg3: 00007fff66898ff5
Arg4: 000000adfb6fdd00

Debugging Details:
------------------

ETW minidump data unavailable

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2843

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 2860

Key : Analysis.Init.CPU.mSec
Value: 296

Key : Analysis.Init.Elapsed.mSec
Value: 575895

Key : Analysis.Memory.CommitPeak.Mb
Value: 94

Key : Dump.Attributes.AsUlong
Value: 8

Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1


FILE_IN_CAB: 061622-7968-01.dmp

ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x

EXCEPTION_CODE_STR: c000021a

EXCEPTION_PARAMETER1: ffffa483d8518860

EXCEPTION_PARAMETER2: ffffffffc0000006

EXCEPTION_PARAMETER3: 00007fff66898ff5

EXCEPTION_PARAMETER4: adfb6fdd00

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_CODE: c000021a

BUGCHECK_P1: ffffa483d8518860

BUGCHECK_P2: ffffffffc0000006

BUGCHECK_P3: 7fff66898ff5

BUGCHECK_P4: adfb6fdd00

PROCESS_NAME: csrss.exe

ADDITIONAL_DEBUG_TEXT: Windows SubSystem

IMAGE_NAME: ntkrnlmp.exe

MODULE_NAME: nt

CUSTOMER_CRASH_COUNT: 1

STACK_TEXT:
ffffec02a8737558 fffff8005a9af33a : 000000000000004c 00000000c000021a ffffec02a9d973b0 ffff8e0ec318aa90 : nt!KeBugCheckEx
ffffec02a8737560 fffff8005a9902f9 : ffffec02a8737680 ffffec02a8737620 ffffec02a8737680 ffffec02a8737620 : nt!PopGracefulShutdown+0x29a
ffffec02a87375a0 fffff8005a996ecc : 0000000000000001 0000000000000006 0000000000000005 0000000000000000 : nt!PopTransitionSystemPowerStateEx+0x1205
ffffec02a8737660 fffff8005a4096b8 : 0000000000000000 0000000000000000 0000000000000000 0000000000000004 : nt!NtSetSystemPowerState+0x4c
ffffec02a8737840 fffff8005a3fbbc0 : fffff8005a841165 0000000000000014 ffffffffffffff00 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
ffffec02a87379d8 fffff8005a841165 : 0000000000000014 ffffffffffffff00 0000000000000000 fffff8005ac23c20 : nt!KiServiceLinkage
ffffec02a87379e0 fffff8005a765079 : 0000000000000000 ffff8e0e9be87cc0 0000000000000000 0000000000000000 : nt!PopIssueActionRequest+0xdbfcd
ffffec02a8737a80 fffff8005a349094 : 0000000000000001 0000000000000000 ffffffffffffffff fffff8005ac23b00 : nt!PopPolicyWorkerAction+0x79
ffffec02a8737af0 fffff8005a2bfae5 : ffff8e0e00000001 ffff8e0ec2bfb040 fffff8005a349000 fffff80000000000 : nt!PopPolicyWorkerThread+0x94
ffffec02a8737b30 fffff8005a2eea75 : ffff8e0ec2bfb040 0000000000000080 ffff8e0e9bed5080 000004d000000001 : nt!ExpWorkerThread+0x105
ffffec02a8737bd0 fffff8005a3ff3b8 : ffffdc0149940180 ffff8e0ec2bfb040 fffff8005a2eea20 0000000000000000 : nt!PspSystemThreadStartup+0x55
ffffec02a8737c20 0000000000000000 : ffffec02a8738000 ffffec02a8731000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME: nt!PopTransitionSystemPowerStateEx+1205

IMAGE_VERSION: 10.0.19041.1706

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 1205

FAILURE_BUCKET_ID: 0xc000021a_c0000006_csrss.exe_Terminated_nt!PopTransitionSystemPowerStateEx

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {b3ffc8fa-795c-38e6-3bd9-0b1e1680adf3}

Followup: MachineOwner
---------
 
Last edited:
Solution
bugcheck happened because the registry process was attempting to read a key and got a error:
indicating that the key was paged out of memory and could not be paged in.
This error is most likely going to be related to asus armory crate or malware attacking its drivers.
general info on attack:Kernel exploitation: weaponizing CVE-2020-17382 MSI Ambient Link driver :: — uf0 (matteomalvica.com)

download microsoft autoruns64,Autoruns for Windows - Windows Sysinternals | Microsoft Docs

boot into bios and turn off armory crate
reboot and uninstall any armory crate software.
run autoruns and confirm these drivers have been removed:
C:\WINDOWS\system32\drivers\MsIo64.sys Sun Jan 19 19:35:15 2020...
winlogon failed due to a STATUS_IN_PAGE_ERROR
this means it needed something from storage and the memory manager was unable to load it into RAM.

  • Most likely something did not wake up from a sleep state.
  • update the motherboard drivers from the motherboard vendors website. (chispset drivers)
  • check the health of your storage, download and run crystaldiskinfo.exe to read the smart data from the drive.
  • if you have a ssd make sure there is plenty of free disk space, boot into bios and let the system set idle for 30 minutes. after 5 minutes the drives firmware starts its cleanup routines.

As a work around you can set your system to run in high performance mode until you get your system updated.
 
  • Like
Reactions: IBeats

IBeats

Reputable
Aug 22, 2019
101
12
4,595
winlogon failed due to a STATUS_IN_PAGE_ERROR
this means it needed something from storage and the memory manager was unable to load it into RAM.

  • Most likely something did not wake up from a sleep state.
  • update the motherboard drivers from the motherboard vendors website. (chispset drivers)
  • check the health of your storage, download and run crystaldiskinfo.exe to read the smart data from the drive.
  • if you have a ssd make sure there is plenty of free disk space, boot into bios and let the system set idle for 30 minutes. after 5 minutes the drives firmware starts its cleanup routines.
As a work around you can set your system to run in high performance mode until you get your system updated.

Here is a list of things that I tried to solve the issue
https://docs.google.com/spreadsheet...ouid=117240122974756262283&rtpof=true&sd=true

MiniDump file
https://drive.google.com/file/d/1aV_lX1dRUEDvTkOCViAI3MW0iNWkMdc5/view?usp=sharing
 
bugcheck happened because the registry process was attempting to read a key and got a error:
indicating that the key was paged out of memory and could not be paged in.
This error is most likely going to be related to asus armory crate or malware attacking its drivers.
general info on attack:Kernel exploitation: weaponizing CVE-2020-17382 MSI Ambient Link driver :: — uf0 (matteomalvica.com)

download microsoft autoruns64,Autoruns for Windows - Windows Sysinternals | Microsoft Docs

boot into bios and turn off armory crate
reboot and uninstall any armory crate software.
run autoruns and confirm these drivers have been removed:
C:\WINDOWS\system32\drivers\MsIo64.sys Sun Jan 19 19:35:15 2020
C:\WINDOWS\system32\drivers\AsIO2.sys Mon May 31 18:42:16 2021
C:\WINDOWS\system32\drivers\AsIO3.sys Wed Sep 29 03:05:28 2021

then run cmd.exe as a admin and run
dism.exe /online /cleanup-image /restorehealth
this should repair the 4 modified windows files.
(checksums removed from files)
 
  • Like
Reactions: IBeats
Solution

IBeats

Reputable
Aug 22, 2019
101
12
4,595
bugcheck happened because the registry process was attempting to read a key and got a error:
indicating that the key was paged out of memory and could not be paged in.
This error is most likely going to be related to asus armory crate or malware attacking its drivers.
general info on attack:Kernel exploitation: weaponizing CVE-2020-17382 MSI Ambient Link driver :: — uf0 (matteomalvica.com)

download microsoft autoruns64,Autoruns for Windows - Windows Sysinternals | Microsoft Docs

boot into bios and turn off armory crate
reboot and uninstall any armory crate software.
run autoruns and confirm these drivers have been removed:
C:\WINDOWS\system32\drivers\MsIo64.sys Sun Jan 19 19:35:15 2020
C:\WINDOWS\system32\drivers\AsIO2.sys Mon May 31 18:42:16 2021
C:\WINDOWS\system32\drivers\AsIO3.sys Wed Sep 29 03:05:28 2021

then run cmd.exe as a admin and run
dism.exe /online /cleanup-image /restorehealth
this should repair the 4 modified windows files.
(checksums removed from files)

Should the drivers be unticked?

C:\WINDOWS\system32\drivers\MsIo64.sys Sun Jan 19 19:35:15 2020
C:\WINDOWS\system32\drivers\AsIO2.sys Mon May 31 18:42:16 2021
C:\WINDOWS\system32\drivers\AsIO3.sys Wed Sep 29 03:05:28 2021
 
Should the drivers be unticked?

C:\WINDOWS\system32\drivers\MsIo64.sys Sun Jan 19 19:35:15 2020
C:\WINDOWS\system32\drivers\AsIO2.sys Mon May 31 18:42:16 2021
C:\WINDOWS\system32\drivers\AsIO3.sys Wed Sep 29 03:05:28 2021
i would disable them but you will want to find out how they are installed or they will just keep coming back.
sometimes asus puts a task in task manager to reinstall their drivers.
armory crate drops in files like a rootkit (outside of the operating system)
 

IBeats

Reputable
Aug 22, 2019
101
12
4,595
i would disable them but you will want to find out how they are installed or they will just keep coming back.
sometimes asus puts a task in task manager to reinstall their drivers.
armory crate drops in files like a rootkit (outside of the operating system)

This driver is not listed in the Autorun64, but I can find it the folders
C:\WINDOWS\system32\drivers\MsIo64.sys

EDIT: Found it
 

IBeats

Reputable
Aug 22, 2019
101
12
4,595
This driver is not listed in the Autorun64, but I can find it the folders
C:\WINDOWS\system32\drivers\MsIo64.sys

EDIT: Found it
ignore the errors, basically 3 types of errors
  1. share violation when trying to copy the logs to a temp directory
  2. errors related to attempting to delete files that were already deleted
  3. on error attempting to delete a subsystem .net dll
(most likely the file was in use and you just need to reboot)
 

IBeats

Reputable
Aug 22, 2019
101
12
4,595
bugcheck happened because the registry process was attempting to read a key and got a error:
indicating that the key was paged out of memory and could not be paged in.
This error is most likely going to be related to asus armory crate or malware attacking its drivers.
general info on attack:Kernel exploitation: weaponizing CVE-2020-17382 MSI Ambient Link driver :: — uf0 (matteomalvica.com)

download microsoft autoruns64,Autoruns for Windows - Windows Sysinternals | Microsoft Docs

boot into bios and turn off armory crate
reboot and uninstall any armory crate software.
run autoruns and confirm these drivers have been removed:
C:\WINDOWS\system32\drivers\MsIo64.sys Sun Jan 19 19:35:15 2020
C:\WINDOWS\system32\drivers\AsIO2.sys Mon May 31 18:42:16 2021
C:\WINDOWS\system32\drivers\AsIO3.sys Wed Sep 29 03:05:28 2021

then run cmd.exe as a admin and run
dism.exe /online /cleanup-image /restorehealth
this should repair the 4 modified windows files.
(checksums removed from files)


I did a clean install with the Armoury Crate disable in the BIOS, and made sure those drivers are not installed. So far so good, haven't had any crashes at start-up or BSOD yet. I'll keep you updated if I do :)

Also, it's kind of stupid how official drives from the MB manufacturer cause problems.
 

Colif

Win 11 Master
Moderator
armoury crate, if not disabled in bios, is set to auto install itself on 1st restart in windows now. It is a feature they introduced in the last few years. It is meant to check the website and download the latest version but I have seen it install old versions before.
 

IBeats

Reputable
Aug 22, 2019
101
12
4,595
armoury crate, if not disabled in bios, is set to auto install itself on 1st restart in windows now. It is a feature they introduced in the last few years. It is meant to check the website and download the latest version but I have seen it install old versions before.

I hate that. I also tried the latest version of armoury crate and still got BSOD and crashes lmao