STOP error 0xC000021a on a system with Endpoint Protection

Article ID: 165191

Products

Endpoint Protection

Issue/Introduction

You experience a STOP error 0xC000021a (WINLOGON_FATAL_ERROR) on one or more systems with Symantec Endpoint Protection 12.1 or higher. This issue may happen in spite of the same version of Symantec Endpoint Protection having run on the system(s) without any issues for an extended period of time. You find that uninstalling Symantec Endpoint Protection resolves the issue.

An investigation of the resulting memory dump(s) using the Windows Debugger (WinDBG) shows the following:

  • While booting the system, the system state is set to SHUTDOWN, with a QueryPower minor IRP.
  • The specific error is "The initial session process or system process terminated unexpectedly."
  • The failure bucket is 0xc000021a_SmpDestroyControlBlock_smss.exe_Terminated_00000001_nt!KiFastCallEntry, confirming the process involved is smss.exe.
  • After setting the system state, the registry is flushed and dirty data is written to a log file (\Windows\System32\config\SOFTWARE.LOG1), through ntfs.sys (Microsoft's NT File System driver).
  • While the LAST_CONTROL_TRANSFER "to" address references symefasi.sys (our Extended File Attributes driver), that driver is performing a different operation in each dump (none of which can be tied to any existing issues in our support database).
  • A dump of all the stacks of all Symantec components does not show any direct involvement in the crash.

1: kd> !poaction
PopAction: 82d46868
State..........: 3 - Set System State
Updates........: 0 SHUTDOWN-set
Action.........: Shutdown
Lightest State.: Shutdown
Flags..........: c0000004 OverrideApps|DisableWakes|Critical
Irp minor......: QueryPower
System State...: Shutdown
Hiber Context..: 00000000

1: kd> !thread 8522ba70
THREAD 8522ba70 Cid 0004.0038 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
IRP List:
87b74c00: (0006,01d8) Flags: 00060a01 Mdl: 00000000
Not impersonating
DeviceMap 8ae08b98
Owning Process 85209020 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1388 Ticks: 0
Context Switch Count 679 IdealProcessor: 0 NoStackSwap
UserTime 00:00:00.000
KernelTime 00:00:00.093
Win32 Start Address nt!ExpWorkerThread (0x82c8adfe)
Stack Init 8c125ed0 Current 8c125200 Base 8c126000 Limit 8c123000 Call 00000000
Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child 
8c125250 8a0dbcec 06143852 87a60160 979d0c78 nt!KeAcquireGuardedMutex+0x1b (FPO: [0,0,2])
8c125340 8a0dc53a 87a60160 861f90d8 979d0c78 Ntfs!NtfsAllocateClusters+0xba4 (FPO: [Non-Fpo])
8c1253ec 8a044264 87a60160 87744c98 0100000c Ntfs!NtfsAddAllocation+0x34f (FPO: [Non-Fpo])
8c125430 8a03868b 87a60160 87744c98 0000000c Ntfs!NtfsAddAllocationForNonResidentWrite+0x133 (FPO: [Non-Fpo])
8c12554c 8a03c87a 87a60160 87b74c00 06143ed6 Ntfs!NtfsCommonWrite+0x1ae1 (FPO: [Non-Fpo])
8c1255c4 82c44c29 861f9020 87b74c00 87b74c00 Ntfs!NtfsFsdWrite+0x2e1 (FPO: [Non-Fpo])
8c1255dc 89da920c 861f8380 87b74c00 00000000 nt!IofCallDriver+0x63    <- Driver ntfs.sys is called
8c125600 89da93cb 8c125620 861f8380 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa (FPO: [Non-Fpo])
8c125638 82c44c29 861f8380 87b74c00 87b74c00 fltmgr!FltpDispatch+0xc5 (FPO: [Non-Fpo])
8c125650 82e38bf9 87744c98 87b74c00 87b74db4 nt!IofCallDriver+0x63
8c125670 82e7e990 861f8380 87744c98 00000001 nt!IopSynchronousServiceTail+0x1f8
8c12570c 82c4b8ba 861f8380 800003dc 00000000 nt!NtWriteFile+0x6e8
8c12570c 82c4ad15 861f8380 800003dc 00000000 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8c125738)
8c1257a8 82e1b630 800001f8 800003dc 00000000 nt!ZwWriteFile+0x11 (FPO: [9,0,0])
8c125824 82e1dafd 800001f8 8c125868 00000001 nt!CmpDoFileWrite+0x15c
8c125840 82e1b983 8ae886f8 00000004 8c125868 nt!CmpFileWrite+0x33
8c125888 82e1b9ea 0122ba70 00000000 8522ba70 nt!HvpWriteDirtyDataToLog+0x229
8c1258a0 82eb47b6 8ae0c008 8ae1a028 00000000 nt!HvOptimizedSyncHive+0x1c
8c1258c4 82df5d61 00000000 8b996050 8ae1a028 nt!CmpDoFlushAll+0xda
8c1258e8 82dedc72 8ae1a008 00000000 8c125944 nt!CmFlushKey+0x34
8c125938 82c4b8ba 800002b0 8c125a1c 82c497fd nt!NtFlushKey+0x17a
8c125938 82c497fd 800002b0 8c125a1c 82c497fd nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8c125944)
8c1259b4 82f2f8f3 800002b0 00000000 00000004 nt!ZwFlushKey+0x11 (FPO: [1,0,0])
8c125a1c 82f312b2 00000001 8c125aec 8c125b70 nt!PopFlushVolumes+0x9b
8c125ad8 82c4b8ba 00000004 00000004 c0000004 nt!NtSetSystemPowerState+0x468
8c125ad8 82c4a991 00000004 00000004 c0000004 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8c125aec)
8c125b5c 82e9e58b 00000004 00000004 c0000004 nt!ZwSetSystemPowerState+0x11 (FPO: [3,0,0])
8c125bac 82e9e845 00000000 00000004 00000004 nt!PopIssueActionRequest+0x1bf
8c125be8 82cd4576 82d50060 8522ba70 82d493bc nt!PopPolicyWorkerAction+0x45
8c125c00 82c8af0b 00000000 00000000 8522ba70 nt!PopPolicyWorkerThread+0x64
8c125c50 82e1712f 00000001 94fbbdb2 00000000 nt!ExpWorkerThread+0x10d
8c125c90 82cbe549 82c8adfe 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

1: kd> !irp 87b74c00
Irp is active with 10 stacks 9 is current (= 0x87b74d90)
No Mdl: No System Buffer: Thread 8522ba70: Irp stack trace. 
cmd flg cl Device File Completion-Context
[...]
>[IRP_MJ_WRITE(4), N/A(0)]
0 e0 861f9020 87744c98 89da8aae-87b79c00 Success Error Cancel 
\FileSystem\Ntfs    fltmgr!FltpPassThroughCompletion
Args: 00004000 00000000 0013de00 00000000
[IRP_MJ_WRITE(4), N/A(0)]
0 1 861f8380 87744c98 00000000-00000000 pending
\FileSystem\FltMgr
Args: 00004000 00000000 0013de00 00000000

1: kd> !fileobj 87744c98 

\Windows\System32\config\SOFTWARE.LOG1

[...]

Environment

Windows Embedded Standard 7 Service Pack 1 (32-bit)
Windows 7 (32-bit or 64-bit)
Symantec Endpoint Protection 12.1 or higher

Cause

A master smss.exe ("Windows Session Manager") process is created as part of the Windows boot process. For each new user session, this master process creates a copy of itself (at maximum, there can be four concurrent sessions, plus one more for each extra CPU beyond one), then starts the winlogon.exe and csrss.exe instances corresponding to that user session and terminates the copy. It does this to provide faster response times in Terminal Services environments, where multiple users may log on simultaneously. When this initial process is unexpectedly terminated, the system crashes with a STOP error 0xC000021a (WINLOGON_FATAL_ERROR).

As per https://support.microsoft.com/kb/256986, \Windows\System32\config\SOFTWARE.LOG1 is related to the HKEY_LOCAL_MACHINE\Software registry hive. If a system shuts down while changes are being made in that hive (which is not uncommon), any uncommitted changes are written to that .log file, so they can be recovered later on.

In https://support.microsoft.com/kb/2564071, Microsoft confirmed a problem in Windows 7 in which a STOP error 0xc000021a may occur when a shutdown signal is sent to the system while it is starting up and smss.exe terminates.

Microsoft also released Windows update https://support.microsoft.com/kb/2840149 ("MS13-036: Description of the security update for the Windows file system kernel-mode driver (ntfs.sys): April 9, 2013") to address the issues reported in https://support.microsoft.com/kb/2839011 ("You receive an Event ID 55 or a 0xc000021a Stop error in Windows 7 after you install security update 2823324"). While correlation does not necessarily mean causation, the crashing thread stack does show several ntfs.sys function calls leading up to the crash. Even if security update 2823324 is not installed, it is worthwhile to install this Windows update (if not already present), given the matching description and the possibility that the included fix resolves this issue.

Resolution

  1. Install Microsoft Windows update https://support.microsoft.com/kb/2840149 ("MS13-036: Description of the security update for the Windows file system kernel-mode driver (ntfs.sys): April 9, 2013");
  2. In Control Panel > Power Options > System Settings > "Define power buttons and turn on password protection", verify whether the "When I press the power button" action is set to "Shut down" (if it is, set it to "Do nothing").
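
One way to check both steps from an elevated PowerShell prompt; this is an added example, not Symantec or Microsoft code. The function name `Test-StopErrorMitigation` and its `-SetDoNothing` switch are hypothetical, and the `powercfg` aliases are assumed to be available as on a standard Windows 7 installation.

```powershell
# Added example (not vendor code): checks Resolution steps 1 and 2 locally.
# Written for PowerShell 2.0, the version that ships with Windows 7.
function Test-StopErrorMitigation {          # hypothetical name
    param([switch]$SetDoNothing)             # apply step 2 when "Shut down" is found

    # Step 1: look for the ntfs.sys update named in this article.
    # Get-HotFix only matches updates recorded under this exact ID.
    $kb = 'KB2840149'
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hotfix) { Write-Output "$kb is installed." }
    else { Write-Output "$kb is NOT listed as installed." }

    # Step 2: read the power button action of the active power plan.
    # The current AC and DC values are the only 0x-prefixed lines, so the
    # match does not depend on the localized label text.
    $names = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }
    $values = @(powercfg -query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION |
        ForEach-Object {
            if ($_ -match '(0x[0-9a-fA-F]{8})\s*$') { [Convert]::ToInt32($Matches[1], 16) }
        })
    if ($values.Count -ne 2) {
        Write-Warning 'Could not read the AC/DC power button values from powercfg.'
        return
    }

    $sources = 'AC', 'DC'
    $shutdown = $false
    for ($i = 0; $i -lt 2; $i++) {
        Write-Output ("Power button action ({0}): {1}" -f $sources[$i], $names[$values[$i]])
        if ($values[$i] -eq 3) { $shutdown = $true }
    }

    if ($shutdown -and $SetDoNothing) {
        # Index 0 = "Do nothing"; re-activating the plan applies the change.
        powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
        powercfg -setactive SCHEME_CURRENT
        Write-Output 'Power button action set to "Do nothing".'
    }
}

Test-StopErrorMitigation
```

Run `Test-StopErrorMitigation -SetDoNothing` to apply the step 2 change when either value reads "Shut down".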

If the above actions do not resolve the issue, consider doing the following:

1. Upgrade one of the affected systems to the latest version of Symantec Endpoint Protection (which includes the latest version of symefasi.sys) and verify whether or not the issue still occurs.
2. Given that there is no apparent involvement of Symantec components and only Microsoft-based root causes for this issue are known, contact Microsoft for a second opinion.