You experience a STOP error 0xC000021a (WINLOGON_FATAL_ERROR) on one or more systems with Symantec Endpoint Protection 12.1 or higher. This issue may happen in spite of the same version of Symantec Endpoint Protection having run on the system(s) without any issues for an extended period of time. You find that uninstalling Symantec Endpoint Protection resolves the issue.
An investigation of the resulting memory dump(s) using the Windows Debugger (WinDBG) shows the following:
While booting the system, the system state is set to SHUTDOWN, with a QueryPower minor IRP.
The specific error is "The initial session process or system process terminated unexpectedly."
The failure bucket is 0xc000021a_SmpDestroyControlBlock_smss.exe_Terminated_00000001_nt!KiFastCallEntry, confirming the process involved is smss.exe.
After setting the system state, the registry is flushed and dirty data is written to a log file (\Windows\System32\config\SOFTWARE.LOG1), through ntfs.sys (Microsoft's NT File System driver).
Although the LAST_CONTROL_TRANSFER "to" address shows a reference to symefasi.sys (our Extended File Attributes driver), the driver performs a different operation in each dump (none of which can be tied to any existing issues in our support database).
A dump of all the stacks of all Symantec components does not show any direct involvement in the crash.
Windows Embedded Standard 7 Service Pack 1 (32-bit)
Windows 7 (32-bit or 64-bit)
Symantec Endpoint Protection 12.1 or higher
1: kd> !poaction
State..........: 3 - Set System State
Updates........: 0 SHUTDOWN-set
Lightest State.: Shutdown
Flags..........: c0000004 OverrideApps|DisableWakes|Critical
Irp minor......: QueryPower
System State...: Shutdown
Hiber Context..: 00000000
1: kd> !irp 87b74c00
Irp is active with 10 stacks 9 is current (= 0x87b74d90)
No Mdl: No System Buffer: Thread 8522ba70: Irp stack trace.
cmd flg cl Device File Completion-Context
0 e0 861f9020 87744c98 89da8aae-87b79c00 Success Error Cancel
Args: 00004000 00000000 0013de00 00000000
0 1 861f8380 87744c98 00000000-00000000 pending
Args: 00004000 00000000 0013de00 00000000
1: kd> !fileobj 87744c98
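To triage saved debugger logs from several affected systems against the findings above, the following added example (not Symantec's or Microsoft's code) parses WinDbg output and checks for the failure bucket and !poaction values quoted in this article. The function names and the embedded sample log are constructed for illustration, and the FAILURE_BUCKET_ID label is assumed to be the field name printed by !analyze -v.

```python
import re

# Constructed sample: the !poaction fields and the failure bucket are the ones
# quoted in this article; the FAILURE_BUCKET_ID label is assumed from "!analyze -v".
SAMPLE_LOG = """\
FAILURE_BUCKET_ID:  0xc000021a_SmpDestroyControlBlock_smss.exe_Terminated_00000001_nt!KiFastCallEntry
1: kd> !poaction
State..........: 3 - Set System State
Updates........: 0 SHUTDOWN-set
Lightest State.: Shutdown
Flags..........: c0000004 OverrideApps|DisableWakes|Critical
Irp minor......: QueryPower
System State...: Shutdown
Hiber Context..: 00000000
"""

# "Name.....: value" lines as printed by !poaction (dot padding varies per field).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*:\s*(.*)$")

def parse_poaction(log):
    """Return the !poaction fields as a dict keyed by lower-cased field name."""
    fields, in_block = {}, False
    for line in log.splitlines():
        if "kd>" in line:  # a new debugger command starts or ends the block
            in_block = line.rstrip().endswith("!poaction")
            continue
        m = FIELD_RE.match(line.strip())
        if in_block and m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def matches_signature(log):
    """Check the findings listed in the article; return (verdict, per-check detail)."""
    po = parse_poaction(log)
    found = re.search(r"FAILURE_BUCKET_ID:\s*(\S+)", log)
    bucket = found.group(1).lower() if found else ""
    checks = {
        "bugcheck_c000021a": bucket.startswith("0xc000021a"),
        "smss_terminated": "smss.exe_terminated" in bucket,
        "shutdown_querypower": po.get("system state") == "Shutdown"
                               and po.get("irp minor") == "QueryPower",
    }
    return all(checks.values()), checks

if __name__ == "__main__":
    verdict, detail = matches_signature(SAMPLE_LOG)
    print("matches article signature:", verdict, detail)
```

A log that fails one of the checks is better treated as a different crash and analyzed separately.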
A master smss.exe ("Windows Session Manager") process gets created as part of the Windows boot process. For each new user session, this master process creates a copy of itself (at maximum, there can be four concurrent sessions, plus one more for each extra CPU beyond one), then starts the winlogon.exe and csrss.exe instances corresponding to that user session and terminates the copy. It does this to provide faster response times in Terminal Services environments, where multiple users may log on simultaneously. As this initial process is unexpectedly terminated, the system crashes with a STOP error 0xC000021a (WINLOGON_FATAL_ERROR).
As per https://support.microsoft.com/kb/256986, \Windows\System32\config\SOFTWARE.LOG1 is related to the HKEY_LOCAL_MACHINE\Software registry hive. If a system shuts down while changes are being made in that hive (which is not uncommon), any uncommitted changes are written to that .log file, so they can be recovered later on.
In https://support.microsoft.com/kb/2564071, Microsoft confirmed it to be a problem in Windows 7 that a STOP error 0xc000021a may occur when a shutdown signal is sent to the system while starting up and smss.exe terminates.
Microsoft also released Windows update https://support.microsoft.com/kb/2840149 ("MS13-036: Description of the security update for the Windows file system kernel-mode driver (ntfs.sys): April 9, 2013") to address the issues reported in https://support.microsoft.com/kb/2839011 ("You receive an Event ID 55 or a 0xc000021a Stop error in Windows 7 after you install security update 2823324"). While correlation does not necessarily mean causation, the crashing thread stack does show several ntfs.sys function calls leading up to the crash. Even if security update 2823324 is not installed, it would be worthwhile to install the Windows update (if not already present), given the matching description and that the fix included might resolve this issue.
In Control Panel > Power Options > System Settings > Define power buttons and turn on password protection, verify whether the "When I press the power button" action is set to "Shut down" (if it is, set it to "Do nothing").
If the above actions do not resolve the issue, consider doing the following:
1. Upgrade one of the affected systems to the latest version of Symantec Endpoint Protection (which includes the latest version of symefasi.sys) and verify whether or not the issue still occurs.
2. Given that there is no apparent involvement of Symantec components and only Microsoft-based root causes for this issue are known, contact Microsoft for a second opinion.