BSOD related to Device Install Manager - USB Issues


  1. Posts : 4
    Windows 8 Pro
       #1

    BSOD related to Device Install Manager - USB Issues


    Hi folks,

    After some irritating BSODs and a long process of trial and error that followed, I managed to track down the cause: the Device Install Service (C:\Windows\system32\svchost.exe -k DcomLaunch) in Windows or something related to it.

    As I understand it, this service manages PnP for the USB drives etc. Every time it is triggered (even if triggered manually via command prompt or through the Services app), I get a BSOD.

    Some notes:

    1) All USB devices removed except for mouse and keyboard. Problem still occurs.

    2) Did a system restore to a point before problems started appearing. Problem still occurs.

    3) Leaving the mouse and keyboard in the same USB ports does not trigger the error (Windows seems to remember the mapping before I had problems). Changing the physical USB port for either device or trying to boot with either device in any other port than the port it is currently in will trigger the BSOD. Sometimes the "New Device Found" window will appear on boot before this happens.

    4) Plugging in any new USB device will trigger the failure.

    5) BSOD happens anytime between 5-30 seconds after the service is triggered.

    6) The presence of Driver Verifier running does not alter the dump results. Looks like software rather than hardware.

    Can anyone help me in attempting to repair this without doing a reinstallation?

    The WinDbg output for the crash dump is given below.

    Code:
    Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Windows\Minidump\120213-10687-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 8 Kernel Version 9200 MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 9200.16628.amd64fre.win8_gdr.130531-1504
    Machine Name:
    Kernel base = 0xfffff800`9ea6c000 PsLoadedModuleList = 0xfffff800`9ed38a20
    Debug session time: Mon Dec  2 02:25:40.499 2013 (UTC + 8:00)
    System Uptime: 0 days 0:04:12.149
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..................................................
    Loading User Symbols
    Loading unloaded module list
    ...........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck C000021A, {fffff8a01089e760, 0, 0, 0}
    
    ----- ETW minidump data unavailable-----
    Probably caused by : ntkrnlmp.exe ( nt!NtSetSystemPowerState+878 )
    
    Followup: MachineOwner
    ---------
    
    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    WINLOGON_FATAL_ERROR (c000021a)
    The Winlogon process terminated unexpectedly.
    Arguments:
    Arg1: fffff8a01089e760, String that identifies the problem.
    Arg2: 0000000000000000, Error Code.
    Arg3: 0000000000000000
    Arg4: 0000000000000000
    
    Debugging Details:
    ------------------
    
    ----- ETW minidump data unavailable-----
    
    BUGCHECK_STR:  0xc000021a_0
    
    ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.
    
    EXCEPTION_PARAMETER1:  fffff8a01089e760
    
    EXCEPTION_PARAMETER2:  0000000000000000
    
    EXCEPTION_PARAMETER3:  0000000000000000
    
    EXCEPTION_PARAMETER4: 0
    
    ADDITIONAL_DEBUG_TEXT:  Windows must now restart because the Device Install Service service terminated unexpectedly
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
    PROCESS_NAME:  services.exe
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from fffff8009eddd37a to fffff8009eac6440
    
    STACK_TEXT:  
    fffff880`02fea6e8 fffff800`9eddd37a : 00000000`0000004c 00000000`c000021a fffff880`0cde2400 fffffa80`13afbe60 : nt!KeBugCheckEx
    fffff880`02fea6f0 fffff800`9edcea24 : 00000000`00000001 00000000`00000002 ffffffff`80001630 00000000`00000002 : nt!PopGracefulShutdown+0x29a
    fffff880`02fea730 fffff800`9eac5453 : fffffa80`0cabf640 00000000`00000000 00000000`c0000004 fffff800`9eb9c801 : nt!NtSetSystemPowerState+0x878
    fffff880`02fea870 fffff800`9eaca630 : fffff800`9f06e8ef 00000000`00000001 00000000`00000000 00000000`00000007 : nt!KiSystemServiceCopyEnd+0x13
    fffff880`02feaa08 fffff800`9f06e8ef : 00000000`00000001 00000000`00000000 00000000`00000007 fffff8a0`1116ed00 : nt!KiServiceLinkage
    fffff880`02feaa10 fffff800`9ef42bb7 : 00000000`00000000 fffff800`9eba2558 00000000`00000000 fffffa80`0e5facb0 : nt! ?? ::NNGAKEGL::`string'+0x42985
    fffff880`02feaad0 fffff800`9ea9b7ac : fffffa80`0cabf640 00000000`00000000 00000000`00000002 fffff800`9eacfcbc : nt!PopPolicyWorkerAction+0x63
    fffff880`02feab40 fffff800`9eb042a1 : fffff800`00000002 fffff800`9ea9b6ec fffff800`9ed05560 fffff800`9ed05c00 : nt!PopPolicyWorkerThread+0xc0
    fffff880`02feab80 fffff800`9ea98fd9 : 00000000`00000000 00000000`00000080 fffff800`9eb04160 fffffa80`0cabf640 : nt!ExpWorkerThread+0x142
    fffff880`02feac10 fffff800`9eb4d7e6 : fffff880`012d8180 fffffa80`0cabf640 fffff880`012e3f40 fffffa80`0ca44200 : nt!PspSystemThreadStartup+0x59
    fffff880`02feac60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!NtSetSystemPowerState+878
    fffff800`9edcea24 cc              int     3
    
    SYMBOL_STACK_INDEX:  2
    
    SYMBOL_NAME:  nt!NtSetSystemPowerState+878
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  51a966cd
    
    BUCKET_ID_FUNC_OFFSET:  878
    
    FAILURE_BUCKET_ID:  0xc000021a_0_nt!NtSetSystemPowerState
    
    BUCKET_ID:  0xc000021a_0_nt!NtSetSystemPowerState
    
    Followup: MachineOwner
      My Computer


  2. Posts : 3,056
    Windows 10
       #2

    Hello Deadlock123 and welcome to SF :).

    Cause:

    • This error occurs when a user-mode subsystem, such as WinLogon or the Client Server Run-Time Subsystem (CSRSS), has been fatally compromised and security can no longer be guaranteed. In response, the operating system switches to kernel mode. Microsoft Windows cannot run without WinLogon or CSRSS. Therefore, this is one of the few cases where the failure of a user-mode service can shut down the system. Mismatched system files can also cause this error. This can occur if you have restored your hard disk from a backup. Some backup programs might skip restoring system files that they determine are in use.


    Resolving the Problem
    :
    • Running the kernel debugger is not useful in this situation because the actual error occurred in a user-mode process.
    • Resolving an error in a user-mode device driver, system service, or third-party application: Because bug check 0xC000021A occurs in a user-mode process, the most common culprits are third-party applications. If the error occurred after the installation of a new or updated device driver, system service, or third-party application, the new software should be removed or disabled. Contact the manufacturer of the software about a possible update.
    • If the error occurs during system startup, restart your computer, and press F8 at the character-based menu that displays the operating system choices. At the resulting Windows Advanced Options menu, choose the Last Known Good Configuration option. This option is most effective when only one driver or service is added at a time.
    • If this does not resolve the error, try manually removing the offending software. If the system partition is formatted with NTFS file system, you might be able to use Safe Mode to rename or delete the faulty software.
    • If the faulty software is used as part of the system startup process in Safe Mode, you need to start the computer using the Recovery Console in order to access the file. If a newly installed piece if hardware is suspected, remove it to see if this resolves the issue.
    • Try running the Emergency Recovery Disk (ERD) and allow the system to repair any errors that it detects.
    • Resolving a mismatched system file problem: If you have recently restored your hard disk from a backup, check if there is an updated version of the Backup/Restore program available from the manufacturer. Make sure the latest Windows Service Pack is installed.
    Seeing this is one of the few and rare occasions that a bug check originated in user-mode
    rather then in the Kernel, I would start with a thorough Virus and Malware scans
    then continue with a repair install.

    Are you able to boot normally or into Safe Mode ?
    If you are please follow the Blue Screen of Death (BSOD) Posting Instructions to give us more information about the system.

    Please scan for possible infection and file corruption.


    (*Kaspersky Rescue CD from a USB thumbdrive)

    For good measure I suggest testing the HDD as well:
       Warning
    The Following Method Should NOT Be Performed On An SSD!


    Testing the HDD:


    1. Perform a Disk Check | Disk Check- Scroll down to OPTION TWO of the tutorial and use the /R switch in the CHKDSK command | chkdsk C: /R.
    2. Then Post the Disk Check results following | This Tutorial.
    3. Once back in Windows, download Crystal Disk Info and post a screenshot (multiple shots if you have more than one drive).
    4. Download SeaTools for DOS if you don't want to use a CD to test the HDD you can use YUMI – Multiboot USB Creator to create a bootable USB (instructions are found at the bottom of both pages).
    5. If SeaTools for DOS is unable to recognize your HDD:
    6. Visit HDDdiag and follow the instructions | Or follow the instructions below.

    If SeaTools For DOS does not recognize the drive;
    Boot into the BIOS using the *Fx key.
    Look for an entry called SATA Mode (or something similar), it should be set to IDE / AHCI.
    It's probably set to AHCI which is why SeaTools doesn't recognize them in the DOS environment.
    Set it to IDE then save and exit usually by pressing the F10 key.
    Now boot into SeaTools and it should detect the drives.
    Start the Long Test and let it run.
    Upon completion don't try to boot into Windows as it will only result in a BSOD, go back into the BIOS
    and change the SATA setting back to what it was in the first place.



    Let us know the results.
    Last edited by YoYo155; 01 Dec 2013 at 18:32.
      My Computer


  3. Posts : 4
    Windows 8 Pro
    Thread Starter
       #3

    Thanks for the reply. :)

    I am able to both boot normally and into safe mode. The BSOD only happens when I try to plug in a USB device or change the USB port of any already-plugged in device. As long as I don't do this, the system is rock stable.

    My BSOD dump is attached. If you do see anything of use, please let me know.

    I will try the rootkit and malware checks tomorrow, but I am doubtful this is the cause as I maintain very vigilant watch over my system (been a power user for 15 years - not once been infected). Still, I suppose it is worth a try.

    My main drive is a RAID-0 SSD, so I will not attempt the HDD scan.

    REALLY appreciate the detailed help given on there. Thanks again!

    EDIT: Attachment removed. Issue solved.
    Last edited by Deadlock123; 02 Dec 2013 at 10:46.
      My Computer


  4. Posts : 3,056
    Windows 10
       #4

    Thanks for the files :) .
    Now as you have Windows 8 and a RAID setup I wouldn't perform a repair install!.

    Instead let's troubleshoot the startup. First Perform a clean startup.


       Warning
    Disabling the wrong entry may result in Windows not booting properly or not at all!
    Make sure you know what you're disabling.
    *** What to uncheck and what not. *** - Sysinternals Forums

    Upload an Autoruns log;


    • Download Autoruns
    • Run Autoruns as Administrator
    • At the top go to Options> Filter Options...
      • Check these:

    • Click the little floppy icon at the top to save..
      My Computer


  5. Posts : 4
    Windows 8 Pro
    Thread Starter
       #5

    YoYo, just to clarify before I do this: I have no issues with start up at all. I only get a BSOD upon trying to use any USB port AFTER start-up.

    Do you still want me to run this process?

    Thanks!
      My Computer


  6. Posts : 3,056
    Windows 10
       #6

    I know, but I'm going somewhere with it, do the BSODs appear as they normally do but while in safe-mode?
      My Computer


  7. Posts : 4
    Windows 8 Pro
    Thread Starter
       #7

    Hi YoYo,

    SINCERELY appreciate your help with this.

    I have fixed the problem. I had a hunch that it had something directly to do with the DeviceInstall service as indicated in my first post. Did some digging, compared reports from Event Viewer and crash dump etc and found the issue:

    The registry key HKLM/System/CurrentControlSet/Services/DeviceInstall/Parameters was missing the ServiceDll string. I restored it manually (referred to another Windows 8 machine for the correct value, which should be %SystemRoot%\system32\umpnpmgr.dll), and now all is fine again.

    I have no idea how the key got removed in the first place. I have not found a single other instance online where this has happened, but it is what it is.

    Thanks again for your efforts, and I am indebted to this forum because this is the first time I am using Driver Verifier, the Windows Debugger and the Event Viewer to diagnose issues, and my knowledge has improved tremendously in the last few hours.

    :)
      My Computer


  8. Posts : 3,056
    Windows 10
       #8

    Hi :).
    Thanks for posting back with a resolution, for future reference.
    That would have been a tough one to discover remotely
    especially in light of the fact that I'm on Windows 7.
    Glad you have it fixed now!
    Linger around and no matter how advanced you may be you'll be surprised
    at the amount of precious information you'll pick up .

    Enjoy your stay.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 13:34.
Find Us