Sunday, June 23, 2013

A new bugcheck appears!

I ran into my first 0xC0000221 (STATUS_IMAGE_CHECKSUM_MISMATCH) bugcheck today. What does this bugcheck mean? Good question! Ultimately, this is caused when a device driver or important system file has become corrupted (from what I have read, more-so the latter than the former). In most cases, the filename of the problematic driver / system file is generally shown in the stop message. However, there are certain cases in which it is not, and you need to do some digging, although not very difficult!

For example, here's a dump from a crash I dealt with:

BugCheck C0000221, {fffff8a000227450, 0, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!ExpSystemErrorHandler2+5ff )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000221)
Unknown bugcheck description
Arguments:
Arg1: fffff8a000227450
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


BUGCHECK_STR:  0xc0000221

ERROR_CODE: (NTSTATUS) 0xc0000221 - {Bad Image Checksum}  The image %hs is possibly corrupt. The header checksum does not match the computed checksum.

EXCEPTION_CODE: (NTSTATUS) 0xc0000221 - {Bad Image Checksum}  The image %hs is possibly corrupt. The header checksum does not match the computed checksum.

EXCEPTION_PARAMETER1:  fffff8a000227450

EXCEPTION_PARAMETER2:  0000000000000000

EXCEPTION_PARAMETER3:  0000000000000000

EXCEPTION_PARAMETER4: 0

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff8000352332f to fffff800032d4c00

STACK_TEXT: 
fffff880`009a91e8 fffff800`0352332f : 00000000`0000004c 00000000`c0000221 fffff880`009a9288 fffffa80`0353d610 : nt!KeBugCheckEx
fffff880`009a91f0 fffff800`0332090d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00001000 : nt!ExpSystemErrorHandler2+0x5ff
fffff880`009a9420 fffff800`037079e1 : 00000000`c0000221 00000000`00000001 00000000`00000001 00000000`00040000 : nt!ExpSystemErrorHandler+0xdd
fffff880`009a9460 fffff800`03707de6 : fffffa80`c0000221 00000000`00000001 fffffa80`00000001 00000000`00040000 : nt!ExpRaiseHardError+0xe1
fffff880`009a9790 fffff800`037097a6 : fffff880`c0000221 00000000`00000001 00000000`00000001 fffff880`009a9988 : nt!ExRaiseHardError+0x1d6
fffff880`009a9890 fffff800`0371cadf : 00000000`c0000221 00000000`08000000 fffff800`037a3828 ffffffff`800000a0 : nt!NtRaiseHardError+0x1e4
fffff880`009a9930 fffff800`0371ce39 : 00000000`002a0028 00000000`00000000 00000000`00000001 fffff800`037d3ac0 : nt!PspLocateSystemDll+0xbf
fffff880`009a9a00 fffff800`0380736d : fffff800`00812810 00000000`00000002 00000000`00000000 fffff800`0344fe80 : nt!PsLocateSystemDlls+0x69
fffff880`009a9a40 fffff800`0380a4f5 : 00000000`00000007 00000000`00000010 ffffffff`8000002c fffff800`00818080 : nt!IoInitSystem+0x85d
fffff880`009a9b40 fffff800`0375a0f9 : 00000000`00000000 fffffa80`018e6040 00000000`00000080 fffffa80`01869890 : nt!Phase1InitializationDiscard+0x1275
fffff880`009a9d10 fffff800`03572ede : 00000000`00000000 00000000`00000080 00000000`00000000 fffff800`032c58f9 : nt!Phase1Initialization+0x9
fffff880`009a9d40 fffff800`032c5906 : fffff800`0344fe80 fffffa80`018e6040 fffff800`0345dcc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`009a9d80 00000000`00000000 : fffff880`009aa000 fffff880`009a4000 fffff880`009a93f0 00000000`00000000 : nt!KiStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ExpSystemErrorHandler2+5ff
fffff800`0352332f cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExpSystemErrorHandler2+5ff

FOLLOWUP_NAME:  MachineOwner

DEBUG_FLR_IMAGE_TIMESTAMP:  5147d9c6

FAILURE_BUCKET_ID:  X64_0xc0000221_VRF_nt!ExpSystemErrorHandler2+5ff

BUCKET_ID:  X64_0xc0000221_VRF_nt!ExpSystemErrorHandler2+5ff

Followup: MachineOwner
---------
As you can see, this one was fairly unforgiving and did not provide a 'look!!! I know what caused it!!'. Now, if this ever happens to you, here's what you can do.

1. Take a look at the four parameters. All of them but the 1st are 0000000000000000.

2. Copy the first parameter and run a 'da' on it (this will display the ASCII strings). For example: da fffff8a000227450 

Here's the output:

0: kd> da fffff8a000227450
fffff8a0`00227450  "\SystemRoot\System32\ntdll.dll"
As you can see, the problematic file here is 'ntdll.dll' which is the dynamic link library that is in charge of exporting the Windows Native API.

Once you find the file in question, you can generally fix it by running System File Checker or inserting your Windows installation disc and repairing (you can also use this method to replace it manually).

2 comments: