BSOD Session Server

Discussion in 'FirstDefense-ISR Forum' started by starfish_001, Feb 4, 2007.

Thread Status:
Not open for further replies.
  1. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Not sure if this is an FD problem or not but ....

    I installed ShadowProtect Desktop - tried to create a couple of images of my OS partition, BSOD 0x ... 8b - so I uninstalled ShadowProtect.

    My fun starts now - at the point where the logon screen should appear, BSOD Session Manager initialization system process error with WinXP - 0xc 26c .... No problem, I think, I'll boot to my shadow snapshot offset by a couple of days - exactly the same problem.

    All snapshots did work ....

    Booted to one of my test snapshots - success.

    I then deleted one of the unbootable snapshots and imported an archive of the same snapshot from 3 days ago. This is my main snapshot, so pretty clean, normally no problems - archive taken before the ShadowProtect install. No errors during copy; boot to snapshot, same problem again .....

    How can these snapshots all BSOD - when all snapshots did work ... and one has been an archive?

    Now a bit worried as I have no explanation for the unbootable snapshots; they boot in safe mode but ... as of now I have not worked out what is causing the problem - guess it could be NOD or Outpost auto updating.

    Have uninstalled SSM, Outpost - I guess I should remove NOD as well.

    How do I change FD to RSS instead of VSS?


    Suggestions welcome ....
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Go to the command line: start - run - type cmd and click ok.

    At the prompt type: cd \$ISR\$APP\Setup -- press enter

    At the next prompt type: ISRSetup -install -rss --- press enter

    After the installation, you may be prompted to reboot. If you are not prompted to restart then manually restart the machine after the install -rss command is successfully executed.

    Screamer told me this and it worked for me - good luck
     
  3. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Thanks - gonna change over to RSS for now


    But I would still my to fix the damaged snapshots
     
  4. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I don't know much about FD-ISR but I don't see how the snapshots can be damaged. My guess is that shadow protect has messed things up.

    Do you have a copy of the MBR you could restore, or an image that you could restore? Perhaps then you could reinstall FD-ISR and build your snapshots up again.
     
  5. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Sorry for my ignorance but what is RSS and VSS? Is this like FAT32 and NTFS, where only one of the two can be used on a system, or can you have both RSS and VSS on your system (whatever RSS and VSS are)?

    I know that ShadowProtect needs "clean" VSS to work properly, so if FD-ISR needs RSS and your system can only have VSS or RSS, does that mean that FD-ISR (needing RSS) is incompatible with ShadowProtect (needing VSS)?

    Thanks,
    Atomas31
     
  6. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    At the moment I'm thinking that ShadowProtect is a catalyst - and that the problem is coming from SSM, Outpost or NOD. Just don't understand why older snapshots and archives are affected.

    I thought I had a fairly safe set of snapshots
    Main
    3-4 day offset
    30 day offset
    Various test archives
    Archives at various points back about 6 months
    TI or Paragon images every once in a while - about 1 per month


    So I do have images and a copy of the MBR - but at this stage don't believe that FD is compromised - changing to RSS just to be sure...
     
  7. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    https://www.wilderssecurity.com/showthread.php?t=126193&highlight=shadow copy

    See post 12
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Starfish

    I also had a problem when ShadowProtect was installed, and I had FDISR set to VSS. In my case when I updated a snapshot, FDISR deleted the files in the target. Not cool. Changing FDISR to RSS solved the problem, and it's faster.

    Pete
     
  9. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Right - another tick for RSS.

    To be fair I think the problem is SSM. I have now finally recovered the set of snapshots that BSOD at logon.

    I uninstalled SSM in safe mode - rebooted BSOD - rebooted again BSOD - rebooted again BSOD - rebooted into Windows.

    Strange, as the only thing I changed was ShadowProtect - I guess it changed the order drivers or services loaded, causing a disaster at logon -

    I am still a bit confused why that would apply to independent snapshots that have never seen ShadowProtect and have seen no changes, as they have not been booted for a few days ...

    VSS and shadow protect?
     
  10. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
  11. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    Well, it's not SSM or Outpost -

    0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED

    This occurs when Windows switches into kernel mode and a user-mode subsystem, such as Winlogon or the Client Server Runtime Subsystem (CSRSS), is compromised and security can no longer be guaranteed. Because Win XP can’t run without Winlogon or CSRSS, this is one of the few situations where the failure of a user-mode service can cause the system to stop responding. This Stop message also can occur when the computer is restarted after a system administrator has modified permissions so that the SYSTEM account no longer has adequate permissions to access system files and folders.
     
  12. grnxnm

    grnxnm Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    391
    Location:
    USA
    Wow, that's a new one. Never seen it before. I know Pete uses FDISR with ShadowProtect without issues. Maybe he has some advice for you.

    Incidentally, ShadowProtect makes no changes to the MBR, so after you uninstall ShadowProtect I'm at a loss as to how your system can continue to experience BSODs. After you have uninstalled ShadowProtect and rebooted, there are no active components of ShadowProtect on your system, so it seems likely that something else is causing the BSOD. Very strange.

    What's SSM?
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    http://www.syssafety.com/
    HIPS / Application Firewall
    Sets deep hooks = occasional conflicts
    Do a thread search here and you will see :)
    Very popular
    Not always easy to use
    Very effective
    :)
     
  14. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    As far as I can tell - there is nothing wrong with the MBR or FD-ISR, apart from ShadowProtect stopping VSS from working correctly when installed, but .... it copies fine without ShadowP installed. I have now changed to RSS just to be sure.

    The thing that bothers me is that the BSOD seems to be linked to the install of ShadowP. 3 snapshots that were all perfectly stable now BSOD at the logon screen with exactly the same error - no installs have been made other than ShadowP.

    It seems to be driver related because 1:3 or 1:5 boots succeeds?

    I have removed the obvious kernel level suspects SSM, Outpost but I guess it could be something else ......... nod. But nod is present in the test snapshots that still work - they are based on a snapshot from about 20 days ago in any case.


    I don't understand why a previously good archive should now no longer work.
     
  15. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    "STOP C000021A (Fatal System Error)
    The session manager initialization system process terminated unexpectedly with a status of 0xC000026C (0x00000000, 0x00000000)."

    I guess this is the problem
    The STOP 0xC000021A error occurs when either Winlogon.exe or Csrss.exe fails. When the Windows NT kernel detects that either of these processes has stopped, it stops the system and raises the STOP 0xC000021A error. This error may have several causes, including, but not limited to the following:

    • Mismatched system files have been installed.
    • A Service Pack installation has failed.
    • A backup program that was used to restore a hard disk did not correctly restore files that may have been in use.
    • An incompatible third party program has been installed.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;156669

    So it looks like it is something to do with ShadowP uninstall?
     
    Last edited: Feb 5, 2007
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Starfish

    When I had the problem I described I don't remember exactly what two security programs I had running, but I always had two kernel mode flavors running, and saw no particular issue. The one thing I can think of that might affect all snapshots was something I had happen with a KAV beta.

    They had a bad driver update on the server, so when you logged in you got the download automatically, and then on reboot the system was real dodgy. Drove me clean up a wall, 'cause if I logged into another snapshot it went bad, and if I restored a known good image, both snapshots went bad. Finally figured out what was going on and then was able to restore a good image (with cable modem off), get current with FDISR Archive, and then get into KAV and turn off Autoupdate.

    You might have or had something like this going on that trashed all the snapshots as you checked them.

    I've had SSM back on since you first posted, but I don't run Outpost. Maybe....

    Pete
     
  17. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Thanks as you say this type of problem - drives me nuts too ......

    I am grateful that I use a system OS disk, Data Disk, and Backup Disk. At this point I have only lost my favourite snapshot - I could just switch to one of my test snapshots (15 days old seems ok, 3 days old just breaks the same) or just revert to a clean XP install.

    Initially I thought SSM then Outpost now I think I'll try

    removing nod
    sfc /scannow
    chkdsk
    or
    If that does not work - restore the archive again with no N/W
    Maybe swap the SAM files around.

    That is all I can think of at the moment
     
    Last edited: Feb 5, 2007
  18. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    out of ideas for now .... even the archive fails with no nw
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Starfish

    Next thing I'd try is to delete your snapshot, and then uninstall FDISR, and start over. That may be your best course of action. Taking an image here wouldn't be a bad idea, just in case.

    Pete
     
  20. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    Starfish,

    Check your Event Viewer for Application & System. I'll bet that it was an issue w/ VSS.

    ...screamer
     
  21. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Screamer, Peter,

    The Event log has no VSS error - but I suspect that VSS has something to do with the way the BSODs propagate. I can copy other snapshots/archives around without any problems or errors.


    So my problems are linked to my primary snapshot, and its shadow and the archive, if newer than a couple of weeks.

    I have created a new set of snapshots and archives out of my 2 week old build for now.

    And I have deleted the damaged snapshots - they do seem to install a driver on first boot. Which is strange, as the HW config would not have changed in the 3 days since the archive.

    - import the archive - boot snapshot - installs a driver for something - reboot BSOD - if I update this snapshot from the archive again and then reboot, BSOD. It seems that the change that causes the BSOD is not refreshed from the archive.


    So Peter was correct: the act of booting is changing a previously good archive to unusable.


    I'm going to create a new image tonight - using either Paragon or DriveSnapshot just to be safe.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Starfish

    a) Is FDISR still running with VSS?
    b) Do you know what is installing the driver?

    Pete
     
  23. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    Starfish,

    you can take a look at the "detail logs" that FD-ISR creates:

    FD-ISR -> Help -> About -> Support Info: Include detail log for "X" days.

    Substitute the number of days since your issue began for X.

    Hopefully it wasn't long ago since these logs tend to be quite long.

    hth,

    ...screamer
     
  24. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Thanks for your continued support and interest...

    A)
    Last night I spent a while trying to fix the BSOD - and then created a new set of working snapshots from older backups.

    I'm still using VSS for now - I did plan to change to RSS late last night but - when I set explorer to reveal hidden system files and folders - no $ISR dir.
    As it was late I did not investigate further - something else for tonight.


    B) Not sure what, but it is one of those unprompted device installs like you might get if you installed a new disk or partition.

    Now, as the STOP 0xC000021A error may have several causes, including, but not limited to the following:

    • Mismatched system files have been installed.
    • A backup program that was used to restore a hard disk did not correctly restore files that may have been in use.

    I followed the MS advice to delete any pendingfilecopy operations, so that leaves a file system problem or driver as possible causes.


    So I need to create an empty snapshot, restore the archive, reboot and then catch the install to check this.


    This is more out of interest than necessity - I am not hopeful of fixing that snapshot set.
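A small diagnostic script, added here as an example rather than something any poster in this thread ran, that gathers the three things the last few posts ask about: queued pending-file operations (the registry value behind the KB "pendingfilecopy" advice is PendingFileRenameOperations), VSS errors in the Application and System event logs, and the tail of setupapi.log to see which driver the first boot of the restored snapshot installed. It assumes Windows PowerShell is installed on the XP box (it is not part of XP by default); the registry path and the log file path are the standard XP locations.

```powershell
# Added example, not from any poster in the thread. Assumes Windows PowerShell
# (1.0 or later) is installed on the XP machine being diagnosed.

# 1. Pending file operations queued for the next boot. The MS advice quoted
#    above is to clear these; the real value name is PendingFileRenameOperations.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey).PendingFileRenameOperations
if ($pending) {
    Write-Host "Pending file rename/delete operations still queued for next boot:"
    $pending | Where-Object { $_ } | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No PendingFileRenameOperations queued."
}

# 2. VSS errors in the Application and System logs (screamer's suggestion).
#    Filtering with Where-Object works on PowerShell 1.0 as well as later versions,
#    which did not yet have -Source / -EntryType parameters on Get-EventLog.
foreach ($log in 'Application', 'System') {
    $vssErrors = Get-EventLog -LogName $log |
        Where-Object { $_.Source -eq 'VSS' -and $_.EntryType -eq 'Error' } |
        Select-Object -First 10
    Write-Host "`n$log log: $(@($vssErrors).Count) recent VSS error(s)"
    $vssErrors | Format-Table TimeGenerated, EventID, Message -AutoSize
}

# 3. What did Plug and Play install on the last boot? On XP the device setup log
#    is %windir%\setupapi.log; its last entries cover the most recent install,
#    which is the unprompted driver install described in the post above.
$setupLog = Join-Path $env:windir 'setupapi.log'
if (Test-Path $setupLog) {
    Write-Host "`nTail of $setupLog (look for the driver installed just before the BSOD):"
    Get-Content $setupLog | Select-Object -Last 40
} else {
    Write-Host "`n$setupLog not found."
}
```

Run it from the snapshot that BSODs once it has been booted into safe mode, so the event log and setupapi.log entries from the failed normal boot are still the most recent ones.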
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    First thing I'd do is get that VSS off, and switch to RSS. You might be trying to put the fire out with gasoline
     