Re: BSOD during log in


From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/23/04


Date: Sun, 22 Feb 2004 21:59:47 -0800

I realize that you have reservations about setting up a KD, but I believe
it's the most direct way to resolution.

Right now, we *know* something is crashing inside of winlogon.exe right
after you log in.

Your suggestion of comparing registry keys between two users *assumes* that
the registry has info on what is loaded, but that may not be true.

However, if we catch the crash before the BSOD happens (the crash will jump
to the KD if available -- only when no debuggers are available do you see
the Blue Screen -- the "last resort" of sorts), it will identify the module
at fault, which *will* help determine a solution.

There was a time, long ago, when I'd shy away from directly debugging an
issue and try to find some other indirect method of determining the issue.
On reflection, it is MUCH faster to directly attack the problem and requires
only a little bit more understanding. It may not be the most "customer"
friendly thing to do since there's no pretty UI and lots of scary
hexadecimal numbers, but it is the fastest way to results. :-)

Microsoft Debugging Tools are at:
http://www.microsoft.com/ddk/debugging
There are instructions there on how to set up such a kernel debugger,
retrieve public symbols, and wait for the crash.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
<anonymous@discussions.microsoft.com> wrote in message
news:113d601c3f589$1263f050$a101280a@phx.gbl...
>-----Original Message-----
<snip>
>Are you running a custom company login module of some sort?
No - nothing like that.  No VPN, no nothing.
>You can hit F8 and start Windows with logging, which is
>analogous to Win98.
But didn't Win98 let you say Yes/No to each driver?  I had
already done as you suggested but did not get the option
to choose what got loaded. Also I haven't a clue what the
log file is called or where it is.
> You will need a KD to figure out why.
That sounds like more fun than I want to have <grin> - not
to mention that I haven't a clue where to begin.
Is there no way to compare the registry entries for the
User that _can_ log on (Administrator) with the one that
can't?  This is what confuses me - there must be some
difference in what is loaded and since it happens so
quickly after entering the password etc. Hopefully the
list isn't too long.  But what settings control what gets
loaded for whom?
>The sudden-nature of your issue makes me suspect that
>it's some sort of attack, or you're running some custom
>code in lsass/winlogon with a bug related to network access.
I guess attack is possible, but I'm behind a hardware
firewall and have not loaded anything non-standard, opened
any attachments, etc.
Thanks again for your help David - we may not have an
answer yet but I appreciate the effort.
>-- 
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and
>confers no rights.
>//
>"Jon Paris" <anonymous@discussions.microsoft.com> wrote
>in message
>news:118fd01c3f506$0db17b50$a601280a@phx.gbl...
>Thanks for the reply David - comments in-line
>
>><clip>
>> If the error
>>occurred after the installation of a new or updated
>device driver, system
>>service, or third-party application, the new software
>should be removed or
>>disabled. Contact the manufacturer of the software about
>a possible update.
>
>As I noted in my original message I had installed an
>Adobe update and one other application BUT both have now
>been removed with no effect.
>
>
>>Also, I would suspect that your computer was attacked via
>the network,
>>causing a shutdown in a critical Windows process and
>triggering this BSOD.
>
>Could this really happen _during_ sign-on?
>
>>I would first disable networking for your PC access and
>then try to boot.
>
>As I noted before - I can sign on to that ID in Safe mode
>without Networking.  But _why_ does the Administrator work
>just fine with networking? but other Admin level users
>fail?
>
>>Then, make sure this computer stays off the network (or
>at least run a
>>firewall so that your machine isn't blatantly accessible
>via the network)
>
>I have been behind a full firewall for some years - plus I
>am running Norton AV.
>
><snip>
>
>In Win 98 you could monitor each device driver etc. and
>determine the problem that way.  How do I do that with
>W2K??
>

