- May 7, 2013
- 10,400
```
CRITICAL_SERVICE_FAILED (5a)
Arguments:
Arg1: 0000000000000001
Arg2: ffff9306a338e8e0
Arg3: ffff8007674475a0
Arg4: ffffffffc0000103
```
Again, another rare and undocumented bugcheck: there are no parameter descriptions, and Microsoft have provided no details about the bugcheck other than that it occurs infrequently. Fortunately, I've managed to discover what all the parameters mean apart from the first one, which I suspect is the value for the start type enumeration of the failed service.
There isn't too much to say as to what the bugcheck means other than a boot service has failed to start correctly. The reason for the failure is given in the fourth parameter:
```
0: kd> !error c0000103
Error code: (NTSTATUS) 0xc0000103 (3221225731) - A requested opened file is not a directory.
```
It mentions that the file requested to be opened is not a directory. The file in question is given in the third parameter as a unicode string:
```
0: kd> !du ffff8007674475a0
\SystemRoot\system32\drivers\filecrypt.sys
```
As we can see, the filecrypt.sys driver appears to not be able to be loaded for some reason. We can also see evidence of this within the call stack.
```
0: kd> knL
 # Child-SP          RetAddr           Call Site
00 ffffa38c`04e06a78 fffff802`33816d58 nt!KeBugCheckEx
01 ffffa38c`04e06a80 fffff802`33a4efa3 nt!IopLoadDriver+0xebd58
02 ffffa38c`04e06c50 fffff802`33a4392a nt!IopInitializeSystemDrivers+0x157
03 ffffa38c`04e06cf0 fffff802`33787fcb nt!IoInitSystem+0x2e
04 ffffa38c`04e06d20 fffff802`33355a15 nt!Phase1Initialization+0x3b
05 ffffa38c`04e06d50 fffff802`333feef8 nt!PspSystemThreadStartup+0x55
06 ffffa38c`04e06da0 00000000`00000000 nt!KiStartSystemThread+0x28
```
Let's investigate a little further and then examine the unicode string in the second parameter of the bugcheck.
```
0: kd> !du ffff9306a338e8e0
\FileSystem\FileCrypt
```
As we can see, it appears to correspond to an object directory which symbolically points to the driver which we saw in the third parameter. We can dump the FileSystem directory using the !object command.
```
0: kd> !object \FileSystem
Object: ffff8007675375e0  Type: (ffff9306a1873380) Directory
    ObjectHeader: ffff8007675375b0 (new version)
    HandleCount: 0  PointerCount: 18
    Directory Object: ffff80076741e740  Name: FileSystem

    Hash Address          Type       Name
    ---- -------          ----       ----
     04  ffff9306a326dd60 Driver     Wof
     11  ffff9306a3293530 Device     CdfsRecognizer
     12  ffff9306a31b8c40 Device     UdfsDiskRecognizer
         ffff9306a3273a70 Driver     Fs_Rec
     19  ffff800767538920 Directory  Filters
     21  ffff9306a31b8390 Driver     FltMgr
     22  ffff9306a32930b0 Device     FatCdRomRecognizer
     23  ffff9306a31ea100 Driver     Ntfs
     24  ffff9306a33bbc40 Driver     Mup
         ffff9306a31afa70 Driver     RAW
     25  ffff9306a3275cb0 Device     ReFSRecognizer
         ffff9306a326f5c0 Driver     WdFilter
     28  ffff9306a326ca30 Driver     FileInfo
     31  ffff9306a3273c80 Device     FatDiskRecognizer
     32  ffff9306a31b8a00 Device     ReFSv1Recognizer
     33  ffff9306a3275a70 Device     ExFatRecognizer
     35  ffff9306a32932f0 Device     UdfsCdRomRecognizer
```
There doesn't appear to be a driver object for FileCrypt under the FileSystem directory, which would explain the error message we're shown in the fourth parameter. These symbolic links are usually set up by the driver itself during its DriverEntry routine; however, it doesn't seem to have been loaded correctly and therefore the service fails to load at boot.
If we use WinObj, we can see what should have been in the aforementioned directory:
To resolve this issue, I would suggest replacing the driver with a known good copy from either the WinSxS directory or an operating system of the same build.
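The manual check walked through above (decode Arg4, then look for the object named by Arg2 in the `!object \FileSystem` listing) can be scripted over saved debugger output. This is an added example, not part of the original post; the function names are hypothetical and the directory listing is an abridged copy of the one shown above.

```python
import re

# Abridged copy of the `!object \FileSystem` rows shown in the post.
OBJECT_DUMP = """\
Hash Address Type Name
---- ------- ---- ----
04 ffff9306a326dd60 Driver Wof
12 ffff9306a31b8c40 Device UdfsDiskRecognizer
ffff9306a3273a70 Driver Fs_Rec
19 ffff800767538920 Directory Filters
21 ffff9306a31b8390 Driver FltMgr
23 ffff9306a31ea100 Driver Ntfs
"""

# Optional two-digit hash bucket, 16-digit address, object type, object name.
ROW = re.compile(r"^\s*(?:([0-9a-f]{2})\s+)?([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_directory(dump):
    """Return {name: (type, address, bucket)} for each row of the listing.

    Rows printed without a hash value belong to the bucket of the row above.
    """
    entries, bucket = {}, None
    for line in dump.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        bucket = m.group(1) or bucket
        entries[m.group(4).lower()] = (m.group(3), int(m.group(2), 16), bucket)
    return entries

def decode_ntstatus(arg):
    """Split a bugcheck argument holding a sign-extended NTSTATUS into fields."""
    status = arg & 0xFFFFFFFF            # drop the 64-bit sign extension
    return {"status": status,
            "severity": status >> 30,    # 3 = error
            "facility": (status >> 16) & 0xFFF,
            "code": status & 0xFFFF}

def triage(arg2_name, arg4, dump):
    """Check whether the object named by Arg2 exists as a Driver in the listing."""
    leaf = arg2_name.rsplit("\\", 1)[-1].lower()
    entry = parse_directory(dump).get(leaf)
    return {"ntstatus": decode_ntstatus(arg4),
            "driver_object_present": bool(entry and entry[0] == "Driver")}

if __name__ == "__main__":
    print(triage(r"\FileSystem\FileCrypt", 0xFFFFFFFFC0000103, OBJECT_DUMP))
```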