[SOLVED] PROCESS1 INITIALIZATION FAILED. FIX: loaded the corrupt system hive and changed the start value of WOF.SYS driver from 4 to 0 (zero).

M

MPeti1

Active member
Joined
Feb 23, 2019
Posts
42
Hi!

Every time I try to boot the system I'll get this BSOD at the end of the 3rd stage of loading the NT kernel (according to this illustration from the Microsoft Docs), so when I see the Windows logo and see the progress ring. At this time observing the HDD LED it seems like if the OS would periodically retry to access a file for a few times before giving up.
I've read the posting instructions, but currently I can only boot into WinRE and WinPE, and these say that I can't run the collector on them, so not sure how to provide the needed information. Until that problem gets solved, I did my research which I'll show for you, but I got into a dead end, and I need the help of professionals to continue.

Here are some important information about my config:
OS: Windows 10 Pro 1903 64 bit (18362.719, more on that later)
No memory dumps found, but maybe I just haven't searched in the right place. windir\minidumps\ is empty for sure.
Not sure what else to include, hardware does not seam to be important. If you need anything else please ask for it. Don't be afraid to use technical terms, I'm not the user who scares about them :)


The stop code is PROCESS1 INITIALIZATION FAILED, for which Microsoft has a basic documentation here.
The first param is 0xFFFFFFFFC0000279
The second param is 0x2 (trimmed the leading zeros)
The third and fourth params are full zeros.

The documentation says that the first param is an NT status code, and that the other 3 are preserved.
Starting from that, if I don't consider the first 8 F's, then it's the code for STATUS_IO_REPARSE_TAG_NOT_HANDLED. hresult.info translates that to ERROR_CANT_ACCESS_FILE
And if I look at the comments at the documentation of said BSOD, it turns out that we may know the meaning of the second parameter. Geoff Chappell wrote a study about the parameters of this BSOD for 32 bit systems. It says that if the second parameter is 2, then the problem is with loading system DLL's.
He concluded that at the writing of the study the second parameter being 2 could only mean a problem with ntdll.dll, but it may not be accurate because it's about 32 bit systems, and it's fairly old

Looking at ntdll.dll it looks to be correct. It has a correct size, it's signature is valid (so if I understand correctly, it can't be corrupted), and it's version number matches the version of the system. It does not seem to be a link, but maybe it was only an extension of my main OS to show if the file is a symbolic/other link, which has difficulties now.

If you need more information on the context I will provide it, but for now I don't want to overcomplicate it if the problem can be solved without that. In short I have a Windows Update problem at the same time (pending update from 18362.719 to 720), but it might be solved if the OS gets to the point to integrate the .720 package(s).

Could you help in solving this problem? I have never seen this BSOD before, and it's a miracle that I found that link of that study, I usually don't even remember MS Docs have a comment section. I don't think I'll find any more information on that by myself, but I don't want to give up this system, it would take a lot of time to set everything up from scratch as it was in this system, more so because there are a lot of settings which I found and set in a time when I didn't do bookmarking properly, or at all
 
Forgot to write a few things. I have a backup of the system from when the problem started occurring, so I can experiment on it without consequences if needed. After loading that backup running sfc /scannow will report that there are corrupted system files, and running it for a second time will report that everything is OK. dism /image:C:\(*) /cleanup-image /scanhealth reports that the component store is OK too.

*the os partition kept it's drive letter for some reason
 
Hi!
Make a copy/backup of the corrupted files in c:\windows\system32\config (Sam, software, default, system, security).
Then get the good files of the good backup and put them in the config folder of the corrupted system.
 
xilolee said:
Hi!
Make a copy/backup of the corrupted files in c:\windows\system32\config (Sam, software, default, system, security).
Then get the good files of the good backup and put them in the config folder of the corrupted system.
Click to expand...

Sorry, but currently I don't know which files are corrupted, and I don't have a better version of any of them. Registry hives seem to be OK, they can be easily mounted-operated-unmounted in WinRE and WinPE.
Actually, you made me realize I forgot to tell you something. Startup repair never succeeds (of course), but it says this in windir\system32\logfiles\srt\srttrail.txt: "A recently serviced boot binary is corrupt." After that line, it does not write any details like a file name or a HRESULT, and for all of the checks ran it writes 0 as HRESULT, which is just "ok, no problem here"

I may have explained the situation badly. If you tell from which part did you thought that I have corrupt reg hives then I could explain it better
 
MPeti1 said:
Forgot to write a few things. I have a backup of the system from when the problem started occurring, so I can experiment on it without consequences if needed. After loading that backup running sfc /scannow will report that there are corrupted system files, and running it for a second time will report that everything is OK. dism /image:C:\(*) /cleanup-image /scanhealth reports that the component store is OK too.
Click to expand...

I assume SFC mentions the first time that it found corrupted files but repaired them since the second run reports everything is fine?
To be clear, using this backup you can use Windows?
 
axe0 said:
I assume SFC mentions the first time that it found corrupted files but repaired them since the second run reports everything is fine?
To be clear, using this backup you can use Windows?
Click to expand...

For the first question, not sure about that now, but I just restored it so I'll try it out
For the second question, with this backup I can't use Windows
 
It seems I misremebered it a bit. right after restoring the backup sfc doesn't do anything, because "there is a system repair pending, which requires a reboot to complete"

sfc will only work if I convince the system that it has no pending actions, which means renaming the windir\WinSxS\pending.xml file and modifying the registry, so that Exclusive and TotalSessionPhases at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionsPending] is set to 0.
I think I should mention too that where I read this, the guy had 1 as TotalSessionPhases, whereas I had it on 0 by default. Exclusive has 4 by default. Also, there are 2 other values that the guy didn't mention, it's CrossRebootHresult and LastForwardExecuteState, which both are 0
 
Well, I wasn't able to provide you dump files, but I was able to use the debugger to collect information about the BSOD.
The attachment has the output of !analyze -v and ln commands
 

Attachments

Today I found out I can make dump files from WinDBG.
I've uploaded the dump file here: memorydump.7z
This is the password to the 7z file: windows1903-process1-initialization-failed-áúadúőasődéasáfkas

I've set the password because at first I thought I need to upload it to a less trustworthy cloud storage because of it's size, but then compressing it reduced it's size very much
 
Load the hive system.
Then launch the following command from an elevated command prompt, zip the file you'll find on your desktop and upload it here.
Code: 
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services /s /t reg_dword /v start > "%userprofile%\desktop\services-start-values.txt"

NB: You have to change "system" with the name you gave to your loaded system hive.
 
xilolee said:
Load the hive system.
Then launch the following command from an elevated command prompt, zip the file you'll find on your desktop and upload it here.
Code: 
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services /s /t reg_dword /v start > "%userprofile%\desktop\services-start-values.txt"

NB: You have to change "system" with the name you gave to your loaded system hive.
Click to expand...

Here is the file
I've installed a regular system in the meantime with the exact same version to a different drive, so it's easier to do what's needed
 

Attachments

Started checking the file against what is outputted from when ran for the temporary system.
I thought that I've uninstalled a lot of these unneeded crap.. after fixing the system I'll need not just to overhaul how I do backups, but also to remove the unnecessary programs.. disabling them is not enough, because when solving problems they will add to the complexity

Actually I think we're on the right track. In the first few days when I thought about "what did I done in the last 1,5 months?" I remembered that I made changes in the start type of some services, but there were so much other possibilities for the problem (pending system update, updated AV, maybe I installed printer drivers too but not sure) that I totally forgot about it.
 
Well I don't remember disabling that one, but it pretty much seems to be essential. Now I'll try to reboot.
 
This worked! Thank you much for helping!
Could I ask how did you find out from the crash dump that a boot critical driver has been disabled?
 
MPeti1 said:
This worked! Thank you much for helping!
Could I ask how did you find out from the crash dump that a boot critical driver has been disabled?
Click to expand...

No, you could not.


































You wrote it in the first (and fourth) post: I only checked the start values of your drivers (using the reg command). 😜
 
Last edited:

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top