Windows 10 0xc00021a boot error, i had tried almost everything... Its possible to repair Win10 without losing system settings?

[ruthan]

Hi,
im struggling for quite a long time with 0xc00021a Windows 10 boot error, its UEFI version of WIndows 10, if it matters and i have only EFI partition and one 1 machines not Recovery partition and not ESR 128 Mb service partition, i never needed it for anything and when i upgraded install it was not create, its probably not mandatory same as Recovery partition, because recovery enviroment is in C:\Recovery hidden folder too.

I have tried a lot of things, sfc - is fine, dism is fine. Error description is for lots of source of this error.. I have tried to enable ntbtlog.txt, but it seems that its happening before log is create, so i dont have any clues to fix it.
It seems to new bug.
  It happened after some update, i might get out of space during updating, because of app generated 30 GB error file.  I had some restore points, but during restoring i got error, maybe because of now enough space and after restore point data disappered and my last full backup is quite old.

  I have tried manaul BCDedit fixing, all boot fixing utilities which i found - Paragon, EasyUS, Aomie, Dual boot repait, VisualBCD, Bootice, Lazesoft. Bootsec, Hasleo Easy UEFI, including deleting and rebuild EFI partition.
  I haved tried all boot modes - enable logging, safe mode, recovery, autorepair - there is error hardisk not found..

   What is more interesting, i even managed to replicate error on Windows 10 togo on USB-NVME driver, on different hardware.. (intel Z370 + AMD 450 - Ryzen 2600 )Its probably again cause by some recent update, or by some BCD change, because some tools are updating try to fix, all connected BCD by mistake... and im unable to fix it even on USB-NVME install on other computer.

  Hardware is ok for sure, because its happening on multiple devices, liveCD are booting fine. Im quite sure that is not because some virus.

  Only thing which im able to ""fix" it is restore whole NVME-USB installation EFI + System partition, restore EFI partition alone is not enough its somehow connected.
  I googled alot, but found only generic tutorials for classic - sfc/dism / bcd fixing.. Disabling some addional disk or disconning devices is not helping too.  I did not found success stories, just people who git complete reinstall or machine reset.

Its possible somehow repair WIndows 10 without losing system settings - installed programs, registry settings and normal files?
I saw some /auto setup.exe settings, but when i tried setup.exe /auto othre commands, i always get unknow option /auto error.

 

Edited August 2 by ruthan

[ruthan]

I was experimenting with NVME-USB install, this time and recovered only main windows partition and used EFI partition adjusted by lots of experimenting and this time it booted fine. Right before partition recovery i tried to boot, so did nothing new with EFI partition to make system bootable.

  I can also say that its crashing before graphical BCD metro menu with multiple enteries its loaded, its loading for while, its not quick crash, like 10 second.. I have multiple BCD enteries because of my experiments.
  

  Im not aware that i did something extra with WIndows install on main parition its stuck to 1803 version, because USB version upgrading problem, some security roll up updates where installed, also constant upgrading update which is failing its running.. and i installed a few "normal" problems to make it more usable, nothing suspicious, i also doubt that i have some virus and same one on my 2 machine. It has to be something ugly.

   Only thing which i read online about this error is that it could be related to winlogon.exe and csrss.exe but when DISM and SFC run fine, they should be fine.
   
   If someone know how Windows 10 UEFI boot sequence is working step by step, it may be helpful. 

   I have bad memory but i maybe tried to set number of processors through msconfig to make boot a bit faster before it broke, i saw it some video.. but because i recreated EFI partition if its some parameter there it should be gone, unless its something saved in registry or other system file.
   But i have tried the same thing with NVME-USB and its still booting, so its probably not it.. im not sure if WIndows boot its by default multithreaded. 
   When i removed bcd experiments to avoid BCD menu, whole boot is now like 15 second vs 10 second crash before, it be in more advanced phase of booting, but even when bootlog is force for every boot entry and i use textstyle bootmenu instead of metro one, its still crashing the same way.

  BTW i met this they there is not binary, but source code and way to compile it, in other MS / Intel projects on github, its Linux way and its good way.. That illusion that user will learn something significant form setuping and building all again and again is nonsense.  Its waste of users time, if you multiply it by all users, its man years wasted and its even waste of power and earth resources.. and if not even to make it to wrong at 99%.. anything between 1%..99% mean not working application and you get angry during this process, its not fun for 90% of users, so its even generator of bad mood, which is not good for anyone mental health.

Edited September 3 by ruthan

[ruthan]

One more clue, this crashing short after i hear some sound card initialization sound.. So its probably in driver inicialization phase, but in otherhard its strange that there is not ntbtlog.txt without is enabled and i would expect that it would be created when drive loading phase started..

[ruthan]

I find out where is the problem with ntbtlog.. Its created later after some basic files are loaded:

Before it only some other log is created its named mesasured log, but i need to find some way to parse it.. I have desibled TPM device in BIos and set Secure boot to Custom, becaues there is only Enabled and Custom option in bios, but its the same only measured log is created and not ntbtlog.txt..

Measured log :
https://www.dropbox.com/scl/fi/rhtyws3f4ijupuovje3q4/0000000124-0000000000.log?rlkey=xghuhxtpsoix41huprm471lvj&st=5uw1s653&dl=1
I have tried but so far im failing, to get more that header.

    MS has article about analysis these logs:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes 

  It needs some big ADK package, or compile the code for PCPTool.exe . I dont really dont understand why its not distributed as executable, maybe it needs some machine specific variables in exe, but i doubt it. I have tried to find some VS online compiler, but i have failed, i found only single C++ compiler.. There was some preview of Visual Studio compiler, but links are dead..
   First solution use Hardware drivers kit for change require Windows server - but i need only 1 executable from it probably not whole driver debugging enviroments.
   So MS debugging tools for debubing these boot problems really sucks, when i add not classic install repair in Windows 10, its really bad design all is hidden, in comparision to Linux when booting process progress is transparent..

There is also bootstat.dat, which is something like flag that something is wrong with booting and it seem its can cause boot repair loop.. 
For some reason i hit situation when even for valid BCD i was getting 0x0000001 error when i tried to star Win10, it seem there is some broken install flag somewhere, its unclear how to remove it.

I found out that is Autoruns from Window PE / other Windows install - load offline log, to edit drivers and services, only problem is seems that it could enable /disable only some items for other it reports error and i have log hive and edit it manually by using registry path form autoruns. 
  Otherw way to edit drivers+service is be Dism+ utility, it has some updates uninstall options too, but its failing for some for some reason. There is also MS Dart which is some WinPE cds.   

   I now decided to try other approach recover old back and try to add files from current broken install.. to merge it. Does someone experience with this way on fixing? 

Edited August 11 by ruthan

[user57]

its not a security measure, its security against the user or "non-microsoft" (if i remember right they had always a grude against a bootkit (even when it was totally legal)) 

so they decide what you do there - that would describe it right

i would not call it security for that reason - its a missleading term that trys to confuse and lead it to a different discussion point

 

its a old talk like about the monopol position microsoft is taken action for (not the first time) there was something like that even in very past times like with netscape - where microsoft where sued for taking monopol positions

after that list they doing that then is very long - its litterally about billions of money where microsoft where sued for this

 

surely this is about child-abuse or terrorism ? i dont think so - its just a company interest - calling out that is the same missleading term - if you would accept it like that you actually ruined yourself and fall for the trick 

[ruthan]

Well it would be nice, if they would provide some simple tools to analyze boot process - without some server / developer only blob and better error  code handling.. ntbtlog.txt is far from good too, especially if they removed classic installation repair from the boot media.. and automatic registry backup is also disabled by default - as far if its not included within restore point itself. I dont even speak about bcd disaster.. which is really not good idea.. as its complicated object tree, unable to handle multi EFI parititon system, multiple files with Ids (1x boot\bcd, often cloned to windows partition too ; 3x (rescue bcd + rescue.xml) once on EFI partition, once in C:\Recovery and once in recovery Partition )., full of ids which are just made up from thin air, instead of using real partition IDs as Grub2, which at least had one text config file and more only if you are using autogenerating templates and its config files in etc/default/grub.. is not 

   Otherwise if understand that diagram downgrade to MBR non UEFI and TPM install actually provide better logging.. I wonder its possible to use MBR booting - winload.exe instead of winload.efi on disk which is actually GPT? If i remember correctly i was using this with Windows 7 for quite a long time, but i tough that UEFI would be upgrade.

   It should be better with newer versions not worse, but they rather aim on start button position and new not backward compatible user interface API.
   
   So only real solution is make system partitions often.. with is not better in these days too, because every second application creating zillion of small cache files, instead of some big cache file. 

[ruthan]

I have gave up on my main machine for now and restored old backup.. and moved experimenting into Vmware virtual machine, here i connected this machine as MBR disk, its not UEFI / TPM machine, its single partition install, but its failing exactly the same way  
  Only difference is that on such simple setup, automatic start up repair worked right away, i mean that Windows bootloader started, without fidling with bcd files.. and still not ntbtlog.. so its something really ugly, i have tried to run lots of live antivirus and antimalware stuff, it ran for ages, because i have like like 6 millions of files on my disk.. i got some malware / adware reports, but i found say false possitives, because other tools not reported them.. I disabled them anyway, no change.
   I also found out that i could enable / disable drivers through dism+ .. but without any clue is really hard to find out the root of this problem.. and it seems to be same for a lot of people which encountered it..

   I wonder there is msconfig mode to enable MS services Only, im not sure if different from safe mode, but i there wonder some way how to set it on.. i found try it.. i can probably disable services / drivers one by one, its problematic..

Edited August 19 by ruthan

[ruthan]

Hmm, it have tried to remove drivers and services, but only end up with inaccessible boot device, its strange because its 1 partition MBR install, i have tried all bcd fixes, but its still there.. Im not even sure, if this error happens before or after 0xc00021a.. and again not ntbootlog, it really seems that starting Windows 10 procedure is rotten by design.. once its broke, there is very hard to debug it.

[Tripredacus]

I'm not necessarily sure about the error code that you had received, but there have been some instances where I have encountered a seemingly unsolveable boot error on Windows 10/11 like this without being able to fix it. My last resort solution is to image the OS partition and redeploy the entire system. It is time consuming but so far that ends up working.

[ruthan]

Well, all this would be ok.. if they would not removed option to refresh system files and keep system setting from boot installer.

 I experimented a bit more, but through drivers disabling if i dont get this error, i get 2 errors which probably happens before this one:
1) Inaccesible boot device - which is normal and fixable in previous Windows but im not able to fix it there, i have tried all Vmware storage options - IDE / SCSI/ SATA / NVME but its not enough. Fixing bcd files is not enough and Paragon P2V adjust or P2P adjust too. Im not sure if this error is related only to boot storage drivers, or its reported if any system driver is has boot problem, again nothing logged and only way is kernel debugger through serial port and second PC, not thing for standard user, its more for hardware drivers creators.
2) Boot freeze, infinite cog animation and safe mode freeze without cog, maybe again its happening before original error, again no ntbootlog..

  I have found that Vmware convertor has nice drivers / service enable and disable option and probably it has some HW registry fix to boot in virtual, unfortunately its failing with my virtual disk image, there again some unhandled situation and Vmware convertor is picky and works only for typical scenarios (im getting typical disk geometry related pseudo errors like Unable to find system volume, or VSS snapshots cannot be stored because is not enough space on source volumes, or they are not NFTS, well of course EFI is FAT32 and there is lots of space.. ). Some as Acronis Trueimage 2021 universal restore, its refuse to recognize by Windows install, even when all other tools like Lazesoft recovery, dart, DISM managers etc, are fine with it. 
  I also tried to run redetection of new HW during boot, as Windows to go are doing for offline installation, through boot dvd and sysprep, but i failed too, its not started, im not sure if could be made for offline installation in theory it could, but did not find right tutorial for it. 
 
  It seems that only way to debug would be that TPM log parser, but even that is not provided as standard package for advanced users. 
  This seems as typical result of excessive security, same as"National" security parallel virus in USA government. They would claim that make boot process logging as something helping hackers, but i as standard users really value usability over security and like to have options to use security / usability trade offs.. Especially when hackers are always 1 step ahead from security guys and is virus / spyware is "properly" done execute 1 wrong file and use network tool with 1 unfixed security hole with its communication protocol, its enough to get it anyway.

Edited September 3 by ruthan

[Tripredacus]

Refresh still exists but it only works in specific circumstances. In my previous testing, refresh only can work if the WinRE components are the same exact build as the installed OS, but the installed OS build changes with updates. So Refresh can work in a system that doesn't update but that is not typical in a modern system. I also prefer that option as well, as it reminds me of the repair install you could do with XP.

I don't understand the TPM requirement either, especially in regards to the retail market. Probably it was just easier to include an Enterprise feature in all editions and be done with it. 

[ruthan]

Hmm, its almost impossible to get all with right version, unless Microsoft would release tool to make such installation / repair image.

TPM, its fine in Windows 10, its not required, problem is just not logging part of starting process and provide some better error numbers and messages.

TPM it be somehow able to recognize spyware, or maybe avoid it to flash bios.
If would be very suspicious i would say that maybe US government asked for it, because we already have zero knowledge about what it is doing same as Managed engine, which is some small Linux running on baremetal which could do anything.. Im unsure if AMD has something as it also, but good on AMD is they have some company line of their cpus with advanced security.

[Tripredacus]

AMD has something that mimmicks a TPM. When I was building out configuration requirements for Windows 11, I initially left AMD out because those boards didn't have a TPM. But they have something else that Win11 recognizes as a TPM. It just has a different name on the spec sheets and probably does the same thing. I actually have no experience with either those or IME and I never had to field any questions about them, even from USG/Mil clients. The only motherboard feature like that I've had to deal with was Secure Boot. So to my knowledge, I never have known anyone who ever used a TPM for anything.

[ruthan]

Well you can use TPM header for connection of ISA devices through ISA slot header to make modern PC able to use old soundcards for DOS, because all modern chipsets does not support needed DMA calls for PCI/ISA soundcards, or not even have such slots except few spencial boards, which still cannnot process these calls, but you can use ISA / PCI slot for other peaceful purposes.
  So its powerful interface. but last time when i checked it, 3 people on whole planet where able to do it, because it needs some additional signals / cables soldered to mainboard.. and 

 Otherwise it my not broken Windows 10 through dart, there is access to Event logs too..  There some errors directly before last reboot, when all stopped working.

Application events:

•   There is something in Windowslogs->Application source is VSS, my guess that is just something complains about not running services during shutdown process, when processes are killed.
•    There is some Sunshine.exe gaming streaming error, i will disable that service, but not expect that is the killer. // I set service startup to 4 - disabled, no change
• What is more interesting  some Microsoft->Windows->Capi2 error, i have to check what it is.. Error is: The description event ID 513 from source Microsoft->Windows->Capi2 cannot be found. Either the component that raises this even is not installed on your local computer or installation is corrupt. Install or repair the component on the local computer.. CAPI is = Cryptographic Application Programming Interface second gen
     - It details is Unable to backu up image of binary pwdrvio . The system cannout find the file specified.
     Question if this could cause 21a boot problem - its related to Minitool partition manager or Paragon partition manager..  // I set service startup to 4 - disabled, no changI will add Event system - errors later.

System events:

• Acronis problem - Minute before shudown messages in Event-Application, there was a lot of these errors, over 5 minutes after shutdown was executed by User32. error, Source Microsoft-Windows-DistributedCom - The server {id..} did not register with DCOM with the required timeout. When i searched registry for ID - i found in Apps, only this key under this object TIManagersProxy class Application.
  https://superuser.com/questions/1106927/what-process-is-running-with-processid1ef75f33-893b-4e8f-9655-c3d602ba4897-vi - this points to Acronis stuff, its know bloatware.. // If i disabled these ones, i got inaccesible boot device error, after enabling them, again 21a error.. So even these virtual devices could cause it.. those are probably some ugly filters, which are sometimes added on some other devices.. and even when you disable all acronis drivers and services, there are still called form somewhere.. I had once problem to remove some Nvidia virtual network device back in WinXP and it managed to some filter too, it was really hard to find out how to remove it and keep machine bootable.
• Secure boot - Error is The Secure boot update failed to update a Secure boot variable with error Secure Boot is not enable on this machine. // Well i would expect that this would be just Warning not Error, because if had secure boot disabled in BIOS, unless somewhere on the way it become mandatory.. I debugging it in Virtual machine without added TPM device, but i was some no physical with enable and disabled TPM.. no tried to enable Secure boot, i had it disabled because MacOS and Linux.
  • Vmware workstation seems to failing there, it need encrypt machine enable TPM, when i go to encrypt dialog there are 2 options encrypt all files and only the files needs for TPM, and are just nvram and some mem files, but when i select it, i getting message that it needs 300 GB for whole virtual disk encryption.. // Hmm, i maybe now the reason im using vhd and vmware probably needs vmdk for encryption..

 

Otherwise i was trying to recute Sysprep from live Win10 PE disk, i managed to execute its gui by copping files and dlls from normal installation, but after some processing it failed and im not even sure if it tried to Sysprep offline install or WinPE one..  Log was on offline install - in C:\Windows\System32\Sysprep\Panther , if need 2 dlls to execute for normal install copy to WinPE system32.. and after it failed on some wet*api.dll, but it run for quite a long.. From classic repain cmd sysprep  through cmd outputs nothing.. 

 Regading of Minitool guide for everything - https://www.minitool.com/data-recovery/fix-fatal-system-error-windows.html  they claim this
 - Too many invalid and bad registry keys are found.  I have no registry backups, autogenerated - they disappered during failed system restoring... and question is how to check if registry are ok, files are there..

 

Edited 9 hours ago by ruthan

[lisefipumom]

On 8/11/2025 at 7:48 PM, ruthan said:

I find out where is the problem with ntbtlog.. Its created later after some basic files are loaded:

Before it only some other log is created its named mesasured log, but i need to find some way to parse it.. I have desibled TPM device in BIos and set Secure boot to Custom, becaues there is only Enabled and Custom option in bios, but its the same only measured log is created and not ntbtlog.txt..

Measured log :
https://www.dropbox.com/scl/fi/rhtyws3f4ijupuovje3q4/0000000124-0000000000.log?rlkey=xghuhxtpsoix41huprm471lvj&st=5uw1s653&dl=drift boss
I have tried but so far im failing, to get more that header.

    MS has article about analysis these logs:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes 

  It needs some big ADK package, or compile the code for PCPTool.exe . I dont really dont understand why its not distributed as executable, maybe it needs some machine specific variables in exe, but i doubt it. I have tried to find some VS online compiler, but i have failed, i found only single C++ compiler.. There was some preview of Visual Studio compiler, but links are dead..
   First solution use Hardware drivers kit for change require Windows server - but i need only 1 executable from it probably not whole driver debugging enviroments.
   So MS debugging tools for debubing these boot problems really sucks, when i add not classic install repair in Windows 10, its really bad design all is hidden, in comparision to Linux when booting process progress is transparent..

There is also bootstat.dat, which is something like flag that something is wrong with booting and it seem its can cause boot repair loop.. 
For some reason i hit situation when even for valid BCD i was getting 0x0000001 error when i tried to star Win10, it seem there is some broken install flag somewhere, its unclear how to remove it.

I found out that is Autoruns from Window PE / other Windows install - load offline log, to edit drivers and services, only problem is seems that it could enable /disable only some items for other it reports error and i have log hive and edit it manually by using registry path form autoruns. 
  Otherw way to edit drivers+service is be Dism+ utility, it has some updates uninstall options too, but its failing for some for some reason. There is also MS Dart which is some WinPE cds.   

   I now decided to try other approach recover old back and try to add files from current broken install.. to merge it. Does someone experience with this way on fixing? 

Hi Ruthan, it sounds like you’ve been dealing with a pretty frustrating issue! It’s really confusing when the logs don’t show the expected results or when you're stuck trying to parse them. From what you’ve described, it seems like you're trying to work around some issues with measured boot logs and the boot repair process.

One thing that might help is focusing on resolving the bootstat.dat issue first, since it seems to be one of the key causes of your boot repair loop. Have you tried clearing the bootstat.dat file manually using the recovery environment or the Command Prompt in WinPE? Sometimes that can break the loop.

Also, regarding the NTBTLog and measured logs, if the tools you're using are failing to give you the details, you might want to try a fresh install of the Windows ADK tools, as they usually have the right utilities like PCPTool.exe and others for analyzing boot logs. I get what you're saying about not wanting the entire driver kit – you might only need the specific parts related to the boot process. Alternatively, it could be worth trying the "Offline" options in Autoruns from WinPE, though as you’ve mentioned, some entries may be locked down.

Lastly, regarding merging files from the broken install with the old backup, I’d suggest carefully checking the system partitions and making sure everything is in sync before trying a merge, as it can get tricky. If you've got a system image or a restore point from before the issue started, it might be worth trying that too.

Hope this helps or at least gives you another direction to go in! Let me know if anything else comes up or if you need more clarification.