Problem

A client notebook is getting a Blue Screen of Death with the code 0000002c. It happens when the Windows XP boots complete and trying to load the Welcome interface.

What I've done so far

• It's not a hardware issue, as I already tested HD (Victoria Scan, Manufacture (Samsung) HD Diagnostic Tool), RAM (Memtest86+ 24hr) and CPU (stresstest) with no error.
• Safe Mode: BSOD 2c
• Windows Repair: BSOD 2c (While installing drivers)
• Used the HD in a complete different Notebook (different chipset), even in virtual environment: BSOD 2c.
• Replaced all logonui.exe and ntkrpamp.exe with the original.

Diagnostic

• If I boot the Notebook with a Windows PE (Hirens Boot CD 15.1) and want to see what programs and drivers are loading at start up (autorun.exe by Sysinternals), im getting the same BSOD 2c in the PE environment.

I can upload the *.dmp file of latest minidump if requested.

Minidump

z:\TOOLS\windbg_6.12.0002.633_x86\debugger_x86>kd -y srv*c:\symbols*http://msdl.
microsoft.com/download/symbols -i c:\windows\i386 -z z:\TMP\User\Mini052512-07.
dmp

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [z:\TMP\User\Mini052512-07.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is: c:\windows\i386
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Fri May 25 18:48:44.218 2012 (UTC + 2:00)
System Uptime: 0 days 0:19:39.765
Loading Kernel Symbols
...............................................................
.................................................
Loading User Symbols
Loading unloaded module list
...................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {43, c68a4000, 0, 0}

Probably caused by : ntkrpamp.exe ( nt!CmpFree+17 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQ
L level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000043, Attempt to free a virtual address which was never in any pool
Arg2: c68a4000, Address being freed.
Arg3: 00000000, 0
Arg4: 00000000, 0

Debugging Details:
------------------


FAULTING_IP:
nt!CmpFree+17
8063beef 5d              pop     ebp

BUGCHECK_STR:  0xc2_43

CUSTOMER_CRASH_COUNT:  7

DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT

PROCESS_NAME:  setup.exe

LAST_CONTROL_TRANSFER:  from 80548c2d to 804f9f33

STACK_TEXT:
ba2979e4 80548c2d 000000c2 00000043 c68a4000 nt!KeBugCheckEx+0x1b
ba297a24 8054b49a c68a4000 e1cc3640 e1c97000 nt!MiFreePoolPages+0x8b
ba297a64 8063beef c68a4000 00000000 ba297ad0 nt!ExFreePoolWithTag+0x1ba
ba297a74 8063eaf6 c68a4000 00001000 00000000 nt!CmpFree+0x17
ba297ad0 8063eedb 9d308b60 00000000 00000000 nt!HvpRecoverData+0x3ec
ba297b1c 80630854 9d308b60 00000000 00000001 nt!HvMapHive+0x133
ba297b34 8063837f 9d308c01 00000005 00000000 nt!HvInitializeHive+0x416
ba297ba0 80625bcf ba297bdc 00000005 00000000 nt!CmpInitializeHive+0x26d
ba297bf8 8062ad61 ba297d04 00000000 ba297c64 nt!CmpInitHiveFromFile+0xa3
ba297c20 80631efa ba297ccc ba297c6c ba297c5c nt!CmpCmdHiveOpen+0x21
ba297cac 8062578a ba297ce4 ba297ccc 00000000 nt!CmLoadKey+0x90
ba297d40 80625994 0641a62c 0641a614 00000000 nt!NtLoadKey2+0x1fc
ba297d54 8054161c 0641a62c 0641a614 0641a658 nt!NtLoadKey+0x12
ba297d54 7c91e4f4 0641a62c 0641a614 0641a658 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0641a658 00000000 00000000 00000000 00000000 0x7c91e4f4


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!CmpFree+17
8063beef 5d              pop     ebp

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!CmpFree+17

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4802516a

FAILURE_BUCKET_ID:  0xc2_43_nt!CmpFree+17

BUCKET_ID:  0xc2_43_nt!CmpFree+17

Followup: MachineOwner
---------

0: kd>

So, what exactly is causing the BSOD?

Call to HvpRecoverData suggests corrupted registry. Fault during recovery process points to damaged hive log file (according to Windows Research Kernel sources). When I had this problem, deleting all C:\Documents and Settings\<USERNAME>\NTUSER.DAT.LOG files helped. No user data or settings were lost in process in my case.