Resolving Azure VM 'Boot Error Code 0xC0000005' on Startup
Azure Virtual Machines encountering 'Boot Error Code 0xC0000005' during startup signal a critical access violation, often indicating issues within the Windows NT kernel or the Boot Configuration Data (BCD) loader. This guide provides immediate mitigation and robust repair strategies to restore your VM's operational status.
🚨 Symptoms & Diagnosis
When your Azure VM fails to boot, you may observe the following error signatures in boot diagnostics or related logs:
- Boot Error Code 0xC0000005 - Access Violation during kernel load
- 0xC0000005 (STATUS_ACCESS_VIOLATION)
- Boot diagnostics screenshots may show general boot failures or specific codes like 0x80070002 or 0x80070490, preceding the 0xC0000005 error.
Root Cause: This error typically stems from corrupted Windows kernel files (like ntoskrnl.exe or xosload.exe), problematic drivers such as oem-drv64.sys, or a damaged Boot Configuration Data (BCD) store or disk partitions leading to an access violation during the boot loader's operation. An incompatible DLL loaded via the AppInit_DLLs registry mechanism can also trigger this violation.
🛠️ Solutions
The following solutions are designed to address the underlying causes of Boot Error Code 0xC0000005. They involve attaching the problematic OS disk to a rescue VM for offline repair.
Immediate Mitigation: Disable AppInit_DLLs via Registry
This quick fix deactivates a DLL loading mechanism that frequently causes access violations if it tries to load incompatible DLLs during the kernel's startup phase.
This approach bypasses a common trigger for 0xC0000005 errors by preventing the loading of third-party DLLs early in the boot process.
1. Stop the affected VM in the Azure Portal.
2. Attach the OS disk of the problematic VM as a data disk to a healthy "rescue VM" (e.g., a Windows Server VM). Ensure the rescue VM is in the same region as the OS disk.
3. Establish an RDP session to the rescue VM with administrator privileges.
4. Open RegEdit (Registry Editor) as an Administrator.
5. Load the affected VM's registry hive:
* Select HKEY_LOCAL_MACHINE.
* Go to File > Load Hive....
* Navigate to the mounted OS disk (e.g., D:\Windows\System32\config) and select the SOFTWARE file.
* Provide a temporary name for the loaded hive (e.g., ProblemVM_SOFTWARE).
6. Navigate to the key within the loaded hive:
ProblemVM_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
7. Modify LoadAppInit_DLLs:
* Locate the LoadAppInit_DLLs DWORD value.
* Double-click it and set its Value data to 0.
8. Unload the registry hive:
* Select the ProblemVM_SOFTWARE key you loaded.
* Go to File > Unload Hive... and confirm.
9. Detach the OS disk from the rescue VM in the Azure Portal.
10. Reattach the OS disk to its original, problematic VM.
11. Start the original VM and monitor boot diagnostics.
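Steps 4 to 8 can also be scripted from an elevated PowerShell session on the rescue VM. The following is an added example, not part of the original guide; it assumes the affected OS disk is mounted as D: and reuses the temporary hive name ProblemVM_SOFTWARE. It also backs up the hive and prints the configured AppInit_DLLs list so those DLLs can be reviewed before the mechanism is re-enabled.

```powershell
# Added example. Assumptions: elevated session on the rescue VM, affected
# OS disk mounted as D:, temporary hive name as used in step 5.
$OsDrive  = 'D:'
$HiveName = 'ProblemVM_SOFTWARE'
$HiveFile = "$OsDrive\Windows\System32\config\SOFTWARE"
$KeyPath  = "HKLM:\$HiveName\Microsoft\Windows NT\CurrentVersion\Windows"

if (-not (Test-Path -LiteralPath $HiveFile)) {
    throw "SOFTWARE hive not found at $HiveFile; check the drive letter."
}

# Keep a copy of the offline hive so the change can be rolled back.
Copy-Item -LiteralPath $HiveFile -Destination "$HiveFile.bak" -Force

& reg.exe load "HKLM\$HiveName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

try {
    # Record the current configuration. AppInit_DLLs lists the DLLs that
    # were being loaded; anything unexpected there deserves a closer look.
    $before = Get-ItemProperty -LiteralPath $KeyPath
    [pscustomobject]@{
        LoadAppInit_DLLs          = $before.LoadAppInit_DLLs
        AppInit_DLLs              = $before.AppInit_DLLs
        RequireSignedAppInit_DLLs = $before.RequireSignedAppInit_DLLs
    } | Format-List

    # Step 7: set LoadAppInit_DLLs to 0.
    Set-ItemProperty -LiteralPath $KeyPath -Name 'LoadAppInit_DLLs' -Value 0 -Type DWord

    # Read the value back before unloading the hive.
    $after = (Get-ItemProperty -LiteralPath $KeyPath).LoadAppInit_DLLs
    if ($after -ne 0) { throw "LoadAppInit_DLLs is still $after" }
    Write-Host 'LoadAppInit_DLLs set to 0 in the offline hive.'
}
finally {
    # Drop references held by the registry provider, then unload (step 8).
    # A hive left loaded keeps the SOFTWARE file locked when the disk is detached.
    Remove-Variable before, after -ErrorAction SilentlyContinue
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close RegEdit and run: reg unload HKLM\$HiveName"
    }
}
```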
Best Practice Fix: Rebuild Boot Files & SFC via PowerShell
This comprehensive solution addresses corrupted boot files, kernel components, and system integrity issues for a stable Azure VM boot.
This method systematically repairs critical boot-related files, ensuring the integrity of the Windows installation and its ability to start correctly.
- Stop the affected VM in the Azure Portal.
- Detach the OS disk of the problematic VM in the Azure Portal and attach it as a data disk to a healthy rescue VM.
- Establish an RDP session to the rescue VM with administrator privileges.
- Open PowerShell as Administrator.
- Identify and mount the attached disk: The attached disk will usually appear offline. Use Disk Management (diskmgmt.msc) or PowerShell commands to bring it online and assign a drive letter (e.g., D:).
Get-Disk | Where-Object IsOffline -eq $true | Set-Disk -IsOffline $false # Bring offline disks online
# Assign a drive letter (e.g., D:) if not automatically assigned after bringing online
# You may need to use Disk Management or cmd: diskpart -> list disk -> select disk <num> -> list partition -> select partition <num> -> assign letter=D
- Execute repair commands: Carefully run the following commands, ensuring you replace D: with the actual drive letter of the attached OS disk.
Potential Data Loss / System Instability Warning
The following commands involve deleting system files and modifying boot records. Incorrect execution or targeting the wrong disk can lead to data loss or further system corruption on your rescue VM or the target OS disk. Double-check your drive letters before proceeding.
# Remove potentially corrupted kernel files and drivers
Remove-Item 'D:\Windows\System32\ntoskrnl.exe' -Force -ErrorAction SilentlyContinue
Remove-Item 'D:\Windows\System32\xosload.exe' -Force -ErrorAction SilentlyContinue
Remove-Item 'D:\Windows\System32\drivers\oem-drv64.sys' -Force -ErrorAction SilentlyContinue
# Backup and rebuild Boot Configuration Data (BCD)
# Corrected path for attached disk (assuming D: is the OS disk)
attrib 'D:\Boot\BCD' -h -r -s
Rename-Item 'D:\Boot\BCD' 'BCD.old' -Force -ErrorAction SilentlyContinue
# Recreate the BCD store. This command is typically run from WinRE,
# but can sometimes function in this context by scanning for Windows installations.
# For robust BCD recreation on an attached disk, consider 'bcdboot D:\Windows /s D: /f ALL'
& bootrec /rebuildbcd
# Check and repair disk errors
chkdsk D: /f /r
# Scan and repair corrupted Windows system files
sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows
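Because the commands above delete files and rewrite boot data on whatever drive letter they are given, a pre-flight check is worth running first. The function below is an added example, not part of the original guide; Test-OfflineRepairTarget is a hypothetical helper name, and it assumes the Storage module cmdlets (Get-Partition, Get-Disk) that ship with Windows Server.

```powershell
# Added example: confirm a drive letter really is the attached OS disk
# before running destructive repair commands against it.
# Note: on many Azure Windows VMs D: is the temporary disk, so the attached
# OS disk often receives a later letter such as E: or F:.
function Test-OfflineRepairTarget {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z]$')]
        [string]$DriveLetter
    )

    $problems = @()

    # Never operate on the drive the rescue VM itself is running from.
    if ("${DriveLetter}:" -ieq $env:SystemDrive) {
        $problems += "${DriveLetter}: is the rescue VM's own system drive."
    }

    $partition = Get-Partition -DriveLetter $DriveLetter -ErrorAction SilentlyContinue
    if (-not $partition) {
        $problems += "No partition is mounted as ${DriveLetter}:."
    }
    else {
        $disk = $partition | Get-Disk
        if ($disk.IsBoot -or $disk.IsSystem) {
            $problems += "Disk $($disk.Number) is the disk the rescue VM booted from."
        }
        if ($disk.IsReadOnly) {
            $problems += "Disk $($disk.Number) is read-only; repairs will fail."
        }
    }

    # An attached OS disk must contain an offline Windows installation.
    if (-not (Test-Path -LiteralPath "${DriveLetter}:\Windows\System32\config\SYSTEM")) {
        $problems += "${DriveLetter}: does not contain a Windows installation."
    }

    [pscustomobject]@{
        DriveLetter = $DriveLetter.ToUpper()
        Ok          = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Stop here if the target looks wrong (D is the letter used in this guide).
$check = Test-OfflineRepairTarget -DriveLetter 'D'
if (-not $check.Ok) { $check.Problems | Write-Warning; throw 'Wrong repair target.' }
```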
🧩 Technical Context (Visualized)
The 0xC0000005 error typically occurs during the critical transition phase when the Windows NT kernel (ntoskrnl.exe) and associated boot loader components (xosload.exe) are being loaded and initialized, or when the Boot Configuration Data (BCD) is being processed. An access violation at this stage often indicates a corrupted file, an incompatible driver attempting to load, or an issue with the boot loader's ability to access required system resources.
graph TD
A[Azure VM Startup] --> B(BIOS/UEFI Initialization)
B --> C{Load Boot Loader}
C -- "Failed (0x80070002/0x80070490)" --> X[Check Azure Boot Diagnostics]
C -- Success --> D{"Load Boot Configuration Data (BCD)"}
D -- Corrupted BCD Store --> X
D -- Success --> E(Load Windows NT Kernel: ntoskrnl.exe)
E -- "Failed (Corrupted ntoskrnl.exe/xosload.exe)" --> F[0xC0000005 - Access Violation]
E -- AppInit_DLLs Enabled --> G{Load Incompatible DLLs?}
G -- Yes --> F
G -- No --> H[Windows OS Booted Successfully]
F --> I[VM Boot Failure Screen]
I --> J["Remediation: Disable AppInit_DLLs (Registry Fix)"]
I --> K["Remediation: Rebuild Boot Files & SFC (PowerShell Fix)"]
J --> H
K --> H
✅ Verification
After implementing the solutions, perform the following steps to verify successful resolution:
- Boot the VM and confirm that it reaches the Ctrl+Alt+Del sign-in screen, visible via Azure Boot Diagnostics screenshots.
- RDP into the VM and open Event Viewer (eventvwr.msc). Navigate to Windows Logs > System and Windows Logs > Application. Confirm the absence of new 0xC0000005 errors, Event ID 1001 relating to ntoskrnl.exe, or other critical boot-related errors.
- Run administrative commands to confirm system health:
* Open an elevated PowerShell or Command Prompt.
* bcdedit /enum: Verify the BCD store is valid and lists your Windows installation correctly.
* sfc /verifyonly: Perform a system file check to confirm system file integrity (this will only verify, not repair).
📦 Prerequisites
To effectively apply these solutions, ensure you have:
- Azure Portal access with a Contributor role or higher for managing VMs and disks.
- A Rescue VM (Windows Server 2022+ recommended) within the same Azure region as the affected VM's OS disk.
- PowerShell 7+ installed on the rescue VM (though Windows Server's built-in PowerShell is usually sufficient).
- Administrative RDP access to the rescue VM.
- Azure Boot Diagnostics enabled for the problematic VM to monitor its boot process and view error screenshots.