Windows login bug - use S&D backups?

functio

New member
Hi all

I posted this question here recently but the forum seems to have lost it!

Anyway, I've been hit by the same bug others have experienced recently where they can no longer log into Windows machines. Luckily my PC has two hard drives, and so I've swapped the former slave drive and master drive around. The former master drive is the one affected by the bug.

As I can still access my S&D files on the problem drive, I was wondering whether I could activate regLocal and regUsers on that drive to fix the problem?

I'm using Win2K Pro and am not savvy enough with PCs to use the fixes suggested by this site, nor can I burn anything onto a CD to help me.
 
Hi!

The server was down and most of the data from Sunday is lost, so I have to write this again. You cannot use regLocal and regUsers in an offline registry, at least not without knowledge of the registry.

If I remember correctly, your system drive is now c: and the drive with the damaged registry is e: (formerly c:), right? Both systems are Windows 2000 Pro, aren't they?

Have you read my post with the repair instructions from before the server was down?
 
functio:

I suggest that you attempt to edit the damaged registry using the following technique. Please note: I am running on a Windows XP system and have not actually tested the following procedure to repair the problem caused by the HellzLittleSpy detection.

Note: The following procedure was written for Windows 2000.

The registry is comprised of multiple hives, stored in files in the %systemroot%\System32\config folder. On a Windows 2000 system that is x:\Winnt\system32\config. Using regedt32 it is possible to edit the damaged registry entry because you are on a working system and have access to the damaged registry. Note: I am using drive letter "x" for the drive containing the damaged registry.

The damage occurred to this registry entry:

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\Winnt\system32\userinit.exe,"
The HKEY_LOCAL_MACHINE\SYSTEM registry hive is stored in this file:
  • x:\Winnt\system32\config\system
For safety's sake, I suggest that you back up that file.

To edit that entry:
  • Go into Start » Run » in Open entry area type "regedt32" (no quotes) » click OK.
  • When Registry Editor opens click on HKEY_LOCAL_MACHINE.
  • In the File menu select Load hive…
  • Navigate to the file containing the hive with the damaged registry entry (x:\Winnt\system32\config\system) and open it. This loads the damaged hive into the local registry as a subkey of the selected key. You will be asked for a key name; name it "Fixit", for example.
  • Make the changes to the damaged key:
    • Navigate to the following registry key:
      Code:
      HKEY_LOCAL_MACHINE\Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon
      The entry for "Userinit" most likely looks like this:
      Code:
      Userinit REG_SZ
      Where:
      • Name: Userinit
      • Type: REG_SZ
      • Data: is blank
    • Right click on the "Userinit" entry and select Modify.
    • In value data type (note: the drive letter should be the original drive letter not the one currently in use if you changed it):
      • C:\Winnt\system32\userinit.exe,
      When you are done the entry for "Userinit" should look like this:
      Code:
      Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
      Where:
      • Name: Userinit
      • Type: REG_SZ
      • Data: C:\WINDOWS\system32\userinit.exe,
    • With the following key highlighted HKEY_LOCAL_MACHINE\Fixit, go to the file menu and select Unload hive…
  • Use the disk with the fixed registry entry and attempt to boot your system.
 
@md usa spybot fan
Hi! We appreciate your help. A general solution is not suitable because there are too many risks of making an error. Apart from that, regedt32 works a little differently from regedit, so the user could be confused by general solutions.

@functio
Please confirm the questions so that I can guide you.
 
How do I find the key 'HKEY_LOCAL_MACHINE\Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon'? If I follow your instructions, I can't see anything within 'Fixit' which shows an entry for 'Microsoft'. The list below 'Fixit' in regedt32 just has:

ControlSet001
ControlSet002
ControlSet003
Creative Tech
Mounted Devices
Select
Setup
Software

If I search for the key, nothing comes up.
 
Hi!

The server was down and most of the data from Sunday is lost, so I have to write this again. You cannot use regLocal and regUsers in an offline registry, at least not without knowledge of the registry.

If I remember correctly, your system drive is now c: and the drive with the damaged registry is e: (formerly c:), right? Both systems are Windows 2000 Pro, aren't they?

Have you read my post with the repair instructions from before the server was down?

No, I didn't see your instructions before the server went down.

Yes, both drives are Win2K Pro. And you're right about the drive names changing. E:/ is currently the problem drive and was formerly the master drive.
 
chi-va's original reply reproduced from a Google Cached copy of the thread:

Proceed as follows (only Windows 2000):

1. Type "regedt32" in the run prompt

2. Click on the "HKEY_LOCAL_MACHINE" window and Highlight/Select the line

Code:
HKEY_LOCAL_MACHINE
with the mouse

3. Go to menu "File - load hive..."

4. Select your damaged registry file which should be in "E:\winnt\system32\config\software"
(registry location of the damaged drive and select the file "software")

5. It will ask for a name it should load in your registry. Just choose "Test". It really doesn't matter what name you choose as long as it is not already in use. We choose "Test" so that we can easily find it later. Your damaged registry should be loaded now.

6. Navigate to the new hive which should be

Code:
HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon
7. Search for the entry "userinit:..." and double-click on it with the mouse.

8. Enter this line (if your default system letter is C:)

Code:
c:\winnt\system32\userinit.exe,
and confirm it with OK. It should be the exact line, the "," included.
9. Now highlight/select the "Test" hive and unload it, menu "File - unload hive..."

After that you can change the master and slave again and try to boot the system. Try it step by step. If you have any questions please don't hesitate to ask.
 
WARNING: These instructions are only for Windows 2000 Pro and only for functio's case.

Thanks! I have changed it a little bit.

1. Type "regedt32" in the run prompt

2. Click on the "HKEY_LOCAL_MACHINE" window and Highlight/Select the line
Code:
HKEY_LOCAL_MACHINE

3. Go to menu "File - load hive..."

4. Select your damaged registry file which should be in your case
Code:
E:\winnt\system32\config\software

5. It will ask for a name it should load in your registry. Just choose "Test". It really doesn't matter what name you choose as long as it is not already in use. We choose "Test" so that we can easily find it later. Your damaged registry should be loaded now.

6. Navigate to the new hive which should be
Code:
HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon
Each click on the "+" should open a subfolder. Open all the subfolders from "Test" to "Winlogon".

7. Search for the entry "userinit:..." and double-click on it with the mouse. If you don't find the "userinit" entry,
then the reason is probably that it is not visible. Go to the menu of regedt32 and change the view to "Data and Structure".

8. Enter this line (if your default system letter is C:)
Code:
c:\winnt\system32\userinit.exe,
and confirm it with OK.

9. Now highlight/select the "Test" hive and unload it, menu "File - unload hive..."

Change the master and slave drive again and then you should be able to boot the normal system.

PS.: If you have tried md usa spybot fan's solution it is very important that you find where you loaded the "Fixit" and unload it before going on.
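The regedt32 steps above (both md usa spybot fan's "Fixit" version and chi-va's "Test" version) can be scripted so that the three things the thread keeps coming back to are enforced: the Winlogon key only exists in the SOFTWARE hive (not SYSTEM, which is why "Fixit" showed only ControlSet001 and friends), the value must use the drive letter the damaged install boots as (C:, not the letter it currently shows up as), and the temporary hive must always be unloaded afterwards. The following is an added example, not code from the thread or from Spybot: it assumes an elevated PowerShell on a working Windows install (Windows XP or later, like the last poster's setup) with reg.exe available, and the hive path, load name and drive letter are placeholders taken from chi-va's instructions.

```powershell
# Added example: repair a blanked Winlogon\Userinit value in an OFFLINE SOFTWARE hive.
# Mirrors the regedt32 "load hive / edit / unload hive" steps from the thread using reg.exe.
# Assumptions (not from the page): elevated PowerShell on a working Windows install,
# reg.exe present; $HivePath, $LoadName and $OriginalDrive are placeholders.
param(
    [string]$HivePath      = 'E:\winnt\system32\config\software',  # damaged install's SOFTWARE hive file
    [string]$LoadName      = 'Test',                                # temporary subkey name under HKLM
    [string]$OriginalDrive = 'C'                                    # letter the damaged install boots as
)

# The value the thread restores: path to userinit.exe on the ORIGINAL drive, trailing comma included.
$expected = "$OriginalDrive`:\winnt\system32\userinit.exe,"
$keyPath  = "HKLM:\$LoadName\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Step 5 of the thread: the load name must not already be in use.
if (Test-Path "HKLM:\$LoadName") {
    throw "HKLM\$LoadName already exists; pick another name or unload the stale hive first."
}

# Back up the hive file before touching it.
Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak" -ErrorAction Stop

# Load the offline hive under HKLM\<LoadName> (regedt32: File -> Load Hive...).
& reg.exe load "HKLM\$LoadName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # If the key is missing, the SYSTEM hive was probably loaded instead of SOFTWARE
    # (the symptom functio saw: only ControlSet001/002/003, Select, Setup... under "Fixit").
    if (-not (Test-Path $keyPath)) {
        throw "Winlogon key not found under HKLM\$LoadName; did you load the SOFTWARE hive rather than SYSTEM?"
    }

    $current = (Get-ItemProperty -Path $keyPath -Name Userinit -ErrorAction SilentlyContinue).Userinit
    Write-Host "Current Userinit data: '$current'"

    if ([string]::IsNullOrWhiteSpace($current)) {
        # The damage described in the thread: Data is blank. Restore the expected value.
        Set-ItemProperty -Path $keyPath -Name Userinit -Value $expected -Type String
        Write-Host "Userinit set to '$expected'"
    }
    elseif ($current -ne $expected) {
        # Not blank and not what we expect: leave it for a human to look at rather than overwrite.
        Write-Warning "Userinit is not blank but differs from '$expected'; not changing it."
    }
    else {
        Write-Host "Userinit already correct; nothing to do."
    }
}
finally {
    # Always unload, even on error: a hive left loaded stays inside the working system's registry
    # (the point chi-va makes about unloading both "Fixit" and "Test").
    [GC]::Collect()   # let PowerShell's registry provider release any handles it still holds
    & reg.exe unload "HKLM\$LoadName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; unload HKLM\$LoadName manually with regedt32 before rebooting."
    }
}
```

Run it from the working installation while the damaged drive is attached as a data drive, then swap the drives back (or just reboot from the repaired drive) as the thread describes. The script deliberately refuses to overwrite a Userinit value that is non-blank but unexpected, since that is a different problem from the blanked value this thread is about.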
 
Hi - thanks!

One question: Should I change the 'c' in 'c:\winnt\system32\userinit.exe,' to 'e', so that it works with the E:/ drive? After all, the E:/ drive is the problem one. If I then swap it back to being the master C:/ drive to test if this all works, will Windows take that into account?

If I unload the 'Fixit' version, will it cause any problems?
 
BTW, I didn't actually complete the changes with the 'Fixit' version as various things didn't show up. Does this still mean it's okay to unload it?
 
Should I change the 'c' in 'c:\winnt\system32\userinit.exe,' to 'e', so that it works with the E:/ drive?

C: is correct, because this is the location of the file "userinit.exe" when you change the drives again.

If I unload the 'Fixit' version, will it cause any problems?
You have to unload the 'Fixit' AND the 'Test' hive. Otherwise it will stay in your second system registry which could probably cause some problems.

Remember unload:

Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon
Test\Microsoft\Windows NT\CurrentVersion\Winlogon

and NOT
HKEY_LOCAL_MACHINE\...

Do you understand what I mean?

PS.: Were you able to follow all the steps?
 
How do I unload just the Winlogon parts? I didn't make a Winlogon change to the 'Fixit' version at all, as the various things didn't show up.
 
I think I can see what you've done. All I think I need to know now is how to unload fixit and test. Do I just click on both (where their name is at the top of each tree) and go to 'Registry---> Unload Hive'?
 
I don't have winzip installed on the drive I'm using at the moment. Is the question I asked in my previous post correct? And do I have to unload Fixit if I made no changes to it?
 
second:

Yes, just select/highlight the hives which you want to unload and choose 'Registry - Unload Hive'. After that, it should look like the screenshot 'Openandselect_HKLM' again. In other words, it should look like the beginning, because we don't want to change the registry of your second system, do we?
 
Do I need to unload Fixit if I didn't make any changes with it? I can't see what's in the zip files as I don't have Winzip on this drive.
 
Unsuccessful after following your recommendation

Functio and chi-va,

I am experiencing the same EXACT problem on my Windows XP Pro Dell after running Spybot on 7/3/2008. All of my Windows accounts will not log in. They begin, then immediately log off.
I followed your directions to the "T" and was unsuccessful. I booted from a 3rd-party utility CD which allowed me to browse my hard drive. I ran regedt32 and followed your recommendations by loading a hive called "TEST". I continued with your steps until complete, rebooted from my HD and attempted to log in. It started by displaying my desktop, then immediately logged off. Am I missing a step, or are there additional steps to follow that I may have missed? PLEASE HELP
 