PDA

View Full Version : Windows login bug - use S&D backups?



functio
2008-07-07, 17:09
Hi all

I posted this question here recently but the forum seems to have lost it!

Anyway, I've been hit by the same bug others have experienced recently where they can no longer log into Windows machines. Luckily my PC has two hard drives, and so I've swapped the former slave drive and master drive around. The former master drive is the one affected by the bug.

As I can still access my S&D files on the problem drive, I was wondering whether I could activate regLocal and regUsers on that drive to fix the problem?

I'm using Win2K pro and am not very savvy with PCs to use the fixes suggested by this site, nor can I burn anything onto a CD to help me.

chi-va
2008-07-07, 17:51
Hi!

The server was down and most of the data from sunday is lost. So I have to write this again. You cannot use regLocal and regUsers in an offline registry. At least not without the knowledge of the registry.

If I remember it correctly your system drive is now c: and the drive with the damage registry is e:(formerly c: ), right? Both systems are Windows 2000 Pro, aren't they?

Do you have read my post with the repair instruction before the server was down?

md usa spybot fan
2008-07-07, 17:55
functio:

I suggest that you attempt to edit the damaged registry using the following technique. Please note: I am running on a Windows XP system and have not actually tested the following procedure to repair the problem caused by the HellzLittleSpy detection.

Note: The following procedure was written for Windows 2000.

The registry is comprised multiple hives, stored in files in the \%systemroot%\ System32\config folder. In a Windows 2000 system that is x:\Winnt\system32\config. Using regedt32 it is possible to edit the damaged registry entry because you are on a working system and have access to the damaged registry. Note: I am using drive letter "x" for the drive containing the damaged registry.

The damage occurred to this registry entry:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\Winnt\system32\userinit.exe,"
The HKEY_LOCAL_MACHINE\SYSTEM registry hive is stored in this file:
x:\Winnt\system32\config\system
For safety sake, I suggest that you backup that file.

To edit that entry:
Go into Start » Run » in Open entry area type "regedt32" (no quotes) » click OK.
When Registry Editor opens click on HKEY_LOCAL_MACHINE.
In the File menu select Load hive…
Navigate to the file containing the hive with the damaged registry entry (x:\Winnt\system32\config\system) and open it.This loads the damaged hive into the local registry as a subkey of the selected key. You will be asked for a keyname, name it "Fixit" for example.
Make the changes to the damaged key:
Navigate to the following registry key:

HKEY_LOCAL_MACHINE\Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon
The entry for "Userinit" most likely looks like this:

Userinit REG_SZ
Where:
Name: Userinit
Type: REG_SZ
Data: is blank
Right click on the "Userinit" entry and select Modify.
In value data type (note: the drive letter should be the original drive letter not the one currently in use if you changed it):
C:\Winnt\system32\userinit.exe,
When you are done the entry for "Userinit" should look like this:

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
Where:
Name: Userinit
Type: REG_SZ
Data: C:\WINDOWS\system32\userinit.exe,
With the following key highlighted HKEY_LOCAL_MACHINE\Fixit, go to the file menu and select Unload hive…
Use the disk with the fixed registry entry and attempt to boot your system.

chi-va
2008-07-07, 18:10
@md usa spybot fan
Hi! We appreciate your help.:bigthumb: A general solution is not suitable because there are too many risk to make an error. Apart from that, regedt32 works a little bit different in comparison to regedit and so the user could be confused by general solutions.

@functio
Please confirm the questions so that I can guide you.

functio
2008-07-07, 18:14
How do I find the key 'HKEY_LOCAL_MACHINE\Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon'? If I follow your instructions, I can't see anything within 'Fixit' which shows an entry for 'Microsoft'. The list below 'Fixit' in regedt32 just has:

ControlSet001
ControlSet002
ControlSet003
Creative Tech
Mounted Devices
Select
Setup
Software

If I search for the key, nothing comes up.

functio
2008-07-07, 18:16
Hi!

The server was down and most of the data from sunday is lost. So I have to write this again. You cannot use regLocal and regUsers in an offline registry. At least not without the knowledge of the registry.

If I remember it correctly your system drive is now c: and the drive with the damage registry is e:(formerly c: ), right? Both systems are Windows 2000 Pro, aren't they?

Do you have read my post with the repair instruction before the server was down?

No, I didn't see your instructions before the server went down.

Yes, both drives are Win2K Pro. And you're right about the drive names changing. E:/ is currently the problem drive and was formerly the master drive.

md usa spybot fan
2008-07-07, 18:21
chi-va's original reply reproduced from a Google Cached copy (http://64.233.169.104/search?q=cache:TaAF-wov5VIJ:forums.spybot.info/showthread.php%3Fp%3D209952+chi-va+2000+regedt32&hl=en&ct=clnk&cd=2&gl=us) of the thread:

Proceed as following(only Windows 2000):

1. Type "regedt32" in the run prompt

2. Click on the "HKEY_LOCAL_MACHINE" window and Highlight/Select the line


HKEY_LOCAL_MACHINE
with the mouse

3. Go to menu "File - load hive..."

4. Select your damaged registry file which should be in "E:\winnt\system32\config\software"
(registry location of the damaged drive and select the file "software")

5. It will ask for a name it should load in your registry. Just choose "Test". It really doesn't matter what name you choose as long as it is not already in use. We choose "Test" so that we can easily find it later. Your damaged registry should be loaded now.

6. Navigate to the new hive which should be


HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon
7. Search for the entry "userinit:..." and make a doubleclick with the mouse on it.

8. Enter this line(if your default system letter is C: )


c:\winnt\system32\userinit.exe,
and confirm it with OK. It should be the exact line, the "," included.


9. Now highlight/select the "Test" hive and unload it, menu "File - unload hive..."

After that you can change the master and slave again and try to boot the system. Try it step by step. If you have any questions please don't hesitate to ask.

chi-va
2008-07-07, 18:27
WARNING: This Instruction is only for Windows 2000 Pro and only for functio's case.

Thanks! I have change it a little bit.

1. Type "regedt32" in the run prompt

2. Click on the "HKEY_LOCAL_MACHINE" window and Highlight/Select the line



HKEY_LOCAL_MACHINE

3. Go to menu "File - load hive..."

4. Select your damaged registry file which should be in your case
E:\winnt\system32\config\software

5. It will ask for a name it should load in your registry. Just choose "Test". It really doesn't matter what name you choose as long as it is not already in use. We choose "Test" so that we can easily find it later. Your damaged registry should be loaded now.

6. Navigate to the new hive which should be



HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon
Each click on the "+" should open a subfolder. Open all the subfolder from "Test" to "Winlogon".

7. Search for the entry "userinit:..." and make a doubleclick with the mouse on it. If you don't find the "userinit" entry
then the reason is probably because it is not visible. Go to the menu of regedt32 and change the view to "Data and Structure".

8. Enter this line(if your default system letter is C: )


c:\winnt\system32\userinit.exe,
and confirm it with OK.

9. Now highlight/select the "Test" hive and unload it, menu "File - unload hive..."

Change the master and slave drive again and then you should be able to boot the normal system.

PS.: If you have tried md usa spybot fan's solution it is very important that you find where you loaded the "Fixit" and unload it before going on.

functio
2008-07-07, 18:33
Hi - thanks!

One question: Should I change the 'c' in 'c:\winnt\system32\userinit.exe,' to 'e', so that it works with the E:/ drive? After all, the E:/ drive is the problem one. If I then swap it back to being the master C:/ drive to test if this all works, will Windows take that into account?

If I unload the 'Fixit' version, will it cause any problems?

functio
2008-07-07, 18:38
BTW, I didn't actually complete the changes with the 'Fixit' version as various things didn't show up. Does this still mean it's okay to unload it?

chi-va
2008-07-07, 18:40
Should I change the 'c' in 'c:\winnt\system32\userinit.exe,' to 'e', so that it works with the E:/ drive?

C: is correct. Because this is the location of the file "userinit.exe" then you change the drives again.


If I unload the 'Fixit' version, will it cause any problems?
You have to unload the 'Fixit' AND the 'Test' hive. Otherwise it will stay in your second system registry which could probably cause some problems.

Remember unload:

Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon
Test\Microsoft\Windows NT\CurrentVersion\Winlogon

and NOT
HKEY_LOCAL_MACHINE\...

Do you understand what I mean?

PS.:Was you able to follow all the steps?

functio
2008-07-07, 18:45
How do I unload just the Winlogon parts? I didn't make a Winlogon change to the 'Fixit' version at all, as the various things didn't show up.

chi-va
2008-07-07, 18:49
Wait a few minutes. I will start my Windows 2000 system so that I can make some screenshots for you.

chi-va
2008-07-07, 19:15
There they are:

P.S.:Too small.

functio
2008-07-07, 19:22
I think I can see what you've done. All I think I need to know now is how to unload fixit and test. Do I just click on both (where their name is at the top of each tree) and go to 'Registry---> Unload Hive'?

chi-va
2008-07-07, 19:24
Next try. I'm not allowed to upload too much. I hope this is better.

functio
2008-07-07, 19:26
I don't have winzip installed on the drive I'm using at the moment. Is the question I asked in my previous post correct? And do I have to unload Fixit if I made no changes to it?

chi-va
2008-07-07, 19:29
second:

Yes, just select/highlight the hives which you want to unload and choose 'Registry-Unload hive'. After that, it should look like the screenshot 'Openandselect_HKLM' again. With other words, it should like the beginning because we don't want to change the registry of your second system, don't we.

functio
2008-07-07, 19:30
Do I need to unload Fixit if I didn't make any changes with it? I can't see what's in the zip files as I don't have Winzip on this drive.

lobuej
2008-07-07, 19:33
Functio and chi-va,

I am experiencing the same EXACT problem on my Windows XP Pro Dell after running Spybot on 7/3/2008. All of my Windows account will not login. They begin, then immediately logoff.
I followed your directions to the "T' and was unsuccessfull. I booted from a 3rd party utility CD which allowed me to browse my hard drive. I ran the regedt32 and followed your recommmendations by loading hive called "TEST". Continued with your steps until complete, rebooted from my HD and attempted to login. It started by displaying my desktop then immediately logged off. Am I missing a step or are there additional steps to follow that I may have missed. PLEASE HELP

chi-va
2008-07-07, 19:35
Fixit must be unloaded as well even if you don't have changed anything there. The reason is simple, loading a hive means adding the hive to the current registry. If you don't unload the hives which we have added they will just be still there. This is not what we wanted because this is your second system registry and it is not necessary to change anything there.

The reason why we have to load the hive in the first case is because we wanted to edit it. I know, it is really a little bit confusing.:spider:

chi-va
2008-07-07, 19:39
@lobuej

You know, I have inserted a warning at the beginning. I will only works on systems similar to functio's one. Please open a new threat and describe your system and what tools and hardware you have available. I will take a look there later.

chi-va
2008-07-07, 19:43
@functio

I trying my best. Does it make sense now?

functio
2008-07-07, 19:43
Okay, I unloaded both and am now going to swap the drives and see if this all works! Even if it doesn't, thanks chi-va! I will return!

chi-va
2008-07-07, 19:45
Good luck and see you later!:wink:

chi-va
2008-07-07, 19:57
@all, especially lobuej

Please never enter your private email address in a public post if you don't want to get unwanted spam.:grandpa:

I will request the admin(Tashi) to delete your email address. If you want that someone send you an email please exchange it via PM.

chi-va
2008-07-07, 20:19
@lobuej

I hope you will read this because I'm not really here. Quite busy right now. Sorry, but I won't send you an email.

Warning only for Windows XP systems with BootCD with Windows PE support

Please take a look here:
http://windowsxp.mvps.org/peboot.htm


7. In order to fix the Userinit value in the loaded hive, navigate to the following location:

HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon

Please be careful. If you want to repair all the profiles it should be this key:

HKEY_LOCAL_MACHINE\MyXPHive\microsoft\windows nt\currentversion\winlogon

It is better to post your problem in the forum in order to get assistance.

lobuej
2008-07-07, 20:34
Chi-va and functio,

My apologies for posting my email address. IF that can be removed from this forum, I would certainly appreciate it. Thank you but I was desperate for some answers and/or replies.

Your recommendation worked for me with a slight change for Windows XP Pro users.

I revised the path in your step #8
The directory structure is not winnt. It is windows

C:\windows\system32\userinit.exe,:)

lobuej
2008-07-07, 22:00
Chi-va. Can you remove the post containing my email?

Thank you:eek:

chi-va
2008-07-07, 22:04
No, I can't. I'm not an administrator nor a moderator on this forum. Sorry! But I have already send a PM to an admin.

functio
2008-07-07, 23:56
Hooray! My old drive is now accessible via Windows login, so everything is back to normal :D

Thanks very much indeed for your help chi-va! :present:

functio
2009-01-21, 17:10
I have to bump this thread again as the bug has reappeared on a friend's PC. I now have an XP machine and tried to fix his problem by slaving his Win2K hard drive to my machine. Unfortunately it didn't work. Should I instead try to fix his drive using a PC with Win2k? I still have my old Win2k PC and could slave his drive to it.

md usa spybot fan
2009-01-21, 20:36
functio:

I would like to suggest that you consider starting a new thread with your current problem since this thread is over six months old since it is hard to follow exactly what is meant by "... the bug has reappeared on a friend's PC ..." without trying to re-analyze the thirty one (31) posts that proceed your current post.

Please note: If your post is not directly related to Spybot, the new thread should probably be started in the Tavern (http://forums.spybot.info/forumdisplay.php?f=19) forum.