XP Home, Logon Logoff loop, how to export log file?



michaelh
2008-09-03, 12:05
During last successful logon session:
I changed two spybot/teatimer accept/deny pop-ups and now suspect that this action may have caused this problem. Anti Malware updates and scans are frequently carried out using AVG 8, ZoneAlarm, Windows Defender and Spybot S&D 1.60.

Current Symptoms include:
Unable to log in to Admin or the other two Limited user accounts (the Admin account is password protected). After an attempted login the welcome screen status runs as follows:
Loading your personal settings; Logging off; Saving your settings; back to welcome screen.

Action already tried:
In Safe Mode I am also unable to log in to Admin or the other two Limited user accounts.
I have also followed your thread 33280 ‘Logon – Logoff loop, also caused by BlazeFind’ using the Recovery Console to copy userinit.exe to wsaupdater.exe successfully even though the file wsaupdater.exe did not list in the system32 directory beforehand.

I have been able to run a Mandriva Live CD on the PC without Windows booted and could try to make a backup of data, but ideally I would like to avoid the ‘format c: drive’ route and export the last log file created by your application first. How can I do this for you to see?

chi-va
2008-09-03, 13:59
Hello,

Please boot with your Mandriva Live CD and navigate to this folder in your Windows partition:

"..\Windows\system32\config\"


Rename the file "software" to "software.bak" first (so that we won't overwrite the old registry) and then copy the file "software" from the folder:


"..\Windows\repair\" into the folder "..\Windows\system32\config\"
(default registry files)


If you like you can already find the log files from Spybot in this folder:
"..\Documents and Settings\All Users\Application Data\Spybot - Search&Destroy\Logs\"

Search for the last created "fixed" log file and also search for the Teatimer log file "Resident.log".
These files could probably clarify the cause of the problem.


(Please note that the Application Data folder is hidden in Windows. So if you cannot find this folder please check your folder properties.)

After that you should be able to restart your system in Windows Safe Mode. Now you have the option to use the Windows restore point in order to recover your registry easily, or, if you know what has caused this, you can also manually edit the old registry.
Restart the system in normal mode if everything is done.

michaelh
2008-09-03, 22:16
Hi Chi-va,

I have been able to create software.bak and copy as suggested (a 35Mb file was replaced with one only 8Mb). Before unloading the Mandriva Live cd I was able to copy and attach the two files as requested.
When I rebooted into Windows (Safe Mode) I was able to log on successfully, but no restore points were available to go back to.
When I rebooted (normal) and logged in I was presented with an unfamiliar desktop minus access to my Documents and Settings and associated personal data, likewise for the other two users.
I have just checked the properties of the Documents and Settings folder (as I am currently using the live cd) and realise that it is significantly smaller in size (less than 1Gb) compared to over 15Gb before!
How can I recover access to this original folder?

regards, Michael

michaelh
2008-09-03, 22:43
Addition to previous reply:
I have rechecked the Documents and Settings folder and the content is still there.

chi-va
2008-09-04, 02:13
The Teatimer log file (resident.log) doesn't tell us very much. This is the reason why we need the latest fix log of Spybot as well.

The problem is that your report is "generated: 2008-07-17 18:39 ---" and we are looking for information for 01/09/2008, because the Teatimer has indicated these changes on this date:

01/09/2008 21:00:51 Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,") added in Winlogon!
01/09/2008 21:11:08 Denied (based on user decision) value "Shell" (new data: "Explorer.exe") added in Winlogon!
01/09/2008 21:11:17 Denied (based on user decision) value "System" (new data: "") added in Winlogon!

As already written, these don't tell us if these changes are good or bad without any further information. What we can tell is that a wrong registry entry in any of these locations could cause problems. Although you should have allowed this change:

01/09/2008 21:00:51 Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,") added in Winlogon!

It is a legitimate entry if it is the original Windows userinit.exe file. Now a wrong entry is probably causing the logon logoff.

By the way, the change for Explorer.exe is probably necessary as well. E.g. for opening and viewing files with a graphical user interface. It is located in the registry here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Shell

Start Windows in safe mode. The reason for the other desktop background is that this is the default system which doesn't contain your normal user profile.

1. Type "regedit" in the run prompt

2. Navigate to "HKEY_LOCAL_MACHINE" in the regedit window and highlight/select the line

HKEY_LOCAL_MACHINE

3. Go to menu "File - load hive..."

4. Select your damaged registry file which should be in your case

C:\Windows\system32\config\software.bak

5. It will ask for a name it should load in your registry. Just choose "Test". It really doesn't matter what name you choose as long as it is not already in use. We choose "Test" so that we can easily find it later. Your damaged registry should be loaded now.

6. Navigate to the new hive which should be

HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon

Each click on the "+" should open a subfolder. Open all the subfolders from "Test" to "Winlogon".

7. Search for the entry "userinit:..." and double-click it with the mouse.

8. Enter this line if the path for userinit.exe is wrong or missing

c:\Windows\system32\userinit.exe,

and confirm it with OK.

9. Navigate to the path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Shell

and confirm that there is an "explorer.exe" entry. There are various possible locations for the "explorer.exe" entry, and in Shell there should normally be one as well. If not, add it.
(Menu "New value" and choose "REG_SZ")

10. An entry for:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Systems

is not necessary. So it should be empty.

11. Now highlight/select the "Test" hive and unload it, menu "File - unload hive..."

Shutdown the system and boot with Mandriva again and delete the file "software" in the path:
..\Windows\system32\config\

After that rename "software.bak" back to "software" and start your Windows in normal mode. Just a little precaution: make sure that you allow the above two (three) changes with the Teatimer this time.
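A small triage script for Resident.log entries like the ones quoted above, added here as an example (it is not Spybot's code and was not posted in the thread). It parses the TeaTimer line format and flags user decisions that denied the Userinit or Shell values chi-va lists as legitimate; the sample log lines, including the wsaupdater.exe and missing-comma cases, are constructed.

```python
import re

# Constructed sample of TeaTimer Resident.log lines modelled on the thread's quoted entries.
SAMPLE_RESIDENT_LOG = r"""
01/09/2008 21:00:51 Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,") added in Winlogon!
01/09/2008 21:11:08 Denied (based on user decision) value "Shell" (new data: "Explorer.exe") added in Winlogon!
01/09/2008 21:11:17 Denied (based on user decision) value "System" (new data: "") added in Winlogon!
01/09/2008 21:30:02 Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\wsaupdater.exe,") added in Winlogon!
01/09/2008 21:40:15 Allowed (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe") added in Winlogon!
"""

# Values chi-va says a working Winlogon key needs (compared case-insensitively).
EXPECTED_WINLOGON = {
    "userinit": r"c:\windows\system32\userinit.exe,",  # trailing comma required
    "shell": "explorer.exe",
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<decision>Allowed|Denied) \(based on user decision\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>[^"]*)"\) \w+ in (?P<key>\w+)!$'
)

def parse_resident_log(text):
    """Parse Resident.log lines into dicts; lines of another shape are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def triage_winlogon(entries):
    """Judge each Winlogon decision: denying a legitimate Userinit or Shell
    value is exactly what leaves Windows unable to start a user session."""
    findings = []
    for e in entries:
        if e["key"].lower() != "winlogon":
            continue
        name, data, denied = e["name"].lower(), e["data"], e["decision"] == "Denied"
        if name == "system":  # the thread notes System is not needed and should stay empty
            verdict = "ok (System left empty)" if data == "" else "non-empty System value - inspect"
        elif name not in EXPECTED_WINLOGON:
            verdict = "unknown Winlogon value - review manually"
        elif denied:
            legit = data.lower() == EXPECTED_WINLOGON[name]
            verdict = ("LEGITIMATE VALUE DENIED - likely cause of logon/logoff loop"
                       if legit else "ok (non-standard value denied)")
        elif name == "userinit" and not data.endswith(","):
            verdict = "Userinit path lacks trailing comma - fix"
        elif data.lower() == EXPECTED_WINLOGON[name]:
            verdict = "ok (expected value allowed)"
        else:
            verdict = "NON-STANDARD VALUE ALLOWED - inspect"
        findings.append({"ts": e["ts"], "name": e["name"], "data": data, "verdict": verdict})
    return findings
```

Run it over a real Resident.log to see which denied decisions touched the Winlogon values before deciding what to put back with the load-hive procedure above.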

rscomp
2008-09-04, 02:30
I may have missed the point on this thread, but I suspect that there is a better solution. If you copy the original Software file back, you'll have your data back, but you'll not be able to login (because of the immediate logoff). There's a handy fix for one cause of this that can be found at:
http://windowsxp.mvps.org/peboot.htm

Basically, you use Bart's PE to edit the registry key that was blanked out by whatever caused the problem.

I hope this helps!

michaelh
2008-09-04, 20:50
chi-va
I followed your instructions and found as follows:
1-7 carried out
8. The userinit line was not found here, but it was found here:
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
9. Found okay
10. Empty, found in folder System not Systems.

I did not make any alterations. Do you want to amend the instructions you gave me in any way?

chi-va
2008-09-04, 21:31
So you have found the Winlogon path here but the userinit.exe line was missing:

HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon

In this case, you have to add the line yourself. Please choose in the regedit menu "Edit->New" and choose this:

String Value (Reg_SZ)

Give it the name:

Userinit

Hit "Enter"

Double-click the new Userinit entry and enter the path with the location of the file.

c:\Windows\system32\userinit.exe,

Don't forget the comma.

michaelh
2008-09-05, 00:57
chi-va

Thank you for your excellent advice and support, it is very much appreciated; we are up and running again. I will be making a donation.

best regards, Michael