
Thread: Windows login bug - use S&D backups?

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    14

    Default Windows login bug - use S&D backups?

    Hi all

    I posted this question here recently but the forum seems to have lost it!

    Anyway, I've been hit by the same bug others have experienced recently where they can no longer log into Windows machines. Luckily my PC has two hard drives, and so I've swapped the former slave drive and master drive around. The former master drive is the one affected by the bug.

    As I can still access my S&D files on the problem drive, I was wondering whether I could activate regLocal and regUsers on that drive to fix the problem?

    I'm using Win2K Pro and am not savvy enough with PCs to use the fixes suggested by this site, nor can I burn anything onto a CD to help me.
    Last edited by functio; 2008-07-07 at 17:11.

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Posts
    202

    Default

    Hi!

    The server was down and most of the data from Sunday is lost. So I have to write this again. You cannot use regLocal and regUsers in an offline registry. At least not without the knowledge of the registry.

    If I remember it correctly your system drive is now c: and the drive with the damaged registry is e: (formerly c:), right? Both systems are Windows 2000 Pro, aren't they?

    Have you read my post with the repair instructions before the server was down?

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    functio:

    I suggest that you attempt to edit the damaged registry using the following technique. Please note: I am running on a Windows XP system and have not actually tested the following procedure to repair the problem caused by the HellzLittleSpy detection.

    Note: The following procedure was written for Windows 2000.

    The registry is comprised of multiple hives, stored in files in the %systemroot%\System32\config folder. In a Windows 2000 system that is x:\Winnt\system32\config. Using regedt32 it is possible to edit the damaged registry entry because you are on a working system and have access to the damaged registry. Note: I am using drive letter "x" for the drive containing the damaged registry.

    The damage occurred to this registry entry:

    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Userinit"="C:\Winnt\system32\userinit.exe,"
    The HKEY_LOCAL_MACHINE\SYSTEM registry hive is stored in this file:
    • x:\Winnt\system32\config\system

    For safety's sake, I suggest that you back up that file.

    To edit that entry:
    • Go into Start » Run » in Open entry area type "regedt32" (no quotes) » click OK.
    • When Registry Editor opens click on HKEY_LOCAL_MACHINE.
    • In the File menu select Load hive…
    • Navigate to the file containing the hive with the damaged registry entry (x:\Winnt\system32\config\system) and open it. This loads the damaged hive into the local registry as a subkey of the selected key. You will be asked for a keyname, name it "Fixit" for example.
    • Make the changes to the damaged key:
      • Navigate to the following registry key:
        Code:
        HKEY_LOCAL_MACHINE\Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon
        The entry for "Userinit" most likely looks like this:
        Code:
        Userinit REG_SZ
        Where:
        • Name: Userinit
        • Type: REG_SZ
        • Data: is blank
      • Right click on the "Userinit" entry and select Modify.
      • In value data type (note: the drive letter should be the original drive letter not the one currently in use if you changed it):
        • C:\Winnt\system32\userinit.exe,

        When you are done the entry for "Userinit" should look like this:
        Code:
        Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
        Where:
        • Name: Userinit
        • Type: REG_SZ
        • Data: C:\WINDOWS\system32\userinit.exe,
      • With the following key highlighted HKEY_LOCAL_MACHINE\Fixit, go to the file menu and select Unload hive…
    • Use the disk with the fixed registry entry and attempt to boot your system.
    Last edited by md usa spybot fan; 2008-07-07 at 18:01.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Senior Member
    Join Date
    Oct 2005
    Posts
    202

    Default

    @md usa spybot fan
    Hi! We appreciate your help. A general solution is not suitable because there are too many risks of making an error. Apart from that, regedt32 works a little bit differently in comparison to regedit and so the user could be confused by general solutions.

    @functio
    Please confirm the questions so that I can guide you.

  5. #5
    Junior Member
    Join Date
    Jul 2008
    Posts
    14

    Default

    How do I find the key 'HKEY_LOCAL_MACHINE\Fixit\Microsoft\Windows NT\CurrentVersion\Winlogon'? If I follow your instructions, I can't see anything within 'Fixit' which shows an entry for 'Microsoft'. The list below 'Fixit' in regedt32 just has:

    ControlSet001
    ControlSet002
    ControlSet003
    Creative Tech
    Mounted Devices
    Select
    Setup
    Software

    If I search for the key, nothing comes up.

  6. #6
    Junior Member
    Join Date
    Jul 2008
    Posts
    14

    Default

    Quote Originally Posted by chi-va View Post
    Hi!

    The server was down and most of the data from Sunday is lost. So I have to write this again. You cannot use regLocal and regUsers in an offline registry. At least not without the knowledge of the registry.

    If I remember it correctly your system drive is now c: and the drive with the damaged registry is e: (formerly c:), right? Both systems are Windows 2000 Pro, aren't they?

    Have you read my post with the repair instructions before the server was down?

    No, I didn't see your instructions before the server went down.

    Yes, both drives are Win2K Pro. And you're right about the drive names changing. E:/ is currently the problem drive and was formerly the master drive.

  7. #7
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    chi-va's original reply reproduced from a Google Cached copy of the thread:

    Proceed as follows (Windows 2000 only):

    1. Type "regedt32" in the run prompt

    2. Click on the "HKEY_LOCAL_MACHINE" window and Highlight/Select the line

    Code:
    HKEY_LOCAL_MACHINE
    with the mouse

    3. Go to menu "File - load hive..."

    4. Select your damaged registry file which should be in "E:\winnt\system32\config\software"
    (registry location of the damaged drive and select the file "software")

    5. It will ask for a name it should load in your registry. Just choose "Test". It really doesn't matter what name you choose as long as it is not already in use. We choose "Test" so that we can easily find it later. Your damaged registry should be loaded now.

    6. Navigate to the new hive which should be

    Code:
    HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon
    7. Search for the entry "userinit:..." and make a double-click with the mouse on it.

    8. Enter this line (if your default system letter is C:)

    Code:
    c:\winnt\system32\userinit.exe,
    and confirm it with OK. It should be the exact line, the "," included.


    9. Now highlight/select the "Test" hive and unload it, menu "File - unload hive..."

    After that you can change the master and slave again and try to boot the system. Try it step by step. If you have any questions please don't hesitate to ask.


  8. #8
    Senior Member
    Join Date
    Oct 2005
    Posts
    202

    Default

    WARNING: This instruction is only for Windows 2000 Pro and only for functio's case.

    Thanks! I have changed it a little bit.

    1. Type "regedt32" in the run prompt

    2. Click on the "HKEY_LOCAL_MACHINE" window and Highlight/Select the line
    Code:
    HKEY_LOCAL_MACHINE
    3. Go to menu "File - load hive..."

    4. Select your damaged registry file which should be in your case
    Code:
    E:\winnt\system32\config\software
    5. It will ask for a name it should load in your registry. Just choose "Test". It really doesn't matter what name you choose as long as it is not already in use. We choose "Test" so that we can easily find it later. Your damaged registry should be loaded now.

    6. Navigate to the new hive which should be
    Code:
    HKEY_LOCAL_MACHINE\test\microsoft\windows nt\currentversion\winlogon
    Each click on the "+" should open a subfolder. Open all the subfolders from "Test" to "Winlogon".

    7. Search for the entry "userinit:..." and make a double-click with the mouse on it. If you don't find the "userinit" entry then the reason is probably because it is not visible. Go to the menu of regedt32 and change the view to "Data and Structure".

    8. Enter this line (if your default system letter is C:)
    Code:
    c:\winnt\system32\userinit.exe,
    and confirm it with OK.

    9. Now highlight/select the "Test" hive and unload it, menu "File - unload hive..."

    Change the master and slave drive again and then you should be able to boot the normal system.

    PS.: If you have tried md usa spybot fan's solution it is very important that you find where you loaded the "Fixit" and unload it before going on.
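
Added example (not part of any post in this thread): a Python check for the "Userinit" data read from the loaded hive, covering the cases the posts above raise: blank data, the drive letter to use, and the trailing comma. The function name, finding codes and sample values are made up for illustration.

```python
import ntpath

def check_userinit(data, system_root=r"C:\Winnt"):
    """Check Winlogon "Userinit" data read from an offline hive.

    system_root is the root the damaged installation uses when it boots
    itself (its original drive letter), not the letter it is mounted under.
    Returns a list of (code, detail) findings; an empty list means the
    data is the exact line given in the thread.
    """
    if data is None or not data.strip():
        return [("BLANK", "no program listed")]
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    findings = []
    if not data.rstrip().endswith(","):
        findings.append(("NO_TRAILING_COMMA", data))
    # The data is a comma-separated program list; drop the empty trailing item.
    programs = [p.strip().strip('"') for p in data.split(",") if p.strip()]
    seen_expected = False
    for prog in programs:
        norm = ntpath.normcase(ntpath.normpath(prog))
        if norm == expected:
            seen_expected = True
        elif ntpath.splitdrive(norm)[1] == ntpath.splitdrive(expected)[1]:
            findings.append(("WRONG_DRIVE", prog))   # same path, other letter
        else:
            findings.append(("OTHER_ENTRY", prog))   # a different program path
    if not seen_expected:
        findings.append(("USERINIT_MISSING", expected))
    return findings

# Constructed sample values, not taken from a real hive.
SAMPLES = {
    "exact line":        r"C:\Winnt\system32\userinit.exe,",
    "blank":             "",
    "mounted letter":    r"E:\winnt\system32\userinit.exe,",
    "other root folder": r"C:\WINDOWS\system32\userinit.exe,",
    "no comma":          r"c:\winnt\system32\userinit.exe",
}

def codes(data, system_root=r"C:\Winnt"):
    """Return only the finding codes, in the order they were raised."""
    return [code for code, _ in check_userinit(data, system_root)]

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:18} {codes(value) or 'OK'}")
```

The comparison is case-insensitive, so "c:\winnt" and "C:\Winnt" are treated as the same path.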

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Posts
    14

    Default

    Hi - thanks!

    One question: Should I change the 'c' in 'c:\winnt\system32\userinit.exe,' to 'e', so that it works with the E:/ drive? After all, the E:/ drive is the problem one. If I then swap it back to being the master C:/ drive to test if this all works, will Windows take that into account?

    If I unload the 'Fixit' version, will it cause any problems?

  10. #10
    Junior Member
    Join Date
    Jul 2008
    Posts
    14

    Default

    BTW, I didn't actually complete the changes with the 'Fixit' version as various things didn't show up. Does this still mean it's okay to unload it?
