Userinit Issue

This is about a serious issue that disables users from logging on to their computers.
The cause for this issue may be one of the following:
  • Spybot S&D 1.3 with current detection rules without HellzSpy infection.
  • Spybot S&D 1.4 with current detection rules and HellzLittleSpy infection
These are errors caused by dated versions of Spybot S&D in combination with detection rules designed for the current Spybot S&D 1.5.2.
Symptom:
Logoff will occur directly after login.

Now the important part: How to regain login to the computer without the need for a reinstall. Please note that there are more methods to do this, the following have been chosen by me because they do have some advantages over other approaches.

1. Method: Remote Registry
The fastest and easiest way is to remotely connect the Windows Registry and edit it.
Requirements:
  • 2nd Computer in Network
  • remote registry service must run (default)

First you will need to start regedit on the 2nd computer.

Then select "File" - "Connect Network Registry..."
You will see the next screen where you can enter the network name or the IP address of the computer affected by the userinit issue.
In this example the IP is 192.168.13.172, yours is usually a different one. You may be prompted for user name and password, enter a user with administrative rights.


The next step is to navigate to the required location within the registry.
Code:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The required default value and data:
Code:
for Windows XP
Userinit=c:\windows\system32\userinit.exe,

for Windows 2000
Userinit=c:\winnt\system32\userinit.exe,

Now edit the Value "Userinit"


As soon as the correct data has been entered the user can log on to the computer which had the userinit issue.

2. Method: Offline registry tools and password resetter
Requirements:
This tool requires a 2nd computer to download and create a bootcd, there are no further requirements.

The download can be found here
Download size is about 3 MB, which is quite small and makes this method recommendable.

Once the CD is created the userinit affected computer needs to be started with this CD.

After the boot procedure has been completed, the system asks for the boot partition.
Usually the choice would be "1".
In my example it is "2".

Screenshot 1

After that the path to the registry is asked. By default the correct path is already given, so this can be accepted by pressing the enter key.

Screenshot 2

Next choose "2" : RecoveryConsole parameters [software]

Screenshot 3
On the next prompt choose "9" Registry editor

Screenshot 4
The system now enters a bash console like navigation for the Software key of the Registry.
Following commands may be helpful:
Code:
note that Names are case sensitive
ls - will list the current key contents
cd <$keyname> - will open the key given in <$keyname>
cd .. - will go up one layer of the key structure
ed <$valuename> - will open prompt to edit the value specified in <$valuename>

So entering:
Code:
cd Microsoft\Windows NT\CurrentVersion\Winlogon
Will lead you to the required location.
Screenshot 5
The command ls will list the contents.
Type
Code:
ed Userinit
Screenshot 6

Now enter the required Data for the Userinit Value:
Code:
for Windows XP
c:\windows\system32\userinit.exe,

for Windows 2000
c:\winnt\system32\userinit.exe,

Screenshot 7

With the following command the Data of the Userinit Value can be confirmed:
Code:
cat Userinit

Screenshot 8

If the data is correct you can now enter q to quit the registry editor mode.
Enter q again to exit the Software Hive.
You will now be prompted to save, enter y to save.

Screenshot 9

After that a prompt for a new run appears, enter n for no.
Screenshot 10
Reboot normally and log on to Windows.


Method 4:

This Method can be used in conjunction with Method 2 to restore login. The main issue with Method 2 is that it does not work if the NTFS file system is flagged as "dirty". Method 4 will remove this:
This option is valid for both Windows 2000 and Windows XP, only paths differ on both systems.

Requirements:
  • NTFS capable boot disk like NTFS4Dos
  • Offline Recovery tool from Method 2
  • both tools can be found on the Ultimate Boot CD: Filesystem tools - NTFS Tools

Overview of steps:
  1. Start NTFS4Dos
  2. Copy and Backup of Software registry key (note: it is possible to end here)
  3. reboot and shut down properly
  4. restore latest Software registry key
  5. reboot directly to bootcd and apply method 2

Detailed description:

1. Start NTFS4Dos
If you start NTFS4Dos from the Ultimate BootCD (~115 MB download will require CD) you will find it in Filesystem Tools - NTFS Tools
Once started you will be required to enter "yes" to confirm that you use it for personal use only.

NTFS4Dos is owned by Avira and can also be downloaded from Avira's website (~1.2 MB download, will require floppy disk).

2. Copy and Backup of Software registry key
What you need to do here is to backup the current software registry key and copy the backup software registry key.
Enter the lines in code according to your OS.

Windows 2000:
Code:
cd c:
or
c:


cd c:\Winnt\system32\config
rename software software.bak
copy c:\Winnt\repair\software software

Windows XP:
Code:
cd c:
or
c:


cd c:\Windows\system32\config
rename software software.bak
copy c:\Windows\repair\software software

3. reboot and shut down properly
At this point it is possible to get a proper login for Windows again. But since the Software key has been replaced by an old version most software is not properly registered anymore. If the latter does not matter to you, you may stop here otherwise follow the next steps.
You will need to properly shut down Windows, to make sure that the dirty flag is not set again. A safe way to ensure this, is to boot into safe mode twice and shut down using Windows functions namely "restart".

4. restore latest Software registry key
Now boot with NTFS4Dos again.
This time we will restore the file we renamed to software.bak earlier:

Windows 2000:
Code:
cd c:
or
c:

cd c:\Winnt\system32\config
rename software software.oldbackup
rename software.bak software

Windows XP:
Code:
cd c:
or
c:


cd c:\Windows\system32\config
rename software software.oldbackup
rename software.bak software

Remember that you now have a corrupted Registry again, so do not try to boot Windows now or the NTFS may get "dirty" again.


5. reboot directly to bootcd and apply method 2
Now follow the steps described in Method 2.
Changes should be writeable now.

edit3: corrected paths as reported by shame2
edit4: added Method 4 , removed Method 3 to save space
edit5: corrected wrong path for Windows XP
edit6: added further instructions for method 4
 
Sorry Yodama...this NTFS4dos has a lot of problems of its own. If you download from the Avira site and boot to this floppy you will see what I mean. At least in accessing a Win 2000 Pro machine, the coordination with the files is not what you expect. It can take quite a few tries just to change the directory....and it doesn't accept the commands the first time. I do not know the reason for this.

(Also, the disk does not boot up to the question about commercial vs. private use......you have to answer about 20 boot questions in dos before you even get to this point)

That said, we all appreciate you trying to help.
 
I have used method 2 numerous times with success, I don't know what walkere's problem is, but maybe a basic computer course would be a good place to start.
Thank you
 
I need help

Hi, I read all this and I tried to reboot my computer, but it is still not working.
Here is the situation: I have 2 disks in my PC, and I reinstalled another Windows in the 2nd one, so I can start from there, but when I do the regedit, his only looks on D, not on the C drive. So how can I have access to the userinit file, and correct it from the second drive? I tried to log in on safe mode, and I can't do any changes, so how can I go to DOS mode, or another way? Thank you
 
Yodama,

Thank you for your help.

I was able to boot the NTFS4dos disc and follow your procedure. However when I did all the steps (restoring latest registry key then using method 2 and the boot cd) I still had the logon logoff problem.

When I stopped after copying and backing up the registry key I could log on, but encountered an error and though logged on could not do much more than move around. I tried to backup my files and burn a CD but the computer could not find the CD burner.

After lots of tries and learning a lot I pulled the harddrive and slaved it to another computer and saved my files. Now I am trying to repair my computer with the reinstall disc.

Thanks to all for your advice.
 
It seems that after all....you get to wipe out your registry....and get an injured registry that has programs trying to install, program errors, cannot find files errors......and drives that cannot be found. It takes hours to fix all the problems, making a clean install the only way to go. I wonder if Spybot realizes this?
 
I wasn't able to use the 2nd Method at all, since the utility stopped at some point and I didn't even get to the boot partition selection (1st screenshot).
So I had either to get earlier version of BootCD (and I guess - to conclude this doesn't work too) or to try some nice suicide.

Luckily I was able to go without using "offline registry editor" stuff. So the steps I made: (as far I got, works only for Windows XP Pro)

1. Did the first two steps of Method 4
2. Logged in the Windows XP
3. Exported the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" to a file "a.reg", located it in the windows folder
4. Created a BAT file, named it "a.bat", located it in the Windows folder
5. Edited the "a.bat" as follows, without quotes:
"regedit /s a.reg"
6. Start -> Run, typed "gpedit.msc", OK
7. Opens Group Policy window, there chose "Computer Configuration", "Windows Settings", "Scripts (Startup/Shutdown)", double click on "Startup" on the right pane
8. Click "Add", then choose "Browse", where the "a.bat" file must be chosen
9. Click OK everywhere, shut down Windows
10. Now the step 4 must be done (from Method 4)
11. Now try to start Windows normally. At the first time, nothing appears to be changed: there is shown wallpaper, after some time - again one must login into the system.
12. But now clicking on the username, you are not logged off anymore.

This worked for me, hopefully it will work for someone else with similar problems to mine. After all this I exported all the registry to a single file, from which I could probably restore it already after the 2nd step in Method 4 - if I had earlier exported the registry! Now it's just a backup for the future.
Now I'm going to update the SpyBot. One can choose to uninstall it from the system, and it would be an understandable choice. After all, this time Spybot was far worse than any malware I have ever encountered. Seriously.
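Added example, not part of the thread or of any poster's instructions: before a Winlogon export such as the "a.reg" described above is re-imported with "regedit /s", its Userinit data can be compared with the two defaults given in the first post. The function names and the sample exports are constructed for this illustration.

```python
import re

# Default Userinit data quoted in the first post, compared case-insensitively.
EXPECTED = {
    "Windows XP": r"c:\windows\system32\userinit.exe,",
    "Windows 2000": r"c:\winnt\system32\userinit.exe,",
}
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ENTRY = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def decode_export(raw):
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252")

def read_string_values(text, key):
    """Return the string values stored directly under `key` (names lowercased)."""
    values, in_key = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = ENTRY.fullmatch(line)
        if in_key and m:
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            values[name.lower()] = data
    return values

def check_userinit(raw):
    """Classify the Userinit data in an exported Winlogon key."""
    data = read_string_values(decode_export(raw), WINLOGON).get("userinit")
    if data is None:
        return "missing"
    for os_name, expected in EXPECTED.items():
        if data.lower() == expected:
            return "default for " + os_name
    return "unexpected: " + data  # e.g. Windows on another drive: review by hand

def _export(header, line):
    """Build a constructed sample export (not taken from the thread)."""
    return "\r\n".join([header, "", "[" + WINLOGON + "]", '"Shell"="Explorer.exe"', line, ""])

V5 = "Windows Registry Editor Version 5.00"
SAMPLE_XP = b"\xff\xfe" + _export(V5, r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"').encode("utf-16-le")
SAMPLE_2000 = _export("REGEDIT4", r'"Userinit"="C:\\WINNT\\system32\\userinit.exe,"').encode("cp1252")
SAMPLE_OTHER = _export("REGEDIT4", r'"Userinit"="E:\\WINNT\\system32\\userinit.exe,"').encode("cp1252")
SAMPLE_MISSING = _export("REGEDIT4", '"AutoRestartShell"=dword:00000001').encode("cp1252")

if __name__ == "__main__":
    for name in ("SAMPLE_XP", "SAMPLE_2000", "SAMPLE_OTHER", "SAMPLE_MISSING"):
        print(name, "->", check_userinit(globals()[name]))
```

An "unexpected" result is not necessarily wrong: a system installed on another drive or in another folder has a different but valid path, so that case calls for a manual look rather than an automatic overwrite.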
 
Your method is very nice for someone with good computer skills and Windows XP. For the average person this "virus" destroys any possibility of getting the system back without a complete new install. Again, thanks Spybot for all you have done and the close and careful monitoring of this blog (NOT!)
 
I have this same problem on an xp machine. The system is on 2 striped sata drives, using Promise raid. The problem is when I use method 2 and boot using the password/registry tool, it sees my array as mirrored not striped and creates an error message. I have a driver on floppy for promise raid but I don't know how to get the password boot disk to use it.
I am able to see my drives using the recovery console. Can I fix this problem from there without the password tool?
 
XP pro...I didn't try method 4 because it involves using method 2 as well. If the password tool doesn't see my array as striped, it won't recognize the data. I could be wrong as I am very rusty at this and am trying to avoid doing more damage.
 
You may be willing to try my method then - see a bit above.
I wasn't able to use the second method as well, but managed to get my registry OK.

The key is the fact you must add the correct lines to the registry before the logon. This means - running Windows Registry Editor before logon. XP Pro provides doing that by using Group Policies.

See my post above, if there are unclear things (how to export registry entries or how to create a .bat file) feel free to ask. I didn't describe this very well as I'm just an average user, too. :)

Actually Yodama could take a look at that post and try to write it down clearly and step-by-step.

Or, you can choose to get some friend with good computer skills, slave your hard disk to his comp, and copy your files. Seems some folks have already done that. I considered this, too, since the solution I found took me 4 hours one day, and about 5 hours the following day (and a lot of surfing the net with my mobile phone!)
 
It has been awhile since I have worked from a command prompt so... once I am booted on ntfs4dos and try to change directories with "cd E:" ....E is where I found the system files in the recovery console.......it displays E:\ and then reverts back to an a prompt. So I did a dir E:\winnt\system32\config and the files that I need to backup are included in the files displayed.
.......by the way for some reason even though this is xp, system 32 is in winnt and there is no windows directory I believe this is because it was upgraded from 2k but I am not sure. I found this out in the recovery console......
so from the a prompt I tried rename e:\winnt\system32\config\software software.bak
I received the error message not enough memory

I can get into these directories from the recovery console. Is there a reason I shouldn't change these files from there?
 
Phirounded.....Well I tried step 2 of method 4 from the recovery console, rebooted in safe mode twice and I can now log into windows.
Now it has been awhile since I created a batch file........was this done from notepad?
 
So, you got that you have to type "e:" in console first, and only afterwards you can use the "cd" command?

OK, if you are able to log into windows,
1) you must export the correct registry entry.
1a) "Start"->"Run...", type "regedit"
1b) opens the "Registry Editor" window, there in the left pane (it's similar to Windows Explorer left pane, if you explore folders) you have to go to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
1c) there in the right side you should see an entry "Userinit"; for me the value is "C:\WINDOWS\system32\userinit.exe," but in your case I suspect it could be "e:\winnt\system32\userinit.exe," or something else. Anyway - if you logged into windows, this value work, right?
1d) Click File-Export, make sure that "Export Range" is "Selected branch" and it is "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
1e) name the file as "a.reg" (I do love short names), and save it in your windows folder (since there is also the "regedit.exe")
2) Now you have to create a BAT file. Indeed, open Notepad, type the line "regedit /s a.reg", save the file in windows folder as "a.bat" - type also the quotes, to force Notepad save it as a .bat file, not as .txt one.
3) I would recommend you to open the Windows folder and take a look, if the files "a.reg", "a.bat", "regedit.exe" are there (maybe windows hides the system file regedit - at least I have disabled this at Folder Options).
4) If everything is OK, now you can move on the following steps I described. I would maybe recommend you to reboot the computer after you add this startup event in Group Policy - just to check out that you don't receive some error messages or anything else. If not, then shut down windows, and try the latter points.
 
Pirounded...Well I made it through all of your steps and then performed step 4 in method 4 and when I rebooted it was back.......
 
Pirounded....I went back and reversed step 4 of method 4 and It boots again. Just to verify my entry in the bat file it is.....regedit(space)/s(space)a.reg.....
 
Strange.. first time nothing was changed also for me; appeared the login screen, but after that I clicked on my name and I could log in...

Well, one thing you could check out - if your bat file is being executed. Anyway you will have to make the first two steps of Method 4 in order to log into windows.

Afterwards, I would recommend you to change the bat file (right click on it and choose edit) as follows (without quotes)
"@echo off
echo Hello this is a test batch file
regedit /s a.reg
start /max notepad"

and the a.reg file (right click on it and choose edit) - add just before the line "Userinit"="C:\\WINDOWS\\system32\\userinit.exe," (BTW - is that the value you have there? or another one?) an extra line "TEST"="TEST"

By doing so, you will be able to check, if the bat file is executed.
Now just restart your computer (don't take the step 4) and see:
1) if the notepad window appears
2) if the "Test" entry is added in the registry, in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Maybe Spybot has changed something else in your system? at least for me this worked.
And Yodama could review this, and maybe give some useful comments!!! Is that called program support????
 