Google redirects & spybot,hijack this problems


133 replies to this topic

#61 arfon.jones (Authentic Member, 71 posts)
Posted 05 November 2009 - 03:21 PM

Hello, here is the look.txt:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ShowLogonOptions    REG_DWORD    0x0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
    DriverCachePath    REG_EXPAND_SZ    %SystemRoot%\Driver Cache
    BootDir    REG_SZ    C:\
    PrivateHash    REG_BINARY    6F1E5F262D4244136B16D3FE9FF58088
    Installation Sources    REG_SZ    C:
    SourcePath    REG_SZ    C:\WINDOWS
    ServicePackSourcePath    REG_SZ    c:\windows\ServicePackFiles
    CDInstall    REG_DWORD    0x0
    LogLevel    REG_DWORD    0x0
    ServicePackCachePath    REG_SZ    c:\windows\ServicePackFiles\ServicePackCache

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\BaseWinOptions
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Migration DLLs
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents
HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\WindowsFeatures

 Volume in drive C is system
 Volume Serial Number is 4C24-1144

 Directory of c:\05680d73bf944828f163c4fc37c5

08/06/2009  12:56 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\Program Files\APC\PowerChute Business Edition\jre142_11\lib

07/13/2008  04:14 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\Program Files\Java\jre1.5.0_06\lib

03/18/2006  01:08 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\Program Files\Java\jre1.6.0_03\lib

12/19/2007  06:36 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\Program Files\Java\jre6\lib

02/12/2009  10:13 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS

11/24/2004  02:53 PM    <DIR>          I386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\Driver Cache

08/06/2009  12:56 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\ServicePackFiles

09/17/2008  07:51 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\ServicePackFiles\ServicePackCache

09/17/2008  07:51 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles

08/25/2007  05:39 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles

07/13/2008  04:13 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles

09/17/2008  07:42 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles

09/17/2008  07:42 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\system32\spool\XPSEP

08/06/2009  12:56 PM    <DIR>          i386
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\system32\spool\XPSEP\i386

08/06/2009  12:56 PM    <DIR>          i386
               0 File(s)              0 bytes

     Total Files Listed:
               0 File(s)              0 bytes
              15 Dir(s)  139312013312 bytes free

 Volume in drive X is MiniXP
 Volume Serial Number is CC91-18C3



#62 noahdfear (Silver Member, Visiting Fellow, MVP, 465 posts)
Posted 05 November 2009 - 04:23 PM

Sorry, I need you to load Registry Editor PE once more for another export.
Copy the contents of the code box below and paste it into a command window while the editor is open and minimized.

reg query "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LogonType >"%userprofile%\desktop\look.txt"
reg query "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Background >>"%userprofile%\desktop\look.txt"
start notepad "%userprofile%\desktop\look.txt"
exit
cls

Post the new log that opens.

Edited by noahdfear, 05 November 2009 - 04:23 PM.

Dave

#63 arfon.jones
Posted 05 November 2009 - 04:32 PM

No problem!

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    LogonType    REG_DWORD    0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Background    REG_SZ    0 0 0

#64 noahdfear
Posted 05 November 2009 - 05:14 PM

The previous exports were to:

1. determine if the system would look for replacements on the drive or prompt you for the XP cd when the System File Checker is run
2. determine the method used to logon to your user account

What I propose to do next is attempt to force Windows to run a System File Check on startup by merging a reg file.
If corrupted system files are found they should be automatically replaced with good copies found on the drive.
I also intend to enable the Windows Classic Logon dialog to help verify the bootup process (tells me bootup goes at least to the logon stage).
If you do not use a password to logon, you need only hit Enter or click OK to logon.
The System File Checker should start and be visible after logon, if successful, even if the screen remains in the same state it has been in on previous attempts to logon.
Be patient - it may take quite a while to complete.
You may need to restart the computer when the scan completes to verify any changes.

* The following will create backups of the affected registry keys prior to making any changes and save them to the hard drive*

With Registry Editor PE loaded and minimized, copy the contents of the code box below and paste it into a command window.

@echo off
reg save "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" c:\winlogon.hiv
reg save HKLM\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup c:\setup.hiv
reg add "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d 00000000 /f
reg add "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SfcScan /t REG_DWORD /d 00000002 /f
reg add "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCShowProgress /t REG_DWORD /d 00000001 /f
reg add "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LogonType /t REG_DWORD /d 00000000 /f
reg del "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Background /f
reg add HKLM\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Setup /v "Installation Sources" /t REG_SZ /d C:\WINDOWS /f
exit
cls

When the command window closes, close the editor and wait for the All Finished message, then restart and boot the hard drive.
Let me know the results.
Dave

#65 arfon.jones
Posted 05 November 2009 - 06:41 PM

Hello, I followed your last instruction, I hope! Tried booting up: it goes to the Win XP logo with the strobing light, then to the black screen with the mouse cursor. Left it running for about an hour before replying; no change, sorry.

#66 noahdfear
Posted 05 November 2009 - 07:31 PM

Boot to MiniXP and click Start>Programs>ERD System Restore. In the opening dialog expand My Computer and click (C:) Local Disk to select it, then click OK. Click Next, then select 'Roll back to an existing restore point' and click Next again. This should bring up a calendar in which you need to look for and select the bolded days. If one is located, select it in the right pane then click Next. The next screen will show you what files will be affected. Click Next. When it completes, restart and try a normal boot.

*Note - in my testing, I was often told that no restore points existed in the disk I selected. I canceled out and ran it again, this time selecting the C:\Windows folder, which gave me the same message. I then ran it once more, this time selecting Local Disk C: again, and it was able to find restore points. In other words, if unsuccessful on the first run, try it a few times, changing the location it looks in and finally going back to C:.

** I previously had you do a search for registry hives in the system restore folder, which came up blank, so I'm not extremely hopeful that a restore point will be found.
Dave

#67 arfon.jones
Posted 06 November 2009 - 04:36 PM

Hello, I tried your last suggestion in as many ways as I could think of, and several times, and I kept getting "no system restore points exist". Maybe the only solution is to reformat?? Is there any way of saving anything with the MiniXP system? Many thanks for your effort.

#68 noahdfear
Posted 11 November 2009 - 11:19 PM

Hi arfon,

Sorry for the late reply!

I should have suggested this before - please disconnect all unnecessary peripherals, such as speakers, printers, cameras or any other usb devices. If it's within your means, I would also suggest physically removing any pci devices if they exist, that the computer does not need to boot, such as a network card, modem or add-on graphics/sound card. If there is no change in behavior, I do have one or two other things we can maybe try if you're game. That said;

formatting is an option, though if you prefer to try avoiding a complete re-install of all your programs, you could attempt a repair installation of Windows, provided you have a Windows XP Operating System disc as opposed to a Recovery cd. A repair installation leaves the current file system intact, meaning if the repair is successful, the system will still require cleansing of malware.

You can backup files from within the MiniXP environment. You can burn cds, attach usb hard drive or another physical internal hard drive to be used for data storage.
Dave

#69 arfon.jones
Posted 13 November 2009 - 06:13 PM

Hi Dave, I disconnected all the components you suggested, including the sound card, but it made no difference. Maybe we can try the one or two other things you have in mind.

#70 noahdfear
Posted 14 November 2009 - 11:36 AM

In MiniXP, download Regmon from the following link and save it to the desktop.

http://download.cnet...4-10020841.html

Right click the Regmon.zip file and select 7-zip>Extract to "\Regmon".
Open the Regmon folder and double click regmon.exe
Agree to the license.
When regmon opens, click the magnifying glass icon on the toolbar to stop the screen capture.
Click Options>Log Boot then click OK on the message box that opens.
Close regmon and the regmon folder.

Start Registry Editor PE, no user hive necessary, then minimize it to the taskbar.
Highlight and copy, as text, the contents of the code box below.

@echo off
md c:\Regmon
copy "%userprofile%\Desktop\Regmon\*.*" c:\Regmon
copy X:\i386\System32\drivers\REGSYS701.SYS C:\WINDOWS\system32\drivers\REGSYS701.SYS
reg save HKLM\SYSTEM\CurrentControlSet\Services\REGMON701 c:\regmon.hiv
reg add HKLM\_REMOTE_SYSTEM\ControlSet005\Services\REGMON701
reg restore HKLM\_REMOTE_SYSTEM\ControlSet005\Services\REGMON701 c:\regmon.hiv
reg add "HKLM\_REMOTE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe, /f 
exit
cls

Open a command window and paste the copied text in.
Exit Registry Editor PE and restart the computer, allowing it to boot from the hard drive.
Once the boot process goes as far as it will, restart back into MiniXP and locate C:\Windows\regmon.log
Right click the log and select 7zip>Add to "Regmon.zip"
It will create the regmon.zip file in C:\Windows
Open a browser and go to my submission channel, then browse to and upload the regmon.zip file.
Close all Explorer windows.

Open a command prompt and type chkdsk /r c: then hit Enter.
Do not access the C: drive while checkdisk is running.
When checkdisk completes, restart and see if the computer will boot properly.

Was the operating system pre-installed from the factory on this computer?
Dave
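As an added check for the exports in this thread (example code written for this page, not part of the thread and not a Hiren's/Registry Editor PE tool): a small Python parser for the `reg query` text that look.txt contains, followed by a comparison of the offline Winlogon values against what the reg add commands in posts #64 (SFC and LogonType) and #70 (Userinit) are meant to leave behind. The sample export is constructed, the `_REMOTE_SOFTWARE` key name follows the thread, and the reading of SfcScan=2 as "scan once at the next boot" is assumed from Windows XP documentation rather than stated in the thread.

```python
"""Parse `reg query` text (REG.EXE 3.0, as pasted in look.txt above) and compare
the offline Winlogon values with what the thread's reg add commands should leave."""
import re
import sys

# Offline hives are mounted as _REMOTE_SOFTWARE by Registry Editor PE (thread's naming).
WINLOGON = ("HKEY_LOCAL_MACHINE\\_REMOTE_SOFTWARE\\Microsoft\\Windows NT"
            "\\CurrentVersion\\Winlogon")
SETUP = "HKEY_LOCAL_MACHINE\\_REMOTE_SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup"

# Constructed sample (not one of the exports in the thread): same shape as look.txt,
# a "! REG.EXE VERSION 3.0" banner, a key path, then one name/type/data line per value.
SAMPLE_CLEAN = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    WINLOGON,
    "    LogonType\tREG_DWORD\t0x0",
    "    SFCDisable\tREG_DWORD\t0x0",
    "    SfcScan\tREG_DWORD\t0x2",
    "    SFCShowProgress\tREG_DWORD\t0x1",
    "    Userinit\tREG_SZ\tC:\\Windows\\system32\\userinit.exe,",
    "    Shell\tREG_SZ\tExplorer.exe",
    "",
    SETUP,
    "    Installation Sources\tREG_SZ\tC:\\WINDOWS",
    "    CDInstall\tREG_DWORD\t0x0",
    "",
])

# Same constructed export with one deviation: a second program appended to Userinit.
SAMPLE_MODIFIED = SAMPLE_CLEAN.replace(
    "userinit.exe,", "userinit.exe,C:\\WINDOWS\\system32\\extra.exe")

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
# Indented "name <type> <data>" lines; the name may contain spaces ("Installation Sources").
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    hives = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and the REG.EXE banner
        if KEY_RE.match(line):
            current = line.strip()
            hives.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            hives[current][name] = (vtype, data.strip())
    return hives


def dword(data):
    """REG_DWORD data is printed as hex, e.g. 0x2."""
    return int(data, 16)


# Values the reg add commands in posts #64 and #70 set. Assumed meanings (XP docs, not
# the thread): SFCDisable=0 keeps SFC enabled, SfcScan=2 requests one scan at next boot,
# SFCShowProgress=1 shows the scan, LogonType=0 is the classic logon dialog.
EXPECTED = {
    "LogonType": 0,
    "SFCDisable": 0,
    "SfcScan": 2,
    "SFCShowProgress": 1,
    "Userinit": "c:\\windows\\system32\\userinit.exe,",
}


def check_winlogon(hives, key=WINLOGON):
    """Return [(value_name, found, expected)] for every value that is missing or differs."""
    findings = []
    values = hives.get(key, {})
    for name, want in EXPECTED.items():
        if name not in values:
            findings.append((name, None, want))
            continue
        vtype, data = values[name]
        got = dword(data) if vtype == "REG_DWORD" else data.lower()
        if got != want:
            findings.append((name, got, want))
    return findings


if __name__ == "__main__":
    # Usage: python check_winlogon.py look.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODIFIED
    for name, got, want in check_winlogon(parse_reg_query(text)):
        print(f"{name}: found {got!r}, expected {want!r}")
```

Run it against a look.txt produced by the same `reg query` commands as above and it lists only the Winlogon values that did not end up as the reg add lines intended; an empty list means the commands took effect in the offline hive and the boot problem lies elsewhere.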



#71 arfon.jones
Posted 14 November 2009 - 04:53 PM

Hello, I have downloaded Regmon and ran it. Then I tried opening Registry Editor PE but it won't open, with the message "SAM file not found, please verify the correct file name was given". Not sure how to proceed.

#72 noahdfear
Posted 14 November 2009 - 05:04 PM

Did it appear to look in the C:\Windows\system32\config folder, where all of the other hive files are located? When asked for the SAM hive, do you see it in the browse window?
Dave

#73 arfon.jones
Posted 14 November 2009 - 05:21 PM

I go to Hiren's Boot CD, Win Tools, select menu - Registry - Registry Editor PE (a "browse for folder" box opens). I select C system, then click OK, then another box opens ("select the remote SAM hive!") with desktop.ini in the top corner. I click Open and get the fail message. I also tried changing the desktop.ini to C in the drop-down menu and get the fail message.

#74 noahdfear
Posted 14 November 2009 - 05:29 PM

You need to select the C:\Windows folder.
Dave

#75 noahdfear
Posted 14 November 2009 - 06:01 PM

Just received the file. It's going to take me a while to analyze and I'd like another log to compare. If you would please, delete the regmon log and regmon zip file in C:\Windows, restart to the hard drive once more and this time leave it sit for at least 10 minutes on the gray screen. Go back to MiniXP, and zip the log again, then submit it as well. If the log is not created, let me know and I'll post instructions for repeating the procedure (it will be slightly different than the first time).
Dave
