Tonester

Member
  • Posts

    7
  • Joined

  • Last visited

  • Donations

    0.00 USD 
  • Country

    United States

About Tonester

Tonester's Achievements

0

Reputation

  1. System is back

     Things are back (mostly) in order, though I have no idea what caused the problem. The lazy flusher was turned off so the registry was not flushing to disk, and since the system could not be shut down it wasn't flushing then either. I know there is a free "sync" program (SysInternals) that forces a disk flush but I don't know if that works on the registry. Hello Microsoft - it would be nice if Windows included this sort of thing because so many people need it for databases and other purposes.

     With some reading I found the NT process of creating an Emergency Repair Disk was supposed to flush the registry. XP has the Automated System Recovery process which I hoped would do the same, but that wouldn't run - either it doesn't like safe mode or the same issue stopping the flusher in the first place caused ASR to abort.

     I looked at my user profile and saw it has 1.37GB of data. I thought maybe I've blown some limit, or maybe the profile itself was corrupted. To reduce the size I moved large files to other virtual drives on the system. Through Tweak UI I disabled autologon so that on reboot I could get into another user - maybe to reset the registry, flush, then come back.

     After taking all of those steps, I was able to log off, log in, create an ASR image, restart, etc. Again, no idea what the problem was or which remedy really fixed it. Because I used msconfig to disable non-Microsoft services I needed to reset required services to start automatically. There is still some minor weirdness that I can live with but I suspect a re-install is prudent at some point soon.

     Summary

     To answer one of my own questions: After reloading HKLM\Software\Classes, the registry self-mirrored the data to HKEY_CLASSES_ROOT.

     People here and elsewhere suggested that I do a repair installation, but I'm not using ntbackup and haven't been generating ASR images - but I will now. Despite all of my backups I was only half-prepared for this event, which could have been much more of a disaster.

     Follow-ups are welcome from anyone who sees this and has a clue - the reason I turned this into a diary is that I've seen others stuck with no other option than a reinstall. My experience shows that's not 100% required, provided you have data and registry backups, a little knowledge, and a lot of determination.
  2. Update

     After restoring the entire HKLM\Software\Classes structure in safe mode and waiting for a while, I was able to run explorer, which returned the desktop icons, task bar, start menu, etc. I ran Norton AntiVirus, Ad-aware, and SpyBot, all of which showed a clean system.

     The system looked fine, except that I still could not shut down/reboot by any means. I had to hard reset. Coming back into safe mode the system was back to the corrupted state, with the same 50 or so keys under HKLM\Software\Classes. Something is stopping a clean shutdown and something is zapping the registry on boot. I'm not a registry guru by any stretch and I'm all out of tricks. Any ideas at this point?

     This info on the registry says "The setup phase of the Windows boot process automatically retrieves data from these supporting files. You can also retrieve data manually using the Import Registry File menu item of the Registry Editor (Regedit.exe). When you shut down Windows, the operating system automatically writes the hive data to the supporting files."

     Since I can't shut down, is this data simply not getting written to disk, even though I leave it sit for a few hours? How do I flush hive data to disk!?

     Is there some other part of the registry I need to check? Is it safe to just restore the entire HKLM? Do I need to restore the corresponding keys in HKEY_CLASSES_ROOT for Windows to verify HKLM\Software\Classes? Does the system replace HKLM\Software\Classes with the contents of HKEY_CLASSES_ROOT, or the other way around?

     This has to be a solvable problem; I don't want to do a repair install except as a very last resort. Thanks!
  3. Update

     The system was stuck in safe/networking mode because boot.ini overrides whatever you select from F8 options. Since I had a network, I was able to copy boot.ini to another system, remove the /safeboot:network switch, then simply copy the file back. With another reboot I got a command prompt back.

     Using my registry backup to restore the registry was a good idea; using Notepad to break up the massive .reg file into smaller pieces wasn't good. With the command prompt back I used WordPad to edit and save sections of my massive .reg file into smaller Unicode files - WordPad also doesn't insert its own CRLF at line wraps. For each file I then used "regedit filename.reg" to reload small sections back. It looks like regedit is done as soon as you OK the load, but you need to wait until you get a confirmation that it's done (I may not have done that the first time around either). Bottom line on this, I fully restored the Classes section and it looked OK before rebooting.

     On reboot into normal mode, I got the same thing as when I started, no desktop or icons. Going back to safe mode with command prompt I saw the Classes section got hit again. It looks like one of my primary startup routines has been compromised into corrupting the registry. I used msconfig to prevent all non-Microsoft Services and Startup processes from starting at boot, then reloaded the Classes registry from backup.

     I want to do a clean reboot but Restart doesn't work from Task Manager, and the Shutdown command (w/wo -r option) doesn't bring the system down either. I have to hard-reset the box in order to reboot. Power-up into safe mode with command prompt again, I see the exact same Classes keys are no longer in the registry, but others that were there before are - it looks like the registry isn't flushing. The system flushes to disk because file changes are persisted across reboots. Either the registry is not saving because I hard crash it, or something is hammering it every time I reboot, even into safe mode.

     Is there some command to flush the registry? How long does it wait between flushes? http://support.microsoft.com/?kbid=839562 shows that there is a key to set the lazy flush for the registry; I'll try this later.

     For now, my challenge is to figure out how to make registry changes stick. Sigh. I think this system can be salvaged, and maybe we can find out what causes this condition.
  4. Thanks for the responses so far guys. I'm hoping that documenting the diagnostic here will help someone else later, so I'm dumping everything I can here.

     I'll do the repair install as a last resort, and since this is my primary development system, that time is drawing near. I really hate major updates like that though, based on horror stories we find everywhere. I'd almost rather buy a new hard drive, install a new system, then mount this drive and pull over the data - major PITA there though, and days of downtime.

     This system can see another system over the network. If there is some way I can get a Copy command working, then I can copy boot.ini to the other system, modify it to safe boot with the command prompt, then copy it back. But Copy is a function of cmd.exe and I can't execute any .exe files. If I can get a command line back, there may be hope.

     Because there is a network connection I was thinking about the network feature in regedit to update the registry from another system. Unfortunately, while this system can see out, for some reason other systems can't see it.

     Does anyone have an idea why a registry import would fail (assuming nothing re-zapped it)? I was importing thousands of key/values. Maybe I imported too much. If I can get back to Notepad and Regedit from the command line, maybe I can try just a few at a time. Regedit exports in Unicode and Notepad saves as plain ASCII. I wonder if something happened there, or if Notepad wrapped text at margins - maybe I shouldn't use Notepad again if I get another command line. Does any of that ring a bell with anyone?

     So my priority at the moment is being able to edit boot.ini to get a command line back. Thanks again.
  5. [UPDATE]

     Going through the registry, so far I see most of the registry keys under this key have been deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Classes

     The ones obviously missing are the "extension" keys beginning with ".", then there are just other sporadic ones, but out of the hundreds of keys that should be there, I only have about 50.

     I created several .reg files from my registry backup to restore this tree. Then I used "regedit name.reg" to import the data from the backup. I guessed at that point that I'd need to reboot in order for Windows to see and use the new registry keys. I executed msconfig and set the boot to Safe with Networking.

     Now when I boot I get into safe/networking mode, but I can't manually boot into safe with command prompt or into normal mode anymore. The boot.ini overrides whatever I do at the F8 menu. Also, despite importing a ton of registry keys the system still does not recognize any file extensions - including important ones like .exe, so now I can't even execute cmd.exe - I no longer have any control.

     Three things are on my mind now:

     1) Getting control: What can I do from task manager File>Run to get some control back, assuming I can't execute .exe files, meaning I can't even execute regedit.exe anymore to manually add file associations? How can I reset boot.ini without msconfig and without an editor, so that I can boot and get back a command prompt? What happens if we select the "go back to last known good configuration setting"? Does that mess with profiles? Will that reset the registry? Will that reset boot.ini?

     2) Cleaning up: Is anyone aware of a virus that targets this Classes tree? And what other damage should I look for in the registry if this is a known issue?

     3) What else do I need to do/restore in order to have .reg files update the registry? Apparently the import didn't "take", or something deleted the entries again after I imported them - still active virus??

     Thanks again!
  6. Thanks dog, but no cigar. The userinit value is correct, including the trailing comma. It appears that the logon process does initiate and that the right user is being invoked, but something is stopping logonui from moving forward. Keep the suggestions coming folks!
  7. I see people in forums everywhere posting on this, including TomcaT from this forum, but no resolutions. Let's find out what this is!

     Symptoms

     My XP SP1 with full patches was working fine. I booted this morning and saw a warning that there was an invalid registry key, but that a prior version of the registry was available and it was going to use that. I had to OK it. Then nothing. I hard reset.

     I have auto-login to a user in group admin. I see the desktop wallpaper, hear the music, then it goes back to windows logon and stays there. The only thing active is ctrl-alt-delete which brings up task manager. The desktop under that shows wallpaper with no icons. logonui.exe is running and a few other services, explorer.exe is not.

     I cannot run explorer.exe manually from File>Run because there are no program associations. I can't see any recent errors because (no associations) I can't run control panel (any other way to do this?). I can't regedit for the same reasons.

     Shutdown>Restart and Shutdown>TurnOff from the Task Manager menu do not work. I figured a good boot may require a clean wrapup. If I close task manager, there are no icons on the desktop. Right-clicking shows no context menu, so I can't "Show desktop icons", "Arrange icons by", etc. Ctrl-alt-delete again doesn't re-open task manager; hard reset is the only option.

     Safe Boot IS available

     F8 does work, and I can select "with Command prompt" from the menu. While it shows the same logonui issue, I now have a command prompt, and can execute Notepad, and regedit! I still have no icons or context menu from the desktop, and browsing with the Notepad Open dialog only shows some folders depending on how I drill down into them.

     I did not do any system configuration or installs of new software yesterday. I have fully updated NAV 2004 but it's possible that I got hit with a nasty virus (don't know how, this is a development machine and "surfs safe"). Problem is that I can't do a scan/check in this condition.

     I have daily backups of critical data; my last save of the registry was done a couple weeks ago. I can back up the registry now but am not sure how to do a check to get a delta and see what happened.

     Please provide some suggestions for how to get logonui to finish whatever it's doing, launch explorer.exe, and otherwise get this system back to normal. Any tips on what to look for in the registry or logs are welcome.

     I don't know if there is a way to boot into safe mode with a command prompt AND with networking. I'd really like to be able to extract my backups off of this system through the network, just in case the system can't be salvaged. Thanks!!
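
Added example, not part of the original posts: a way to get the "delta" asked about in the first post and to cut a large .reg backup into importable pieces as described in the later update, without splitting a key block or a wrapped hex value. The function names and sample exports are constructed for illustration, and the script is assumed to run on a separate working machine with Python 3.8 or later.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_LINE = re.compile(r"^\[(HKEY_.+)\]\s*$")
# Constructed sample exports; real ones are read with open(path, encoding="utf-16").
BACKUP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
"EditFlags"=hex:38,07,\
  00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Name"="kept"
'''
CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@="Application"
'''

def parse_reg(text):
    """Map each key path to the raw value lines of its block."""
    blocks, current = {}, None
    for line in text.splitlines():
        if m := KEY_LINE.match(line):
            current = blocks.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.append(line)  # value or hex continuation line, kept verbatim
    return blocks

def missing_keys(backup, current, root):
    """Keys at or under root that the backup has and the current export lacks."""
    prefix = root.lower() + "\\"
    have = {k.lower() for k in current}
    return sorted(k for k in backup
                  if (k.lower() + "\\").startswith(prefix) and k.lower() not in have)

def split_reg(blocks, max_keys):
    """Yield .reg texts holding at most max_keys whole key blocks each."""
    items = list(blocks.items())
    for i in range(0, len(items), max_keys):
        body = "\r\n\r\n".join("\r\n".join([f"[{k}]"] + v)
                               for k, v in items[i:i + max_keys])
        yield f"{HEADER}\r\n\r\n{body}\r\n"
```

Each chunk can be written with `open(name, "w", encoding="utf-16", newline="")` so it keeps the Unicode encoding and CRLF line endings of a regedit export.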