SYSTEM registry file is corrupted

[Cixert]

I have 2 computers with the same problem, a desktop and a laptop.
When starting Windows 2000 it says that the SYSTEM registry file is corrupted.
I restore a previous registry backup made automatically with the WinRescue 2000 program and then Windows starts again.
But when I restart the computer the problem returns.
I think I don't have any rare software installed that I don't have on other computers.
What can be?

[Dave-H]

Have you tried replacing all of the registry files from the backup?
They would normally all be written to simultaneously I would have thought, and the system may not like the fact that the SYSTEM hive has a different timestamp to the others.
Just a thought.

[jaclaz]

Is the disk and filesystem working?

NTFS may have some (hopefully minor) corruption, that may prevent from accessing the registry backing file.

What I would do personally would be:

1) make a forensic sound or dd-like copy of the whole disk
2) run chkdsk (in steps, once without parameters and if errors are found with the /F)
3) defrag the file system
4) re-reun chkdsk

BUT - BEFORE that - what size is the system file (the one that won't load)?

There used to be a size limit on "system" on 2000 OS, should be 16 MB:

https://superuser.com/questions/271240/how-to-test-whether-a-windows-2000-registry-hive-is-corrupt

or maybe it is 16 MB including system file and kernel size:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/bed7bb0b-f203-4e91-9cf2-92d361889e46/how-to-fix-windows-2000-server-registry-windirsystem32configsystem-limits-?forum=winservergen

since it is happening to you on two systems this latter is more likely than two hard disks/filesystems failing at the same time.

jaclaz

 

[Cixert]

The hard drive is 500 GB Sata II with 4 primary partitions in Fat32, in the second partition Windows 2000 is installed.
The SYSTEM size does not reach 6 MIB.
I have executed Chkdsk / f / r and has no errors.
I have executed the Victoria test and does not find defective sectors.
S.M.A.R.T. It is not very healthy, but it does not say that the status is critical, I have Windows XP in the third partition running without problems.
I have defragmented the Windows 2000 partition and now the system does not start though I restore any registry copy complete.
This says that all SYSTEM copy is damaged.
Edit:
After executing Victoria I can restore copies System file and I return to the initial problem

Edited October 26, 2022 by Cixert

[WinWord2000]

On 10/25/2022 at 2:41 AM, Cixert said:

I have 2 computers with the same problem, a desktop and a laptop.
When starting Windows 2000 it says that the SYSTEM registry file is corrupted.
I restore a previous registry backup made automatically with the WinRescue 2000 program and then Windows starts again.
But when I restart the computer the problem returns.
I think I don't have any rare software installed that I don't have on other computers.
What can be?

this problem occur to me in the past With Windows XP  , it require formatting and reinstall if it not resolved with these steps:

https://neosmart.net/wiki/fix-registry/ 

it require CD of Windows 2000 

 But you must know the cause of the error, do not return it , if any damaged driver installed before this error remove it ,

Edited October 27, 2022 by WinWord2000

[Cixert]

5 hours ago, WinWord2000 said:

this problem occur to me in the past With Windows XP  , it require formatting and reinstall if it not resolved with these steps:

https://neosmart.net/wiki/fix-registry/ 

it require CD of Windows 2000 

 But you must know the cause of the error, do not return it , if any damaged driver installed before this error remove it ,

Thanks, but I have copies of the registry made with WinRescue2000.

After defragmenting it seems strange to me that after restoring a previous version of the registry sometimes it starts and sometimes it doesn't

Edited October 27, 2022 by Cixert

[jaclaz]

SInce you are multibooting you could attempt an old-school defrag, i.e. copying everything to a folder on another volume, delete the contents of the old volume and then copying the data back, this way all files will be contiguous.

Still, having a dd-like copy of the volume would be advisable.

As said I find it queer that you are having this behaviour on two different computers (that both have filesystem or disk issues at the same time and that both create the same issues seems to me very improbable).

Maybe you could compare the two Registries (the backup one that once restored allows to boot against the one that fails to boot) I think Regshot works also on 2000, the Nirsoft RegistryChangesView officially supports only starting from XP.

Another attempt could be to try using ERUNT (and the NTREGOPT) to compact the Registry.

BUt right now these are just shots in the dark, I have no idea what the actual issue could be.

jaclaz

[Cixert]

On 10/28/2022 at 1:31 PM, jaclaz said:

SInce you are multibooting you could attempt an old-school defrag, i.e. copying everything to a folder on another volume, delete the contents of the old volume and then copying the data back, this way all files will be contiguous.

Still, having a dd-like copy of the volume would be advisable.

As said I find it queer that you are having this behaviour on two different computers (that both have filesystem or disk issues at the same time and that both create the same issues seems to me very improbable).

Maybe you could compare the two Registries (the backup one that once restored allows to boot against the one that fails to boot) I think Regshot works also on 2000, the Nirsoft RegistryChangesView officially supports only starting from XP.

Another attempt could be to try using ERUNT (and the NTREGOPT) to compact the Registry.

BUt right now these are just shots in the dark, I have no idea what the actual issue could be.

jaclaz

The problem happened to me on a laptop a few years ago. Now the problem is on a desktop computer.
After defragmenting, at this time without any further operations, even though I restore any registry copy, Windows 2000 does not start due to the error in SYSTEM.
I have cloned a copy on another hard drive with R-Drive Image and it doesn't boot either. I have also created an image in a file and later restored it, with the same result.
I can only think that Windows is not looking for SYSTEM in the correct path.
how can i check it?

[Cixert]

He logrado iniciar Windows 2000.
En este momento, las copias antiguas del registro no fallan después de reiniciar Windows 2000.
La última copia del registro es la única que falla al reiniciar Windows 2000.
Pero sé que, aunque el antiguo las copias funcionan ahora, en cualquier momento vuelve el error.

Con los programas de comparación de registros no veo un cambio en el archivo SYSTEM que determine el error. Quizás alguien más lo vea.
Nirsoft no funciona en Windows 2000.
Lo he ejecutado en Windows XP, el problema es que no funciona para comparar el registro actual de Windows 2000, solo funciona con las copias.

Nirsoft con las 2 últimas copias del registro
https://anonfiles.com/42VbQ2F1y8/Nirsoft_jpg

Regshot con las 2 últimas copias del registro
https://anonfiles.com/S76aReF8yb/dos_ultimos_winrescue_txt

Regshot con la última copia del registro que no reinicia y el registro actual de Windows 2000 que no inicia
https://anonfiles.com/Ecq1RaFbyf/No_arranca_y_ultimo_winrescue_para_compartir_txt

Edited November 4, 2022 by Cixert

[mina7601]

Translation for the above post for people who don't understand Spanish:

"I have managed to start Windows 2000.
At this time, old copies of the registry do not fail after a Windows 2000 restart.
The last copy of the registry is the only one that fails when you restart Windows 2000.
But I know that even though the old copies work now, anytime the error returns.

With log comparison programs I don't see a change in the SYSTEM file that determines the error. Maybe someone else will see it.
Nirsoft does not work on Windows 2000.
I've run it on Windows XP, the problem is that it doesn't work to compare the current Windows 2000 registry, it only works with the copies.

Nirsoft with the last 2 copies of the registry
https://anonfiles.com/42VbQ2F1y8/Nirsoft_jpg

Regshot with the last 2 copies of the registry
https://anonfiles.com/S76aReF8yb/dos_ultimos_winrescue_txt

Regshot with the latest copy of the non-booting registry and the current non-booting Windows 2000 registry
https://anonfiles.com/Ecq1RaFbyf/No_arranca_y_ultimo_winrescue_para_compartir_txt"

[Cixert]

14 minutes ago, mina7601 said:

Translation for the above post for people who don't understand Spanish:

"I have managed to start Windows 2000.
At this time, old copies of the registry do not fail after a Windows 2000 restart.
The last copy of the registry is the only one that fails when you restart Windows 2000.
But I know that even though the old copies work now, anytime the error returns.

With log comparison programs I don't see a change in the SYSTEM file that determines the error. Maybe someone else will see it.
Nirsoft does not work on Windows 2000.
I've run it on Windows XP, the problem is that it doesn't work to compare the current Windows 2000 registry, it only works with the copies.

Nirsoft with the last 2 copies of the registry
https://anonfiles.com/42VbQ2F1y8/Nirsoft_jpg

Regshot with the last 2 copies of the registry
https://anonfiles.com/S76aReF8yb/dos_ultimos_winrescue_txt

Regshot with the latest copy of the non-booting registry and the current non-booting Windows 2000 registry
https://anonfiles.com/Ecq1RaFbyf/No_arranca_y_ultimo_winrescue_para_compartir_txt"

sorry, the post was originally written in english from the computer.
But I have gone to edit the post from the phone and when I hit send it has been automatically translated from English to Spanish.
There is a problem with Chromium's automatic translators on smartphones and non-native language forums.

I wanted to add that I have checked the Windows 2000 startup files, before loading SYSTEM.  I am surprised that the file kdcom.dll says to load at startup without errors but this file does not exist in the Windows 2000 directory

Edited November 4, 2022 by Cixert

[jaclaz]

At first sight, you have both a ControlSet003 and a ControlSet004 which is not "standard", normally there are only ControSet001 and ControlSet002, I have seen Windows 2000 installs with several (up to 20 or so) ControlSets, but it is a sign of previous corruption of this (or that) ControlSet.

The CurrentControlSet is one among the ControlSetxxx's depending on the value of the HKEY_LOCAL_MACHINE\SYSTEM\SelectSelect key, in theory (and AFAIK) a non-selected ControlSet should not normally be modified, yet the Nirsoft image you shared show that both #003 and #004 have changes.

Cannot say if it is normal, but that site you uploaded files to attempts to make me download an executable, no good, only retrying I can get the actual files.

The Regshot file "No arranca y ultimo winrescue para compartir.txt" has changes in ControlSet013!

No idea as what could be the root cause, let alone about possible way to fix it for good, unfortunately. 

jaclaz

 

[AstroSkipper]

Hello @Cixert! A very good tool for defragmenting the registry files and the pagefile is PageDefrag 2.32 from Sysinternals. It solved in several cases starting problems that I had in the past. Another approach is an examination of the integrity of your hard disks with tools from outside. As you wrote in the first post, two different computer are concerned. If so, maybe both are infected by the same malware, or you have installed a program on both computers causing this corruption. In any case, a very deep investigation is necessary if the simple solutions don't work.

Cheers, AstroSkipper 

[Cixert]

Fixed:
It was a worm. I use Service Pack 3 with the Blaster, Sasser & Conficker update packs, but on both computers I had been messing around with changing the hal and because of this old copies version of the hal layers were restored.

On the desktop computer I fixed it by restoring copies of ntldr, hal.dll BOOTVID.dll and especially ntkrnlpa.exe
Interestingly on this computer it worked by restoring a previous version copy of the hal layer and connecting to the internet did not reproduce the problem again.
At that time I still did not know the problem cause.
In the laptop that did not work for years, after resetting the registry, it stopped booting only after connecting to the Internet.
I've restored a registry copy, reinstalled the updates anti-blaster, Sasser...
And the problem has not returned.
It is curious that neither Avast nor Malware Bytes detected any virus in the scan performed.
On the other hand, the registry change comparator files showed different results when comparing both registries.
But on the laptop they showed 2 very suspicious keys with FAT32 format.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: AB 3C CD E7 5A 38 7D 97 07 0C F0 9F E6 6A B2 3F E8 EC 7F 61 06 98 D2 2E FA 3D 1A A4 52 54 40 7C 1F 43 E2 7A 9C 02 94 13 C8 64 9F D8 F8 20 19 35 50 A2 F4 6A DC 06 95 6A 1F A2 0E 1C 2F 53 1C F1 01 28 52 81 A7 51 39 91 A4 9A 85 06 2C B3 84 E9
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 97 93 BC 79 5D DE C2 4F C3 E9 0B AF F8 A7 90 B7 9D 16 EF E8 C0 F6 EB C1 8A 58 45 6A D6 B4 73 E2 03 9E B8 BB 75 50 4A 9F 28 9D B0 07 AE 64 6A 20 07 4B BB 13 20 F9 C0 F6 1D C7 DE 6D 94 7B A0 FC 12 EC 4D E0 BC 52 D8 00 1C 93 5E 0A 85 67 D6 74
 

edit
For the exposed:
-Desktop computer ---> The problem arises with or without an Internet connection.
Fixed restoring ntkrnlpa.exe previous version

-Laptop ---> The problem occurs only when the system is connected to the Internet.
Fixed updating ntkrnlpa.exe

After writing the previous lines I have gone to upgrade Windows 2000 on both computers with:
-KB824146-x86 Anti-Blaster
-KB835732-x86 Anti-Sasser
-KB828741-x86 Anti-attack by RPCSS

On the laptop I haven't had any problems, but on the desktop the problem returned after installing KB824146-x86 Anti-Blaster and restarting the system.
I haven't checked if it updates ntkrnlpa.exe
Then I went to install KB835732-x86 Anti-Sasser, but it gave me the error "The installation program could not verify the integrity of the Update.inf file"
In Internet forums it says that it is because the encryption service is not running. I do not see this service installed in Windows 2000. It is possible that I have uninstalled it in the past.
The problem has been solved by restoring a fairly old version of the registry, from 18 months ago, on which I have been able to install the updates.

Edited November 8, 2022 by Cixert