2003 Server logging in then logging right back out...

Corbett

Diamond Member
Jun 8, 2005
3,074
0
76
Just wondering if anyone has ever seen this problem.

No matter what username I use to login to my 2003 server it logs me right back out. I can't get in in safe mode or last good known configuration. Any suggestions would be greatly appreciated. Thanks!
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
You add a drive recently?


Search the MS KB for the keyword userinit.

Your winlogon process is unable to launch userinit to bring up your desktop.
 

Thor86

Diamond Member
May 3, 2001
7,888
7
81
Is this a member server on a domain?

I've seen this behaviour on Member servers that were restored from backup.

If this is the case, you will need to login using the local administrative account, and possibly remove the system from the domain and re-add it afterwards as it seems like the security identification (SID) of the machine has become corrupted.
 

Smilin

I don't think he's talking about a logon failure due to a broken machine account. That produces a useful error message.

If this is a problem with userinit then no account will be able to logon. You'll have to fix the registry by connecting regedit across the network.

 

Corbett

Yes I did add an external drive recently but I unplugged it before I rebooted and now I cannot login. It is 2003 server standard edition. No matter what local username I use to login directly to the server, it logs in then immediately kicks me right back out to the login prompt. How would I go about editing my server registry from another PC? If I boot the server up and don't login I can still get to my mapped drives on the server from a client PC.

EDIT: Also, no, I do not receive any type of error message. It just immediately logs me right out after I login.
 

Smilin

Yeah, your drive letter shifted.

You'll need to edit your MountedDevices regkey to correct this but first you'll want to get logged on. Leave the busted box sitting at the logon screen. Jump on a different box on the network and fire up regedit. From the File menu Connect to remote registry and specify the busted box's name.

Find this regkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the Userinit value on the right just clear out the path so that it just says, "userinit.exe," (with ending comma, no quotes of course).

You should then be able to immediately logon to the busted box.

Now you gotta fix mounted devices. Again there is a great KB article on it. Search on "mounteddevices" and "drive letter". It and the userinit article are cross linked to each other.

If you have some balls you can just do what I would do: back up the MountedDevices key and then clear everything in it except (default) at the top. Reboot. The reboot will be a bit longer than normal as the key is rebuilt automatically. With just the tiniest bit of luck it will repopulate just the way you had it ...assuming you have that extra drive taken back out. If this works it's a much easier route. If not you can always take the long way mentioned in that KB.

Note that the MountedDevices regkey is outside of your control sets so if you fat finger something a lastknowngood won't help you. If something horrible does go wrong you can just boot with a windows\repair copy of your system hive, open the now bad hive and paste that MountedDevices regkey you backed up back in. Quite a bit of a hassle but can definitely be done.
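
An added example, not part of the original thread: the remote-registry steps from the post above, done in PowerShell from another machine on the network. The computer name, backup path and `-Fix` switch are assumptions; it needs administrative rights on the target and the Remote Registry service running there.

```powershell
# Added example (not from the thread). Run from a second machine on the network.
# 'BUSTEDSERVER', the backup path and the -Fix switch are placeholders/assumptions.
param(
    [string]$ComputerName = 'BUSTEDSERVER',
    [string]$BackupPath   = '.\MountedDevices-backup.csv',
    [switch]$Fix          # without -Fix the script only reads
)

$winlogonPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
try {
    # 1. Back up MountedDevices first: it lives outside the control sets,
    #    so Last Known Good will not restore it.
    $mounted = $hklm.OpenSubKey('SYSTEM\MountedDevices')
    $rows = foreach ($name in $mounted.GetValueNames()) {
        if ($name -eq '') { continue }    # skip (default)
        [pscustomobject]@{
            Name = $name
            Hex  = [BitConverter]::ToString([byte[]]$mounted.GetValue($name))
        }
    }
    $rows | Export-Csv -Path $BackupPath -NoTypeInformation
    $mounted.Close()

    # Show the current drive-letter assignments (\DosDevices\C: and so on).
    $rows | Where-Object { $_.Name -like '\DosDevices\*' } |
        Sort-Object Name | Format-Table -AutoSize | Out-String | Write-Host

    # 2. Read Userinit; a full path with a drive letter breaks once letters shift.
    $winlogon = $hklm.OpenSubKey($winlogonPath, [bool]$Fix)
    $current  = [string]$winlogon.GetValue('Userinit')
    Write-Host "Userinit on ${ComputerName}: '$current'"

    # 3. With -Fix, set the relative form given in the thread.
    if ($Fix -and $current -ne 'userinit.exe,') {
        $winlogon.SetValue('Userinit', 'userinit.exe,',
            [Microsoft.Win32.RegistryValueKind]::String)
        Write-Host "Userinit changed from '$current' to 'userinit.exe,'"
    }
    $winlogon.Close()
}
finally {
    $hklm.Close()
}
```

Run it once without `-Fix` to record the existing Userinit value and the MountedDevices backup before changing anything.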
 

SoulAssassin

Diamond Member
Feb 1, 2001
6,135
2
0
I would remotely check the sys log before making any of the changes listed above just to CYA.
 

Smilin

Yep, that's never bad advice.

I'll betcha mucho beer I nailed this one tho :) It's a common call into MS.
 

Corbett

Originally posted by: Smilin
Yep, that's never bad advice.

I'll betcha mucho beer I nailed this one tho :) It's a common call into MS.

Pardon my ignorance but how would I check the sys logs without being logged in?

Also, I will get back to you on this issue and let you know.

Are you sure it's going to work? Like I said, I plugged an external drive into this system and then unplugged it. Seems odd that would cause something like this.

Thanks again!

 

SoulAssassin

Originally posted by: Corbett
Originally posted by: Smilin
Yep, that's never bad advice.

I'll betcha mucho beer I nailed this one tho :) It's a common call into MS.

Pardon my ignorance but how would I check the sys logs without being logged in?

Also, I will get back to you on this issue and let you know.

Are you sure it's going to work? Like I said, I plugged an external drive into this system and then unplugged it. Seems odd that would cause something like this.

Thanks again!

From regedit, file/connect network registry....enter '\\nameofbustedserver'.
 

Smilin

Originally posted by: Corbett
Originally posted by: Smilin
Yep, that's never bad advice.

I'll betcha mucho beer I nailed this one tho :) It's a common call into MS.

Pardon my ignorance but how would I check the sys logs without being logged in?

Also, I will get back to you on this issue and let you know.

Are you sure it's going to work? Like I said, I plugged an external drive into this system and then unplugged it. Seems odd that would cause something like this.

Thanks again!

Yep, positive. This is how it happens:
234048 How Windows 2000 Assigns, Reserves, and Stores Drive Letters
http://support.microsoft.com/default.aspx?scid=kb;EN-US;234048

To get logged on so you can fix mounted devices use method 3 from this KB (same thing I was saying earlier):
249321 Unable to log on if the boot partition drive letter has changed
http://support.microsoft.com/default.aspx?scid=kb;EN-US;249321

If you are a bit shaky on how to regedit and check system logs remotely you're probably a better candidate for fixing this per the KB rather than just whacking mounted devices altogether:
223188 How to restore the system/boot drive letter in Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223188

Both Regedit and Event Viewer can be used remotely from another computer. Like SoulAssassin said, just specify the busted computer with \\computername.

Good luck, let us know how it goes.
 

Corbett

Ok I am going back to the site where the server is located this afternoon. If this works I owe you big time!
 

Corbett

Well, unfortunately this did not solve the problem. I am going to try to do a repair install. Let me know if you have any other suggestions. It still logs me in and then right back out.
 

Smilin

Originally posted by: Corbett
Well, unfortunately this did not solve the problem. I am going to try to do a repair install. Let me know if you have any other suggestions. It still logs me in and then right back out.

Bummer. :( Check to see if userinit.exe got clobbered. Chkdsk as well.
 

Corbett

I will check. Also, it seems on the server at the logon screen, the shut down button is grayed out.
 

Corbett

Screw it. I'm running repair install right now. I will update this thread. If this doesn't fix it gotta reload from scratch. Thanks either way for all the good information. Good to know for future calls like this!
 

Smilin

Sorry I couldn't help more. Good luck with the repair!

FYI: that shutdown button being grayed out is normal. It defaults that way on servers unless you change the policy. Stops people from walking up and shutting down a server without credentials.
 

SoulAssassin

So what does the sys log say?

Open computer manager, right click on local computer, connect to remote machine and check the event logs. Also, just curious if you can login via RDP. I'm guessing no, but give it a try.
 

Corbett

Didn't check sys logs. Here is what I did:

Ran repair install on 2003 Server.
Noticed no anti-virus.
Installed Symantec 10.1 and SSC.
Rebooted and logged in fine.
Immediately Symantec finds about a ton of infected files.
W32.pinfi is the culprit.
Install Symantec on 10 other pcs in office.
Entire office is infected.

And they have only had the internet for 2 weeks there!
 

Corbett

Originally posted by: SoulAssassin
So what does the sys log say?

Open computer manager, right click on local computer, connect to remote machine and check the event logs. Also, just curious if you can login via RDP. I'm guessing no, but give it a try.

Sry, didn't try to check sys logs. However, I did try RDP and it logged me in then right back out.
 

Corbett

Yeah, 1 PC I had to completely reload. I believe it is where the virus originated from. Was getting popups galore. To teach them a lesson I shut off the internet completely on that machine.

After reading up on Symantec's site it seems like I just have to turn off system restore and run a scan in safe mode and that should take care of it. Will update when done tomorrow.