error message winnt\system32\config\system is corrupt


freshmeat

Junior Member
May 17, 2004
9
0
0
Sianath:
Sent you a PM, but i think i forgot to username-sign it...

Curious, is not being able to log in a typical (or default?) action when Win2k can't continue its boot process at that point?
Are there any boot logs that might indicate more specifically what the problem is, or what the offending files are?

RobS@.fm
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Just after your logon, userinit.exe is being called to begin loading your desktop. The most common cause of a 'returns to the logon screen' error is that userinit.exe cannot be found due to a drive letter change. The registry entry that shows where to load userinit.exe points to C:\windows\system32\userinit.exe. Winlogon (also located in system32) actually calls userinit. If your drive letter has reenumerated or changed, Winlogon can't find userinit.

If you have another computer on your network you can bring your damaged computer up, remotely connect to the registry and change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ! Userinit to say just "userinit.exe," instead of "C:\WINDOWS\system32\userinit.exe,". You should then be able to log onto the damaged machine.

This is the most common cause of that problem but not the only one. An error about your pagefile (which has also been misplaced in a drive letter change) is usually seen if this is the cause.

Other causes include lsass errors or mismatched files due to incomplete updates or filesystem damage (likely if you've been having corrupt system errors as well).

Getting your files "level" so that they match can solve this as well. Rolling back a recent update or service pack will use a matched set of files from an $NTUninstall folder.

I believe Sianath is putting a batch file together for you that will essentially re-service pack your computer using the servicepackfiles from the recovery console. This should get your files 'level' again.
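
An added example, not part of the post above: a check of a Winlogon Userinit value (read however you like, for instance over remote registry) against the system root the machine actually boots from. The function name, verdict labels and sample values are assumptions made for illustration.

```python
import ntpath

# Constructed sample values: the stored string from the post, and two possible
# system roots for the machine after a drive-letter change.
STORED = "C:\\WINDOWS\\system32\\userinit.exe,"
BARE = "userinit.exe,"


def check_userinit(value, system_root):
    """Classify each comma-separated entry of a Winlogon Userinit value."""
    want = ntpath.normcase(ntpath.join(system_root, "system32"))
    want_tail = ntpath.splitdrive(want)[1]
    results = []
    for entry in (e.strip().strip('"') for e in value.split(",")):
        if not entry:
            continue  # the stored value ends with a trailing comma
        folder = ntpath.normcase(ntpath.dirname(entry))
        if not folder:
            verdict = "bare-name"              # no drive letter to go stale
        elif folder == want:
            verdict = "ok"                     # absolute path matches the system root
        elif ntpath.splitdrive(folder)[1] == want_tail:
            verdict = "drive-letter-mismatch"  # same folder, different drive letter
        else:
            verdict = "other-location"         # not under <system root>\system32
        results.append((entry, verdict))
    return results


if __name__ == "__main__":
    for root in ("C:\\WINDOWS", "D:\\WINDOWS"):
        print(root, check_userinit(STORED, root))
    print(check_userinit(BARE, "D:\\WINDOWS"))
```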
 

freshmeat

Junior Member
May 17, 2004
9
0
0
Smilin:
Is there a log file that userinit writes to indicating what it has done?


Sianath:
Got the batch file, thanks very much for taking the time to build it!
Tried it. Output log indicated several files not found:

Copying to backup directory - files not found:
dt_ctrl.dll
fcachdll.dll
rwnh.dll
smtpapi.dll
smtpctrs.dll

Deleting from \system32 - 7 different files not found (can't tell which ones tho).
Also: g:\winnt\system32\dtcsetup.exe - Access is denied.

Copying to \system32 - files not found:
dt_ctrl.dll
fcachdll.dll
msjetoledb40.dll
rwnh.dll
smtpapi.dll
smtpctrs.dll
xenroll.dll

Exit, reboot. Login:
Same problem.

Hrumph.

Somehow, there must be a way to track down more specifically what the problem is.

I'm almost beginning to consider that the problem may not be the WinUpdate after all, but i don't remember doing anything else to the system while waiting for the updates to download.
(Heaven forbid it should end up being a stupid Administrator issue! :-O )
 

Sianath

Senior member
Sep 1, 2001
437
0
0
If you enable boot logging, we create a log file called ntbtlog.txt in the \winnt folder. It's pulled from the registry and committed to file by smss.exe, so if you are reaching the login screen it should be there.

You can also try remotely viewing the event log files for this machine to see what errors are being logged during your login attempt. I'm assuming you are attempting login with the local admin account as well, right?

Check the drive letter paths like Smilin suggested using remote registry if you can get to the login prompt as well. Look and see if that's wrong before you change any paths for critical boot-time processes like userinit.exe.

If you aren't sure everything is ok in the registry, you can always boot to the recovery console and then create a copy of your system hive (winnt\system32\config.... type COPY SYSTEM SYSTEM.BAK) and then boot back to the login prompt. Once at the login prompt, you can connect from another machine to the default share for the root drive ( driveletter$, ex. c$) and copy the system.bak file to the good working machine and either myself or Smilin can take a look at it.
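
An added example, not part of the post above: a reader for a copy of ntbtlog.txt that splits it into boots and lists the drivers the most recent boot reported as not loaded. The sample log is constructed, and its header layout, driver names and UTF-16 encoding are assumptions.

```python
import re

# Constructed sample in the style of \winnt\ntbtlog.txt. Header layout and
# driver names are illustrative assumptions, not taken from the thread.
SAMPLE = (
    "Microsoft (R) Windows 2000 (R) Version 5.0 (Build 2195)\r\n"
    " 5 17 2004 09:12:44.500\r\n"
    "Loaded driver \\WINNT\\System32\\ntoskrnl.exe\r\n"
    "Did not load driver \\SystemRoot\\System32\\Drivers\\example1.sys\r\n"
    "Microsoft (R) Windows 2000 (R) Version 5.0 (Build 2195)\r\n"
    " 5 18 2004 20:03:10.250\r\n"
    "Loaded driver \\WINNT\\System32\\ntoskrnl.exe\r\n"
    "Did not load driver \\SystemRoot\\System32\\Drivers\\example2.sys\r\n"
    "Did not load driver \\SystemRoot\\System32\\Drivers\\example2.sys\r\n"
).encode("utf-16")  # assumption: the log is UTF-16 with a byte-order mark

ENTRY = re.compile(r"^(Loaded|Did not load) driver\s+(.+)$", re.IGNORECASE)


def decode_log(raw):
    """Honour a UTF-16 byte-order mark; otherwise fall back to an ANSI code page."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def boot_sessions(raw):
    """Split the log into one dict per boot: header lines, loaded and failed drivers."""
    sessions = []
    for line in filter(None, (l.strip() for l in decode_log(raw).splitlines())):
        m = ENTRY.match(line)
        # A non-driver line that follows driver entries starts the next boot.
        if not sessions or (not m and (sessions[-1]["loaded"] or sessions[-1]["failed"])):
            sessions.append({"header": [], "loaded": [], "failed": []})
        cur = sessions[-1]
        if not m:
            cur["header"].append(line)
            continue
        bucket = cur["loaded" if m.group(1).lower() == "loaded" else "failed"]
        if m.group(2) not in bucket:  # the same driver can be logged repeatedly
            bucket.append(m.group(2))
    return sessions


def last_boot_failures(raw):
    """Drivers the most recent boot reported as not loaded."""
    sessions = boot_sessions(raw)
    return sessions[-1]["failed"] if sessions else []
```

Comparing the result against the same list from a known-good boot of a similar machine separates optional drivers that never load from ones that stopped loading.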
 

freshmeat

Junior Member
May 17, 2004
9
0
0
Hallo again,
Sorry for the hiatus, i was gone for the weekend.

My Win2k machine is dual boot, so i just copied the system hive to the other drive.
Do you want to see it (attached to a PM)?

Is there a utility i can use to check it?

Thanks again for all your help. Hopefully we will be successful by the time we are done...
 

freshmeat

Junior Member
May 17, 2004
9
0
0
Hullo Smilin,

I pasted the zip file there some days ago and sent you a PM at the same time...
Have you looked at it yet?
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Yes, check your email. I sent you a repaired copy of your hive back.

Your system event log file is corrupt. You should delete it from recovery console or your other install. It will recreate cleanly on boot.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
I used an internal version of a utility called chkreg.

In your case this may have been unnecessary. The XP & 2003 version of regedit has the ability to correct minor corruption. I didn't find any corruption when I ran chkreg after using the XP regedit to load the hive.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,571
10,207
126
Originally posted by: Smilin
I used an internal version of a utility called chkreg.

In your case this may have been unnecessary. The XP & 2003 version of regedit has the ability to correct minor corruption. I didn't find any corruption when I ran chkreg after using the XP regedit to load the hive.

Just curious, do you think that MS will ever make that tool available to end-users? The reason I ask is, I recently (well, about 2.5 months ago) had a similar issue with a corrupt SYSTEM registry hive in W2K. I downloaded MS's W2K registry-repair tool, that runs from a modified set of WinXP Pro install floppies.

Unfortunately, that tool claimed to repair the registry, but didn't seem to actually do that much. W2K still couldn't load. I tried "repairing" both the SYSTEM and the SYSTEM.ALT hives, but no-go on either of them. I managed to get my system running again by restoring a 6-month old copy of my SYSTEM registry hive from a backup. (Backups are a Good Thing. :) )

The only reason I ask is, I've used the registry-repair tool that is built into Win98se many times on client's systems to fix problems, and it has never failed to work. I was rather surprised the W2K didn't ship with such a tool, but pleased to find out that MS offered one for download. But I was again a bit surprised, that it apparently didn't work. If they have a newer version that works better, it would seem prudent to offer that version to end-users.

Do you think that it would be wise (or possible), to install the WinXP/W2K3 version of REGEDIT.EXE into a W2K installation, purely for repair purposes? Or do you need to be booted into WinXP to use it? (possible OS version dependencies?)

PS. Thanks for the detailed explanation of the failure-mode that can occur when userinit.exe fails. I learned that the hard way when Ghosting over an installed OS, and leaving the "old" disk present on the system while booting the "new" disk, as Windows has sticky drive-letter mappings, and will continue to use the "old" disk for some things. If the "new" disk was booted, even once, with the "old" disk also present, then subsequently booting with the "old" disk removed from the system, tends to result in the failure mode you described. I just never knew what exactly was going on behind-the-scenes when that happened.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
The version of chkreg you downloaded is the only one we have available to the public. *IF* a hive can be repaired this should do the trick. Sometimes the damage simply can't be repaired. The internal version of this utility is just a standalone executable and adds a few other features that we use (registry compression, exports etc..) but it doesn't have any additional repair capability. The registry compression feature would be nice to make available but the usefulness of compression is gone starting with 2003. Its ntldr can do about a 64 meg system hive. If you get that big it's usually due to some app going bonzo with adding bogus registry entries rather than excessive whitespace.

I think I may have run an XP/2003 version of regedit on 2000 before but I honestly can't remember. If you want to give it a try and it fails to run it should be otherwise harmless.


If you guys pick up anything from this thread, let it be this:

Under 2000 run NTBackup, select tools, select create an emergency repair disk, check the box to also backup the registry. Actually providing the floppy or not I leave up to you. The important part is that check box since it populates your repair\regback folder with a current copy of your registry.

Under XP make frequent system restore points. This will ensure there is a backup of your registry located in System Volume Information\_restore{ugly guid}\RP???\snapshot


It takes all of 20 seconds to do either of the above and it will make your system twice as recoverable for a whole stack of potential problems.

Kudos to VirtualLarry for keeping good backups. So many people suck at that.
 

freshmeat

Junior Member
May 17, 2004
9
0
0
Sad news: still no boot.

In fact, after entering name and password at the login screen the system does its thing for about 30 seconds or so and then forces a machine hard reset.


Any other options? thoughts?

Is there a way to tell if it is a registry issue or a file system issue?


If worse comes to worst, i have no qualms doing a complete reinstall, since it's not a business-critical machine or anything like that... in fact, it's been sitting unused for several months, until recently, when i had thoughts of getting it online.
But i'd much rather not reinstall, partly for the sake of avoiding reinstalling all the apps and system tweaks and such, but moreso for the sake of taking this opportunity to learn how to fix this sort of thing, and find out a lot about the system in the process.
There are some things that you just can't find in the MCSE study guides. Funny, that...
 

Wdurr

Junior Member
Aug 24, 2004
1
0
0
Hello,

I am new to this but have gotten lots of great information already. I am having this same issue but it is the software hive in question. I installed a second copy of XP home in a different folder (windows2) and I am not able to get to the recovery console. I ran a chkdsk /r on the system (doing it now) and I see it is checking or recovering. My question is: will it repair my problem, or will I have other steps to go?

Thanks in advance.
 

Sianath

Senior member
Sep 1, 2001
437
0
0
If you can't get into the recovery console, it's usually one of two issues. Either physical (or file system) corruption on the disk preventing us from finding the installation, or you have a disk that requires that you provide drivers to boot (SCSI drives, or the SATA drives that seem to be becoming more popular).

If the chkdsk is finding errors, that's not good. Hopefully they are errors we can fix. When it's done, run it one more time (you want to be able to run clean through without errors detected) then try and boot. If the problem is physical, chkdsk won't be able to fix that for you.

:(
 

conjur

No Lifer
Jun 7, 2001
58,686
3
0
Had this happen to me at a client site on Mon. Ended up reinstalling XP to a new folder but then, upon a subsequent reboot, got a dreaded "Error reading disk" message. Damn old IBM PCs. :frown:
 

substance12

Senior member
Nov 6, 2000
633
0
71
Originally posted by: conjur
Had this happen to me at a client site on Mon. Ended up reinstalling XP to a new folder but then, upon a subsequent reboot, got a dreaded "Error reading disk" message. Damn old IBM PCs. :frown:

I've had 2 friends... one with XP Pro SP2 and one with XP Home Ed that both had this issue. Is this common with old IBM PCs? Or IBM compatibles?
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Originally posted by: substance12
Originally posted by: conjur
Had this happen to me at a client site on Mon. Ended up reinstalling XP to a new folder but then, upon a subsequent reboot, got a dreaded "Error reading disk" message. Damn old IBM PCs. :frown:

I've had 2 friends... one with XP Pro SP2 and one with XP Home Ed that both had this issue. Is this common with old IBM PCs? Or IBM compatibles?

Not more so than any other PC that I'm aware of. IBM did have the dreaded "deathstar" hard drives with a reliability issue. You could be bumping into that I suppose.

Edit: Man, we need to strip this thread down a bit and make a sticky out of it. Lots o good info in here that's a pain to repeat.
 

perrociego

Junior Member
Oct 16, 2004
3
0
0
Something like this is happening to me.
I think the problem is in the Ntdetect.com and Ntldr files. Windows XP SP1 installs new ones that don't work with Windows 2000; the old (Windows 2000) ones don't work with XP SP1 either.

Windows 2000:
Ntdetect.com 34,468 bytes 15.12.1999 (d.m.y)
Ntldr 215,024 bytes 15.12.1999

Windows XP:
Ntdetect.com 47,580 bytes 28.08.2002
Ntldr 234,752 bytes 29.08.2002

So, I copy the ones I need and reboot. Until I find a real solution.

 

rikerisle

Junior Member
Dec 16, 2004
1
0
0
Listening and learning a lot. I'm new to getting this in-depth. I wanted to know if it was possible to:
A. go to recovery console, rename the hive files (system and software)
B. copy the repair versions from the repair folder
C. If system boots, run regedit and attempt to import/repair from the renamed/saved files.

I have this issue on my home system, and have seen it here at work. For the work systems, it was more time and cost effective to just reimage the machine, but my home system is a different matter. I have about 70-80 programs installed and would hate to lose the settings.

Any help would be greatly appreciated, and I will keep reading the replies. Have a nice day.
 

mobius72nb

Junior Member
Dec 19, 2004
1
0
0
Hello all

I have this problem on one of my copies of win2k (running 2 win2ks on a dual boot)

I noticed that freshmeat just copied the system hive to the other drive.

Can someone tell me what files I should copy from the good system to the corrupt system so I can just get it to load. Not worried about loss of data on this system as it is just the kids' system and I just need it up and running so they will not keep pestering me to use my work system.

I have gone through the winstart up but as I do not want to risk anything going wrong and losing data on my work system I always chicken out :eek: (not really any good with all this command prompt stuff) before I get to the fixing bit.

Cheers guys

All help will be appreciated



 

Whizzy

Senior member
Oct 11, 1999
258
0
0
Originally posted by: Smilin
the solution...

Smilin i thank you forever !! ;) i just had this exact same problem on my windows machine and i couldn't figure out for the life of me how to fix this.

Now it's booting again !! i'm still missing some configuration stuff but at least i didn't lose a whole 200GB disk !

THX !
 

h2

Member
Dec 25, 2004
42
0
0
First of all, huge congratulations to perrociego for being the only one to have correctly read cmyk's original posting. I had this exact same issue happen tonight, dual boot w2k/xp. Upgraded xp to sp 2 and w2k wouldn't boot. Same error message as cmyk originally posted. No way this was hive corruption, the problem is exactly what perrociego posted, xp sp 2 is creating incompatible ntldr and ntdetect.com, but it's a very specific incompatibility, on my system I have w2k sp4 running as main os, that's the one that got the start up error after I installed xp sp2, but a simple test w2k sp 1 or 2 that I also have installed booted fine.

When I reverted back to the xp standard, no sp ntldr and ntdetect.com files which I have saved elsewhere everything booted fine, including xp sp 2, which makes one wonder just what and why MS decided to change what didn't need to be changed.

For everyone reading this thread who has had this exact issue and started messing with your hives, I'm very sorry, when people make simple problems complex it doesn't help anyone. The hive repair guy I take it works for ms, and I guess also has a hard time admitting ms messed up. Typical.

Anyway, thanks to perrociego for the actual solution to the originally posted problem.