Windows could not start... windows/system32/config/system is corrupt or missing

bob4432

Lifer
Sep 6, 2003
11,726
45
91
i will backup the hdd before i do anything but the problem i have is that it is asking me for the original install disc which was xphome and the only install disc i have is xppro. will the repair function work correctly from a xppro disc on a xphome install?
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0

A repair is not the first option you want to perform for this particular error.

If you are simply trying to get to the recovery console (as you should be) then yes, an XP pro disc will work fine. You can also use any version of 2000 or 2003 to reach recovery console in XP as well.

This KB article covers exactly what you need to do to fix this problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307545
 

DennyD

Senior member
Oct 29, 2004
224
0
0
Here is a cleaner version of the 307575 article:

Boot into recovery console

Go to the C:\windows\system32\config> prompt

Type the following commands:
ren system system.old
ren software software.old
ren default default.old
ren security security.old
ren sam sam.old

===========================================
Then do the following steps
Type: copy c:\windows\repair\system
(Hit your UP arrow and the last command you typed will appear at the prompt)

Delete "system" and then type "software"
Do the above steps for "default," "security," and "sam."

Type "Exit" then press "Enter."

Upon reboot, start pressing "F8" to get the advanced options
menu. Choose "Safe Mode." Log in as Administrator.

While in safe mode go into Windows Explorer:
Start-> All Programs-> Accessories-> Windows Explorer

On the Toolbar go to Tools and then Folder Options, then go to the View tab.

Put a check in show hidden files and folders
Also take the checks out of:
Hide extensions for known file types
Hide protected operating system files

Go to the Windows directory on c:\ and make a directory
called "tmp" without quotations.

Then click on "Local Disk C:"

There you will see the System Volume Information folder. Within that folder you will see two folders like this:
"_restore{87bd3667-3246-476b-923f-f86e30b3e7f8}"
Click on either one

IF YOU CANNOT ENTER THE FOLDER (ACCESS DENIED)
Start -> Run -> CMD Press Enter
On the root of the C drive type the following, including the quotes.

cacls "c:\System Volume Information" /E /G administrator:F

This is assuming the windows installation is on the C drive.


Then you will see folders listed RP1, RP2, RP3 etc. Click on any one.
In there you will see a Snapshot folder. Click on it

Then you will see the following keys:

- _registry_user_.default> rename to default
- _registry_machine_security> rename to security
- _registry_machine_software> rename to software
- _registry_machine_system> rename to system
- _registry_machine_sam> rename to sam

Highlight all five and right click copy, and then paste them into the "tmp" folder that you made in the windows directory.

Boot back into recovery console and go to the following prompt: c:\windows\system32\config>

Type the following commands

Del system
Del software
Del default
Del sam
Del security

Then the following from the same prompt
copy c:\windows\tmp\system

Press your Up arrow. Delete "system" and then type "software"
Do the above steps for "default," "sam," and "security."

Exit, then reboot back into Windows.

Everything should be like it was before the error occurred.
 

bob4432


thanks :)

this is not my machine but a friend's so i believe there is a virus. i put the hdd in one of my machines as a slave because i was going to ghost it just in case things went south and man, my machine would not startup and about 100 spyware were installed. i did run a virus check and all seemed ok, keeping fingers crossed. i do have norton system works 2005 and was wondering if i booted up with that is that a good way to check for viruses? i have never used that option and want to be really careful because i won't have a ghost of the image...

thanks in advance
 

Smilin

This is not typically virus related.

NTLDR is unable to load the HKLM\System portion of your registry into memory. The file c:\windows\system32\config\system is the file it is attempting to load.

The reason it cannot load this is either it is too large (approx >10.5mb) or the file has become corrupted. In about 1 in 4 times a chkdsk /p from recovery console will fix this right away. If not, follow the KB.

If you are able to mount this drive as a secondary drive it makes the process much easier. Just perform the steps outlined with explorer rather than all the command lines.
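
A read-only header check for a copy of `config\system` taken from a drive mounted as secondary or from a Ghost image, added here as an example and not part of the thread. It validates the `regf` base block (signature, sequence numbers, XOR checksum, declared size); the 10.5 MB threshold is the approximate figure quoted in the post above, and the sample hive is constructed.

```python
import struct
import sys

BASE_BLOCK_SIZE = 4096   # the "regf" base block is the first 4 KiB of a hive file
CHECKSUM_OFFSET = 0x1FC  # XOR-32 checksum over the 508 bytes that precede it
BINS_SIZE_OFFSET = 0x28  # declared total size of the hive bins that follow
SIZE_WARN_BYTES = int(10.5 * 1024 * 1024)  # approximate limit quoted in the thread


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 127 little-endian dwords of the base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        csum ^= dword
    # The format reserves the two extreme values.
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def check_hive(data: bytes) -> list:
    """Return the problems found; an empty list means the header looks sane."""
    if len(data) < BASE_BLOCK_SIZE:
        return ["file shorter than the 4096-byte base block (truncated)"]
    if data[:4] != b"regf":
        return ["missing 'regf' signature"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (hive was not cleanly written)")
    (stored,) = struct.unpack_from("<I", data, CHECKSUM_OFFSET)
    if stored != regf_checksum(data):
        problems.append("base block checksum mismatch")
    (bins_size,) = struct.unpack_from("<I", data, BINS_SIZE_OFFSET)
    if BASE_BLOCK_SIZE + bins_size > len(data):
        problems.append("hive bins extend past end of file (truncated)")
    elif bins_size and data[0x1000:0x1004] != b"hbin":
        problems.append("first hive bin lacks 'hbin' signature")
    if len(data) > SIZE_WARN_BYTES:
        problems.append("file is larger than about 10.5 MB")
    return problems


def build_sample_hive() -> bytes:
    """Constructed sample: a well-formed base block plus one empty hive bin."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 4, 7, 7)              # matching sequence numbers
    struct.pack_into("<I", block, BINS_SIZE_OFFSET, 4096)
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    hbin = bytearray(4096)
    hbin[0:4] = b"hbin"
    return bytes(block + hbin)


if __name__ == "__main__":
    # Pass the path to a COPY of the hive; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_hive()
    findings = check_hive(blob)
    print("\n".join(findings) if findings else "header looks sane")
```

A clean result only means the header is consistent; damage deeper inside the hive bins is not detected by this check.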
 

bob4432

putting that one hdd in my machine seems to have nuked it, now i need to do a system restore.....f*cking things. why does the system file get so big?
 

Smilin

Adding that drive to your machine should not have nuked it provided you didn't goof up the boot order or put two masters on a single ide channel or something.

If it's popping you back to the logon screen then a drive letter shift has occurred - this is correctable without any sort of restore.


The system file should not get over 10.5megs under normal circumstances. A badly written app or driver can do some things to cause this but it's not something that normally happens. A system hive size of 2.5-6 megs is pretty typical.

Have you performed the steps in that KB to fix the corrupt system hive?
What new problem are you seeing now?

 

bob4432

i have not messed with the really screwed up machine yet, i am trying to get mine working as it should. i did not put 2 masters and mine boots up after i chose "use last working config" in the startup. before i put that other hdd in mine it was working like a dream, any other ideas? it does not put me to a login screen, it just runs very slow and won't let me install either system works 2k3 or 2k5....i uninstalled 2k3 to see if 2k5 would fix it and no luck as i cannot install it...
 

Smilin


Sorry man, but you're confusing the living sh1t out of me, no offense I hope :p

To be clear, we are no longer troubleshooting:
1) missing or corrupt windows/system32/config/system error.

We are now troubleshooting:
2) your system which boots slowly and will not let you install antivirus?


If #1, then to keep things clear put just that drive in the system, confirm it boots to the config/system error then follow the KB to troubleshoot.

If #2, then boot to safemode and see how it behaves. Still perform slowly or is it responsive now? Can you install antivirus of either version? If so, can you get to safemode with networking and get updated defs for a scan?



 

bob4432

no probs, sorry about confusing you ;(

#1 is still a problem and i will work on that tonight

#2 i have system work 2k3 installed now, will try to upgrade to 2k5.....

i do some troubleshooting for friends and it seems like in the last month or two either i have lost all of my skill or the spyware/viruses are getting worse. maybe a combination of both... in the last 10 years i have only not been able to overcome difficulties on 3 machines out of probably 100 friends and 20 of mine and these 3 have been in the last month... :( :( :( very frustrating
 

Smilin



That #1 is a pretty straightforward fix. As long as nobody had the bright idea to disable system restore points it should work perfect.

For your #2, do a scan with good virus defs, leverage the MSConfig utility to kill any startup items or non-ms startup services that could be causing problems. MS's anti-spyware program is pretty good so give that a shot. For any anti-spyware product make sure you can rollback unwanted changes.
 

bob4432

damn, now #2 is not working, bsod and reboot....can't even read the error message. do you think i should i try the xp repair?

definitely not my day :(
 

bob4432

damn, i am pulling my hair out..... :(

i think i will just put in my ghost backup on my machine and not worry about it :( i will only lose about 10 days worth of work.....
 

bob4432

i just found out from the owners that the machine with problem #1 has been used to d/l music with programs like morpheus, limewire, kazaa...... PEOPLE..... f*ck!!!
 

bob4432

sh!t, even after the ghost file recovery my machine still has a bsod loop......f*ck........what do you think it is? memory? hdd?
 

Smilin

Ooof. Man, knowing the error code is half the battle.

If you're running service pack 2 there is an option in your F8 boot menu to stop the reboot following the blue screen so you can see what's up. Otherwise you'll need to get at that failing machine's registry to stop the reboot with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl ! AutoReboot = 0

You can get at the registry with either a parallel install or a Bart's PE bootdisk. Bart's is definitely faster, but a parallel install (that in turn fails) will tell you with 100% certainty if you have an OS/Software problem or a hardware problem.

It's a longshot, but any luck with a safemode reboot?
Does a chkdsk /p at recovery console report any errors?

For your friend's error #1 config/system thing it's likely unrelated to spyware or viruses. Kazaa and the like are definitely a breeding ground for that stuff so there is always the possibility that they have that problem as well (two for one, yay!!!)


 

bob4432

thanks for all the help :) safemode and all the other options under f8 do the same thing. this is really buggin me :( just for sh!ts and giggles i am putting mandrake 10 on mine really quick and will run memtest too, if both of those work i would assume that it is not hardware related. i wonder why when i put the ghost image back on it didn't fix the problem?? any ideas because that image was taken when the machine was working nicely.

if hardware is ok, i guess i will just put a clean install of 2k on it. sucks though because that machine was my "server" machine and had apache/php/mysql nicely configured. at least my system drive is only 9GB so most of the other stuff is on a separate drive that i hope is not f*cked up too.... i guess i can still get the apache conf from the ghost image...
 

Smilin

While you're using ghost explorer to grab your conf files, snag a copy of windows\system32\config\system off of there. Open the file up with regedit (see regedit helpfiles on "load hive" for details) and edit that autoreboot key I mentioned earlier.

Unload the hive (closing regedit does NOT do this automatically) and slip the system file back into the image with ghost explorer. If you're feeling froggy someday you can drop the image on again and it will at least tell you what the STOP code is. Could be something goofy like a Stop 7B from updating your mass storage firmware since the image was taken. Always tough to troubleshoot a bugcheck when you don't even know what it is.
 

bob4432

i was able to get to f8 and had it halt and reboot. the problem code is stop:0x00000007b...
 

bob4432

decided to go ahead and put win2kpro on the #2 problem.

still have the #1 problem and am afraid to put it in another machine to backup the drive since this fiasco...how safe are DennyD's instructions?
 

Smilin

I didn't read DennyD's instructions. They are simply an extract from that KB article I mentioned way up there. It's pretty straightforward stuff and should work fine.

As an added bonus: Familiarize yourself with the KB. If you find you don't have a good copy of your system hive in the 'system volume information' folder due to disabled restore points, then just use a windows\repair copy of the hive long enough to get booting then zip up and email me the damaged hive. I've still got some of my tools from MS and there is a good chance I can repair that hive for you (provided it's not truncated in half or something horrible).

For your Stop 7B. If you want to work it, I'll help you out. Just so happens I'm the Jedi Master of Stop 0x0000007Bs (not humble about it either). Send me a PM with your email address. If you have a way to get that system hive off the Stop 7B machine and send it to me it will help greatly. Even if you don't feel like working the problem I would love to take a look at that system hive anyway. I get a kick out of fixing stop 7Bs and I don't get to do it much since I left MS.

When the Stop 7B is occurring will give a huge clue as to what is causing it. If it happens before you see any of the splash screen progress bar there is a good chance the mass storage controller driver is failing to load (or the wrong one is loading). Minor drive corruption can cause this on occasion - recovery console plus a chkdsk is always a good starting point. BTW, are you IDE, SCSI, SATA or what? If you are seeing the progress bar get somewhere (say 3/4 of a load) then you're probably getting a start type 0x0 driver or filter driver trying to load that is bunk. A hypothetical example would be a filter driver for some CD burning software and you've since changed CD burners so it's no longer valid.

All that aside, it sounds like you at least have a functional computer at this point so I hope your stress level has dropped! :D
 

bob4432

thanks for the info. i still have the ghost files for the #2 problem and if you tell me where i can get the hive i will get it to you. basically what happened is when i put that other hdd in as a slave of the master ide channel all things went to hell. what was then the good computer would not fully startup and would not recognize the drive in windows but would in the bios. the bios recognized it as the master channel slave, which it was. when i took it out i ran ad-aware and found about 100 files and there were maybe 5 there before. at this point the "bad" drive was out and my cd-rom which is the slave on the slave channel would not show up all the time. that particular machine was basically just a server machine that shared a printer and ran a couple of websites, and held ghost images for my other machines so it was only rebooted every sat or so. all pata running on a nforce 2 ultra board. nothing fancy, but it was reliable.

could you explain to me why putting the ghost image back on didn't fix the issue? should i have zero filled the drive and then put it back on? in the past when i have had an issue, i would just put the ghost image back on and all is good, this time it failed.

as far as software, there was a change with system works and sometimes it would install then it would not so maybe that screwed it up. this may have been what did it in.

when starting i would see just a flash of the blue progress bar screen then the bsod. when i say just a flash i mean 1/30 or 1/60th of a second.

since i have put 2k back on it, it is running ok so far, i just need to get apache/php/mysql and the different sites reconfigured...
 

Smilin

Originally posted by: bob4432
thanks for the info. i still have the ghost files for the #2 problem and if you tell me where i can get the hive i will get it to you.
It is the file \windows\system32\config\system (no extension). It's the same file that's corrupted on that other machine.

snip ... all pata running on a nforce 2 ultra board. nothing fancy, but it was reliable.

could you explain to me why putting the ghost image back on didn't fix the issue? should i have zero filled the drive and then put it back on? in the past when i have had an issue, i would just put the ghost image back on and all is good, this time it failed.

as far as software, there was a change with system works and sometimes it would install then it would not so maybe that screwed it up. this may have been what did it in.

when starting i would see just a flash of the blue progress bar screen then the bsod. when i say just a flash i mean 1/30 or 1/60th of a second.

since i have put 2k back on it, it is running ok so far, i just need to get apache/php/mysql and the different sites reconfigured...

If you are seeing just a small bit of progress bar it typically means either 1) Bad controller driver, or 2) some corruption. If it crashes after a few seconds it's typically a filter driver. Since you're running simple pata the bad controller driver ain't it so...I would say it's likely just some corruption. The image may have simply not gone down cleanly. This is fairly common and that's why symantec has ghost always initiate a chkdsk during the first boot following an image. So for now I think simply redoing that image might work just fine! Do a full disk image though, not just the partition (if you weren't already).

This is just an educated guess for now based on the symptoms. Zip up and send that hive to me and I'll go through all your Start 0x0 (boot) services to make sure something isn't goofy in there. I'll PM you my email addy and take a look at it this weekend.

 

bob4432

i did run chkdsk /p and it said no errors or.

how would i go about getting the hive?