Advanced Registry Problem

Guest

I'm a fairly advanced computer tech.

I have a problem PC (WinXP SP2 MCE, SU2) where the RPC service refuses to
start. The reason is "Access Denied". Using REG.EXE or Regedit, I can not
view the owner of this service key, nor can I set any permissions. I can not
delete, rename, modify, take ownership... anything. As a result, the RPC
service fails to load and everything that depends on it fails.

I have done the following...

I have disabled any third party drivers and software that start up with the
PC.
Checked for rootkits using an out of box comparison of file data
Checked for any unknown startup entries (Autoruns) while in Safe Mode
Verified using multiple AntiViruses that nothing loaded was known to be
malicious
Used multiple Anti-rootkit tools to look for hidden registry entries by
parsing raw NTFS reads of registry hives.
I have used SecEdit to reset security to installation defaults.

The questions are...

Which forum would I get the best help from on solving this issue?
Has anyone seen or heard of this happening before and know what caused it to
happen?
Does anyone know the best way to repair this problem? (preferably without a
reinstall)
 
Dave Patrick

Try replacing the system hive with a known good backup from the recovery
console.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I'm a fairly advanced computer tech.
|
| I have a problem PC (WinXP SP2 MCE, SU2) where the RPC service refuses to
| start. The reason is "Access Denied". Using REG.EXE or Regedit, I can not
| view the owner of this service key, nor can I set any permissions. I can not
| delete, rename, modify, take ownership... anything. As a result, the RPC
| service fails to load and everything that depends on it fails.
|
| I have done the following...
|
| I have disabled any third party drivers and software that start up with the
| PC.
| Checked for rootkits using an out of box comparison of file data
| Checked for any unknown startup entries (Autoruns) while in Safe Mode
| Verified using multiple AntiViruses that nothing loaded was known to be
| malicious
| Used multiple Anti-rootkit tools to look for hidden registry entries by
| parsing raw NTFS reads of registry hives.
| I have used SecEdit to reset security to installation defaults.
|
| The questions are...
|
| Which forum would I get the best help from on solving this issue?
| Has anyone seen or heard of this happening before and know what caused it to
| happen?
| Does anyone know the best way to repair this problem? (preferably without a
| reinstall)
 
Guest

Where would I find a recent backup system hive?

The system has had the problem for a few days now and it's been restarted
multiple times since the problem first occurred.

I am guessing System Restore might have some backups, but I am unfamiliar
with its layout.
 
Dave Patrick

This article may help.

http://support.microsoft.com/?kbid=307545

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Where would I find a recent backup system hive?
|
| The system has had the problem for a few days now and it's been restarted
| multiple times since the problem first occurred.
|
| I am guessing System Restore might have some backups, but I am unfamiliar
| with its layout.
 
Guest

Thank you very much. This article seems to have the information I need to
repair this problem. However, I still have 1 question left unanswered.

Has anyone seen or heard of this happening before and know what caused it to
happen in the first place?
 
Dave Patrick

You're welcome. It's most likely one of three possibilities. The disk is
failing, the file system is damaged or the machine suffers from virus or
other malware.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thank you very much. This article seems to have the information I need to
| repair this problem. However, I still have 1 question left unanswered.
|
| Has anyone seen or heard of this happening before and know what caused it to
| happen in the first place?
 
Sharon Franks

I have seen it before and it was a profile issue: the current profile with
admin rights somehow became corrupted. I created a new user, manually
copied the profile, then deleted the old profile. It worked. As for the
cause, I really never found out.

--

Sharon Franks
MCC group
Microsoft Certified Solutions Developer (MCSD)
Microsoft Certified Trainer (MCT).



secured2k said:
Thank you very much. This article seems to have the information I need to
repair this problem. However, I still have 1 question left unanswered.

Has anyone seen or heard of this happening before and know what caused it to
happen in the first place?

Dave Patrick said:
This article may help.

http://support.microsoft.com/?kbid=307545

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Where would I find a recent backup system hive?
|
| The system has had the problem for a few days now and it's been restarted
| multiple times since the problem first occurred.
|
| I am guessing System Restore might have some backups, but I am unfamiliar
| with its layout.
 
Guest

I forgot to add this, but creating and using different profiles was one of
the first things I did.

I have to come to the conclusion that this is a freak error caused by
[something] that damaged one really important key in the system registry hive.

The owner of the machine claims he left the system on and auto updating,
only to come back one day with SpySweeper trying to do [something] and ever
since then, the system would not function properly.

Now, does anyone know if SpySweeper has some methods of directly editing the
hard disk or registry hives to a point where an error could be caused?


Sharon Franks said:
I have seen it before and it was a profile issue: the current profile with
admin rights somehow became corrupted. I created a new user, manually
copied the profile, then deleted the old profile. It worked. As for the
cause, I really never found out.

--

Sharon Franks
MCC group
Microsoft Certified Solutions Developer (MCSD)
Microsoft Certified Trainer (MCT).



secured2k said:
Thank you very much. This article seems to have the information I need to
repair this problem. However, I still have 1 question left unanswered.

Has anyone seen or heard of this happening before and know what caused it to
happen in the first place?

Dave Patrick said:
This article may help.

http://support.microsoft.com/?kbid=307545

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Where would I find a recent backup system hive?
|
| The system has had the problem for a few days now and it's been restarted
| multiple times since the problem first occurred.
|
| I am guessing System Restore might have some backups, but I am unfamiliar
| with its layout.
 
jashburn13

Had the same problem after trying to upgrade from IE Beta 7 to IE RC1
which pretty much destroyed my computer and would not let me reinstall
XP. This is from an email I got from Microsoft. This should reset all
permissions in the registry. It worked for me.

1. Download subinacl.msi from the following link and save the
installation patch on the Desktop:

http://www.microsoft.com/downloads/...ed6985e3927b&displaylang=en#AffinityDownloads

2. Go to the Desktop and double click the downloaded file to install
it.
3. Select C:\Windows\System32 as the Destination Folder during the
Installation (Note: We assume C:\ is the system partition). Later we
will use this tool to reset the permission settings on the current
Machine.

Step 2:
-------
1. Click Start, Run, type: notepad C:\reset.cmd and press Enter. Choose
Yes when you are prompted.
2. Copy the following commands and then paste them into the opened
Notepad window:

@echo off

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

@Echo =========================
@Echo Finished.
@Echo =========================
@pause

3. After you paste the above commands, please close the Notepad window.
Choose Yes when you are prompted to save the file.
4. Click Start, Run, type: C:\reset.cmd and press Enter to run the
commands we have pasted.
5. You will see a DOS-like window processing the request.

(NOTE: It may take several minutes, please be patient. When it is
finished, you will be prompted with "Finished, press any key to
continue".)
 
Guest

This looks like a great tool to use, but I doubt it would fix the problem I
found. I already tried resetting security on the registry keys and files.
Everything worked fine except an Access denied on the one registry key in
question. I was able to view the ACL for the key and it was set to inherit
from parent. I also attempted to grant Everyone Full Control and change the
Ownership to Administrators, but everything tried failed.

It wasn't until I tried scanning the registry with a 3rd party raw hive
scanner that I found the key was just damaged. I guess I could rebuild the hives and
then locate a machine that I could export the damaged key and import it into
my rebuilt registry, but it is probably easier, faster, and safer to just
restore the system hive from a system restore backup from a few days ago.
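
Added example, not part of any post in this thread: a Python sanity check on the base block of a raw hive file, for vetting a System Restore copy of the SYSTEM hive before it is copied into place. Field offsets follow the publicly documented regf layout; the function names and the sample image are this example's own and the image is constructed.

```python
import struct

BASE_BLOCK = 4096  # size of the regf base block; hive bins start right after it

def regf_checksum(base: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0..507) of the base block."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base[:508]):
        x ^= dword
    # The format reserves 0 and 0xFFFFFFFF, remapping them to 1 and 0xFFFFFFFE.
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1

def check_hive(data: bytes) -> list:
    """Return the problems found in a raw hive image; an empty list means the header is sane."""
    problems = []
    if len(data) < BASE_BLOCK or data[:4] != b"regf":
        return ["missing or truncated regf base block"]
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    root_off, bins_size = struct.unpack_from("<II", data, 36)
    (stored,) = struct.unpack_from("<I", data, 508)
    if seq1 != seq2:
        problems.append("sequence numbers differ: hive was not cleanly flushed")
    if stored != regf_checksum(data):
        problems.append("base block checksum mismatch")
    if bins_size % BASE_BLOCK or BASE_BLOCK + bins_size > len(data):
        problems.append("hive bins size is unaligned or exceeds the file")
    if data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin signature missing")
    if root_off >= bins_size:
        problems.append("root key offset points outside the hive bins")
    return problems

def build_sample_hive() -> bytes:
    """Constructed minimal image: a valid base block plus one empty 4 KiB hive bin."""
    base = bytearray(BASE_BLOCK)
    base[:4] = b"regf"
    struct.pack_into("<II", base, 4, 7, 7)         # matching sequence numbers
    struct.pack_into("<II", base, 36, 0x20, 4096)  # root cell offset, hive bins size
    struct.pack_into("<I", base, 508, regf_checksum(bytes(base)))
    hbin = bytearray(BASE_BLOCK)
    hbin[:4] = b"hbin"
    return bytes(base + hbin)

if __name__ == "__main__":
    good = build_sample_hive()
    print(check_hive(good))
    damaged = bytearray(good)
    damaged[5] ^= 0xFF  # corrupt one byte of the primary sequence number
    print(check_hive(bytes(damaged)))
```

A clean result only says the header is consistent; damage confined to a single key cell, as described in this thread, needs a full walk of the hive's cells to find.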
 