How to make "last known good boot" the default boot?

[Mr. Z]

My XP machine (with all updates) gets stuck on the Welcome screen
on normal boot, but boots on the "last known good boot". How can I
make this the default boot? I have all latest updates, and antivirus
and antispyware programs I have find nothing. Thanks!

 

[John John (MVP)]

The real way to fix your problem would be to try to find out why it
doesn't want to boot with the Default control set. You could try
enabling boot logging then look at the log to see if anything of value
can be found. You could also look at the Default control set and see
what is different between it and the LastKnownGood set. After you
successfully boot the installation something is adding a change that
needs to be done at the next reboot and this is causing problems. You
can start the computer with the Last Known Good and then use a tool like
Autoruns to see what might be added to the start entries for the next
reboot.

John

 

[Mr. Z]

Ok I've was able to log the boot process for a "bad" boot, but how
can I log the the boot process for a "last known good" boot, since
I can only choose one option from the F8 menu? Or how do I choose
"boot from last known good" AND "Enable boot log"?

If what I REALLY want to do was indeed make the last known good
boot the default boot (it's my kids' PC so no critical data), how do I
do it? Worse comes to worst is I reload XP, which I don't want to do
just yet.

 

[John John (MVP)]

You can't bootlog the Last Known Good Configuration.

You can't set the computer to always boot to the Last Known Good
Configuration, you can only select this option with the use of the F8
boot options. If you understand the registry and if you are ready to
try advanced techiques you could try changing the Control Set numbers at
HKEY_LOCAL_MACHINE\SYSTEM\Select and swith the Default and Last Known
Good values. Be warned that this can be risky business and it won't
solve your problem!

If the computer boots properly to the Last Known Good yet refuses to
then subsequently reboot to the default Control Set then there is
something adding startup items to the registry *after* the computer is
booted. You would have to compare the startup items in the Default and
LKG Control Sets.

At this stage you should make sure that the machine is free of malware
and you should do a clean boot to try and figure out what might be
causing the default boot to fail:

How to configure Windows XP to start in a "clean boot" state
http://support.microsoft.com/kb/310353


How the Boot Process and the Last Known Good Configuartion Work.

When you boot the computer and select a boot option ntldr reads the
HKEY_LOCAL_MACHINE\SYSTEM\Select key to determine which Control Set it
should load. The Select key contains the following values:

Current
Default
Failed
LastKnownGood

These values typically contains data as shown here:

"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002

The data may be different in your computer, if you have had failed boots
you may have different numbers (like 00000003) and the numbers assigned
to the values may be different than shown above. These numbers tell
ntldr which Control Set to load, the Control Sets are also held in the
HKEY_LOCAL_MACHINE\SYSTEM key, typically:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002

When you boot the computer normally ntldr looks for the "Default" value
and loads the Control Set assigned to it, in the above example it would
load HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001, if you boot to Last Known
Good ntldr looks at, of course, the "LastKnownGood" value and loads the
corresponding Control Set, in this example it would load ControlSet002.

The Last Known Good set is only copied and recorded after a user
successfully logs on. In the above example, if you boot normally,
Windows will be booted using ControlSet001, after a user successfully
logs on the ControlSet001 will be copied to ControlSet002 and the
control set number will be recorded in the Select key. The value of the
Select key and the ControlSetnnn of the "LastKnownGood" configuration
will not change until the next successful logon. Booting successfully
to Safe Mode does not change the "LastKnownGood" Control Set, in only
changes when booting Windows normally.

So now it becomes apparent that something is added to the Default
Control Set *after* Windows is booted and on the subsequent reboot
whatever was added to the Control Set is preventing Windows from booting
properly. A service, application or some kind of malware is adding
something after the booted Control Set is copied over to the Lasst Known
Good set.

John

 

[Mr. Z]

Thanks, I'll try these suggestions.

You can't bootlog the Last Known Good Configuration.

You can't set the computer to always boot to the Last Known Good
Configuration, you can only select this option with the use of the F8
boot options. If you understand the registry and if you are ready to
try advanced techiques you could try changing the Control Set numbers at
HKEY_LOCAL_MACHINE\SYSTEM\Select and swith the Default and Last Known
Good values. Be warned that this can be risky business and it won't
solve your problem!

If the computer boots properly to the Last Known Good yet refuses to
then subsequently reboot to the default Control Set then there is
something adding startup items to the registry *after* the computer is
booted. You would have to compare the startup items in the Default and
LKG Control Sets.

At this stage you should make sure that the machine is free of malware
and you should do a clean boot to try and figure out what might be
causing the default boot to fail:

How to configure Windows XP to start in a "clean boot" state
http://support.microsoft.com/kb/310353


How the Boot Process and the Last Known Good Configuartion Work.

When you boot the computer and select a boot option ntldr reads the
HKEY_LOCAL_MACHINE\SYSTEM\Select key to determine which Control Set it
should load. The Select key contains the following values:

Current
Default
Failed
LastKnownGood

These values typically contains data as shown here:

"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002

The data may be different in your computer, if you have had failed boots
you may have different numbers (like 00000003) and the numbers assigned
to the values may be different than shown above. These numbers tell
ntldr which Control Set to load, the Control Sets are also held in the
HKEY_LOCAL_MACHINE\SYSTEM key, typically:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002

When you boot the computer normally ntldr looks for the "Default" value
and loads the Control Set assigned to it, in the above example it would
load HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001, if you boot to Last Known
Good ntldr looks at, of course, the "LastKnownGood" value and loads the
corresponding Control Set, in this example it would load ControlSet002.

The Last Known Good set is only copied and recorded after a user
successfully logs on. In the above example, if you boot normally,
Windows will be booted using ControlSet001, after a user successfully
logs on the ControlSet001 will be copied to ControlSet002 and the
control set number will be recorded in the Select key. The value of the
Select key and the ControlSetnnn of the "LastKnownGood" configuration
will not change until the next successful logon. Booting successfully
to Safe Mode does not change the "LastKnownGood" Control Set, in only
changes when booting Windows normally.

So now it becomes apparent that something is added to the Default
Control Set *after* Windows is booted and on the subsequent reboot
whatever was added to the Control Set is preventing Windows from booting
properly. A service, application or some kind of malware is adding
something after the booted Control Set is copied over to the Lasst Known
Good set.

John

 

[Mr. Z]

Are there tools to compare the default and LKG control sets in
the registry?

 

[Mr. Z]

Ok here are my registry dword values after I booted to the LastKnownGood
load, NOT the default load. This is without me doing any changes yet.

Current: 0x00000003
Default: 0x00000003
Failed: 0x00000002
LastKnownGood: 0x00000004

If I understood your explanation, why isn't Current equal to 0x00000004?

 

[John John (MVP)]

Reg Compare
http://technet.microsoft.com/en-us/library/cc742038.aspx

or Windiff.exe available in the Resource Kits or in the Support Tools
package:
http://www.microsoft.com/downloads/...76-9BB9-4126-9761-BA8011FABF38&displaylang=en

John

 

[John John (MVP)]

Ok here are my registry dword values after I booted to the LastKnownGood
load, NOT the default load. This is without me doing any changes yet.

Current: 0x00000003
Default: 0x00000003
Failed: 0x00000002
LastKnownGood: 0x00000004

If I understood your explanation, why isn't Current equal to 0x00000004?

Because then at the next reboot 0x00000004 would no longer be a "Last
Known Good" Control Set. If ControlSet004 were to be kept as the
CurrentControlSet, and if you were to then change this Control Set by
lets say adding new and incompatible drivers, the CurrentControlSet
would be saved as ControlSet004 (the Default Set) when you shutdown the
machine and on reboot you would not be able to boot to the Default
Control Set and upon trying the LKG it would try to boot the same
defective ControlSet004 and it too would fail.

The Control Set that is used to boot automatically becomes the Current
Control Set and the system will assign or reassign the proper number to
the booted Control Set and it will copy the successfully booted Control
Set to the Last Known Good Control Set, from then on during your Windows
session the Last Known Good Set will be kept isolated and it will not be
touched or changed at all, otherwise, if changes were to be allowed to
be made this LKG Control Set, there would be no way of knowing whether
the set had maintained its "Last Known Good" status, thus the Last Known
Good Control Set cannot be the same as the Current and Default Control
Sets. You should note that the CurrentControlSet is ephemeral, there is
no CurrentControlSet when the machine isn't running, the
CurrentControlSet is created from the Control Set used to boot the
machine and it is only present when Windows is booted.

John

 

[Mr. Z]

Ok I read more here http://support.microsoft.com/kb/100010 which
is what you explained.

reg compare shows the control sets to be identical. That is I compared
current to failed, current to LKG, LKG to failed, all saying identical. So
it must be something else other than registry?

 

[John John (MVP)]

Boot the machine to a clean boot and see if the problems persists.

Look at the Run and RunOnce keys at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Use a utility like Sysinternals' Autoruns to see what is going on when
the computer boots.

John

 

[Mr. Z]

I was able to boot to a clean boot, but have not looked at
the registry values or Autoruns yet.

 

[John John (MVP)]

Your on your way to resolving the problem. If the machine can
successfully boot to a clean boot then a startup item is preventing the
machine from booting normally. One way to try to find the culprit would
be to boot normally to the LKG again and then to launch the Msconfig
utility and to disable all non Microsoft services and see if the problem
persists. If the problem persists you can then look at the items in
the startup tab and see if disabling these items resolves the problem.
One way of quickly eliminating items in the startup tab is to disable
half of then and then reboot. If the problem persists it's in one of
the remaining items, cut the in half again and reboot, repeat until you
find the culprit.

John

 

[Mr. Z]

Thanks you! I'll try this.

Your on your way to resolving the problem. If the machine can
successfully boot to a clean boot then a startup item is preventing the
machine from booting normally. One way to try to find the culprit would
be to boot normally to the LKG again and then to launch the Msconfig
utility and to disable all non Microsoft services and see if the problem
persists. If the problem persists you can then look at the items in
the startup tab and see if disabling these items resolves the problem.
One way of quickly eliminating items in the startup tab is to disable
half of then and then reboot. If the problem persists it's in one of
the remaining items, cut the in half again and reboot, repeat until you
find the culprit.

John