lsass.exe won't let me boot

[Guest]

Just bought a pre-owned Dell Inspiron 6000D, running XP. On first power-up,
after what appears to be a normal boot-up, it displays a message window
headed "lsass.exe System error". The error description says, "When trying to
update a password this return status indicates that the value provided as the
current password is incorrect." It never asks for a password to be entered,
so this is puzzling.

Aftger displaying this message it reboots again, displays the same error
message again, reboots again, displays the same error message again, reboots
again, etc., in an infinite loop.

I checked the password settings in Set-Up and note that no passwords are
set. Thanks for any help

 

[David H. Lipman]

From: "rheologuy" <[email protected]>

| Just bought a pre-owned Dell Inspiron 6000D, running XP. On first power-up,
| after what appears to be a normal boot-up, it displays a message window
| headed "lsass.exe System error". The error description says, "When trying to
| update a password this return status indicates that the value provided as the
| current password is incorrect." It never asks for a password to be entered,
| so this is puzzling.
|
| Aftger displaying this message it reboots again, displays the same error
| message again, reboots again, displays the same error message again, reboots
| again, etc., in an infinite loop.
|
| I checked the password settings in Set-Up and note that no passwords are
| set. Thanks for any help
|

So you are saying it you bought a used computer ? The best advice is to wipe the
computer clean of all data and install, an OS from scratch. This will prevent you from
dealing with malware that may be on the computer as well as inheriting any problems or bugs
experienced by the previous owner. Such as you are now dealing with.

 

[Malke]

Just bought a pre-owned Dell Inspiron 6000D, running XP. On first
power-up, after what appears to be a normal boot-up, it displays a
message window
headed "lsass.exe System error". The error description says, "When
trying to update a password this return status indicates that the
value provided as the
current password is incorrect." It never asks for a password to be
entered, so this is puzzling.

Aftger displaying this message it reboots again, displays the same
error message again, reboots again, displays the same error message
again, reboots again, etc., in an infinite loop.

I checked the password settings in Set-Up and note that no passwords
are set. Thanks for any help

The best thing for you to do with a used computer is to format the
computer and reinstall Windows. You should have received the cd's that
came with the Dell which will have included an operating system,
drivers (Dell Resource CD), and possibly some programs. Current Dells
don't come with an operating system cd, but older ones did.

Malke

 

[Guest]

Thanks. It's only a month or two old-- still under warranty. And you're
right-- everything that was with it new was in the box but no OS disks came
with it. Can Anyone tell me how to fix this without wiping the drive?

 

[David H. Lipman]

From: "rheologuy" <[email protected]>

| Thanks. It's only a month or two old-- still under warranty. And you're
| right-- everything that was with it new was in the box but no OS disks came
| with it. Can Anyone tell me how to fix this without wiping the drive?
|

If it is under warranty. Call Dell !

You were given the *best* advice you will get here.

 

[pcbutts1]

Ignore David, you see he is of no help. That error message could mean a
number of things. You need your system patched and upgraded. There was a
virus that causes that message most likely that's what you have. Try this
When the message pops up click start>run and type in the box " shutdown -a"
without the quotes and press enter. That should keep it from restarting. Do
that each time the window pops up. Go to www.windowsupdate.com and download
all the critical updates. Once done then get your antivirus updated.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com

 

[Jone Doe]

Ignore anything told to you by pcbutts. He is only here to direct people to
his site to increase the numbers so he can get paid. He steals others work
and presents it in his page and directs you there.

The only good advice he gives is to:
1.. Click on Start, Run
2.. Type in CMD and press ENTER
3.. Type in the following command and press Enter

SHUTDOWN -A
This will hopefully stop the shut down loop. Chances are you have the L
(small l)sass worm.

Websearch turns up this:

Follow these steps in removing the Sasser worm.

1) Disconnect your computer from the local area network or Internet

2) Terminate the running program

a.. Open the Windows Task Manager by either pressing CTRL+ALT+DEL,
selecting the Processes tab or selecting Task Manager and then the process
tab on WinNT/2000/XP machines.
b.. Locate one of the following programs (depending on variation), click
on it and End Task or End Process
avserve.exe
avserve2.exe
skynetave.exe
any process running with the "_up.exe" suffix

a.. Close Task Manager
3) Activate the Windows XP Firewall (if running Windows XP) or another
firewall to prevent the worm from shutting your system down while
downloading the patches. To activate the Windows XP firewall, follow these
steps.

a.. Click on Start, Control Panel
b.. Double-click on Networking and Internet Connections, then click on
Network Connnections
c.. Right-click on the connection you use to access the Internet and
choose Properties
d.. Click on the Advanced Tab and check the box
"Protect my computer and network by limiting or preventing access to this
computer from the Internet"
e.. Click OK and close out of the Network and Control Panel
3) Download and Install the patches for the LSASS Vulnerability and others

a.. Microsoft Windows NT® Workstation 4.0 Service Pack 6a
b.. Microsoft Windows NT Server 4.0 Service Pack 6a
c.. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack
6
d.. Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000
Service Pack 3, and Microsoft Windows 2000 Service Pack 4
e.. Microsoft Windows XP and Microsoft Windows XP Service Pack 1
f.. Microsoft Windows XP 64-Bit Edition Service Pack 1
g.. Microsoft Windows XP 64-Bit Edition Version 2003
h.. Microsoft Windows ServerT 2003
i.. Microsoft Windows Server 2003 64-Bit Edition
5) Remove the Registry entries

a.. Click on Start, Run, Regedit
b.. In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run

a.. In the right panel, right-click and delete the following entry
"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"

a.. Close the Registry Editor
6) Delete the infected files (for Windows ME and XP remember to turn off
System Restore before searching for and deleting these files to remove
infected backed up files as well)

a.. Click Start, point to Find or Search, and then click Files or Folders.

b.. Make sure that "Look in" is set to (C:\WINDOWS).

c.. In the "Named" or "Search for..." box, type, or copy and paste, the
file names:

avserve.exe
avserve2.exe
skynetave.exe
C:\win2.log

d.. Click Find Now or Search Now.

e.. Delete the displayed files.

f.. Empty the Recycle bin
7) Reboot the computer and update your antivirus software, and run a
thorough virus scan using your favorite antivirus program.

For Automatic Removal of Sasser, download the Symantec removal tool, you'll
still need to download the patches above and install them, however this
removal tool will stop the Sasser worm from running, remove the items in the
registry, and delete the infected files.

 

[Guest]

Thank you for the information. Since the "Start" button is not accessible I
can't get to "Run" or "CMD". Perhaps this means as you said a HD wipe. But
how do I do that if can't boot? It is under warranty but the seller (on EBay)
hasn't transferred ownership yet, and it's for my son who goes to college
this weekend. Many thanks.

 

[Malke]

Thank you for the information. Since the "Start" button is not
accessible I can't get to "Run" or "CMD". Perhaps this means as you
said a HD wipe. But how do I do that if can't boot? It is under
warranty but the seller (on EBay) hasn't transferred ownership yet,
and it's for my son who goes to college
this weekend. Many thanks.

Here's how to completely format/clean-install Windows:
http://michaelstevenstech.com/cleanxpinstall.html

You will not be going into the operating system to do this.
Unfortunately, you *will* need an operating system cd. Frankly, if you
can return this machine I would. I understand that you are under some
time pressure, but starting your son off to college with this machine
will - IMO - not be a good decision.

Malke

 

[Peter Foldes]

First try to get back your Start and Taskbar then follow the advice given above by David

http://www.kellys-korner-xp.com/taskbarplus!.htm

 

[Guest]

I also now have the same problem -- here is some more background.

When I first tried to boot the computer today it would not boot to Win XP
(Home) and gave the following error:

Windows XP could not start because the following file is missing or
corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

I found a solution at at a Dell site which recommended to replace the
"system" file. I did not get a chance to see the MS site first:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307545

I was able to replace the "system" file without being asked for an
administrator password but now that I have the "System error: Lsass.exe
When trying to update a password the return status indicates that the value
provided as the current password is not correct." error my attempts to use
the recovery console have been blocked by the need for a password (and my
administrative) password does not work. I assume it has to do with this
statement:
"Warning Do not use the procedure that is described in this article if your
computer has an OEM-installed operating system. The system hive on OEM
installations creates passwords and user accounts that did not exist
previously. If you use the procedure that is described in this article, you
may not be able to log back into the recovery console to restore the original
registry hives. "

I found this site
http://www.geekstogo.com/forum/inde...pid=44939&mode=threaded&show=&st=&#entry44939
Where they recommended this:

[THE NEXT PART SHOULD ONLY BE TRIED IF EVERYTHING ELSE FAILS

I found a program, which is a bootable cd that has all sorts of useful tools
on it. There is a password modifier included. I used this password program to
deactivate Syskey.exe, which is a very important security feature of windows.
http://home.eunet.no/~pnordahl/ntpasswd/

Read this first : http://home.eunet.no/~pnordahl/ntpasswd/syskey.txt

After deactivating syskey and reebooting, since syskey is deactive, windows
will load into safe mode, and you can continue the other steps in the
original knowledge base articles, including moving restor files, and running
the repair function of windows setup to complete the operation.

This technique worked for me, and allowed me access to windows and restore
the registry from a system restore point.

It is important that when you have everything sorted, you MUST restart
syskey.exe (details on MS website)]

Is this a resonable method? I have not found anything at MS that makes it
easy to "turn back on syskey.exe." Is there any possibility to get the
computer to boot so that I can copy files off of it?