deleted lsass entries in the registry


ttt3

I deleted lsass entries in the registry, thinking it was a virus.

· C:\WINNT\SYSTEM32\lsass.exe was not deleted
· Slow boot, must use F8 - last known good
· "Unknown user" in Accounts where Admin & user account was
· no icons in network places, but status bar shows 3 items
· Control panel frame is pushed to the left
· my computer > manage > user accounts has red X - error msg RPC not available
· net start rpcss does not work
· cannot install Adminpak.exe
· error msg "You don't have rights to shut down pc."
· attempted to re-enter strings to replace lsass which was deleted
· Tried to reinstall to repair Windows from OS discs or ERD, did not fix


Can I use C:\Winnt\repair to overwrite the registry & fix this? Can I
only use the sam & security files to replace/fix deleting lsass?
copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

Error msg on boot:
1 Google desktop did not load successfully

These are linksys errors - minor
2 Odyssey client error -OdesseySupplicant
Mgr::Thread()eroron::CoRegistry Class Object() error code 0x800706BA
3 Odyssey must terminate
4 Microsoft Visual C++ Runtime Terminated -Program in Ramfiles\
Linksys G notebook adapter\Odhost.exe abnormal program terminated
5 Odhost applicant: odhost error memory could not be "read"
6 WSAStant not yet performing

System properties>User profiles -"Account unknown"
System properties>Network Identification> Domain "unknown"
checked CP>User & passwords>profiles entries -blank


attempted to load Adminpak- could not
My Computer RC >manage> Users & Groups still has red X
Selected service> unable to open service management DB, error 1307. This
security id may not be assigned as the owner of this object.

HKLM/system/ccs/svc/svc shows "localsystem"

Next I did this :
Restore missing RPC registry values
To restore missing RPC registry values on the client or on the server,
follow these steps.

Warning Serious problems might occur if you modify the registry
incorrectly by using Registry Editor or by using another method. These
problems might require that you reinstall your operating system.
Microsoft cannot guarantee that these problems can be solved. Modify
the registry at your own risk.
Step 1: Verify registry entries
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols
Verify that all entries are present and correct by referring to the
tables contained in the "ClientProtocols" section of this article.
4. If any values are missing, add the missing values. To do this,
follow these steps:
a. On the Edit menu, point to New, and then click String Value.
b. Type the name of the missing string value, and then press ENTER.
c. Press ENTER.
d. In the Edit String dialog box, type the missing value data in the
Value data box, and then click OK.

5. Quit Registry Editor.
6. Restart the computer.
7. Test Exchange Server connectivity.
Step 2: Verify the version of the DLL file
If all the registry values exist, verify the version of the RPC DLL
file that is on the computer. The version of the RPC DLL file must
match the version and the build number of the Windows operating system
on the computer.

Note The registry keys that are described earlier in this article list
the names of the .dll files that each RPC uses. For example,
Rpcrt4.dll is the .dll file that is used by TCP/IP on Windows 2000 and
on Windows XP.

To determine the version and the build number of the Windows operating
system on the computer, follow these steps.
1. Click Start, and then click Run.
2. In the Open box, type winver.
3. Make a note of the version and the build number.
To determine the version of the .dll file, follow these steps:
1. In Windows Explorer, locate the RPC .dll file in the
Windows\System32 folder.
2. Right-click the file, and then click Properties.
3. Click Version.
4. Note the file version.

The file version must reflect the build number of the Windows operating
system on the computer. For example, on Windows XP version 5.1 build
2600, the Rpcrt4.dll file version is 5.1.2600.0.

ncacn_np_np REG_SZ rpcrt4.dll
was the only subkey listed; I added the others as shown below. The
version of my OS and dll was 5.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols
By default, the ClientProtocols subkey contains the following registry
entries for TCP/IP:
Name Type Data
ncacn_http REG_SZ rpcrt4.dll
ncacn_ip_tcp REG_SZ rpcrt4.dll
ncacn_np REG_SZ rpcrt4.dll
ncadg_ip_udp REG_SZ rpcrt4.dll


This did not fix the problem.


c:\windows\System32\ is blank, the status bar shows 2068 items, but
they are not visible. I need to view this through start>explore to see the
contents but there are no dll files, the dllcache folder has dlls.

If I search for files in system32 I can find them but I cannot see
them, Lsasrv.dll and Lsass.exe are in there.

Is this


I need help.

Thanks TTT3
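The ClientProtocols check and the Rpcrt4.dll version check from the KB steps pasted above, as an added read-only audit script (not from the thread or from Microsoft's article). It assumes an elevated PowerShell 3.0+ prompt and a backup path under %TEMP%; the key, value names and DLL name are the ones the thread quotes.

```powershell
# Added example, not from the thread or from Microsoft's KB article: a read-only
# audit of the RPC ClientProtocols key described above, plus the Rpcrt4.dll
# version check, with a backup export taken first. Run from an elevated
# PowerShell prompt; the backup path below is an assumption.
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'
$Expected = @{                       # default TCP/IP table quoted in the thread
    'ncacn_http'   = 'rpcrt4.dll'
    'ncacn_ip_tcp' = 'rpcrt4.dll'
    'ncacn_np'     = 'rpcrt4.dll'
    'ncadg_ip_udp' = 'rpcrt4.dll'
}

# Step 0: the backup the thread wishes it had. reg.exe export writes a .reg
# file that can be re-imported if a later edit goes wrong.
$Backup = Join-Path $env:TEMP 'ClientProtocols-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Rpc\ClientProtocols' $Backup /y | Out-Null
Write-Host "Backup written to $Backup"

# Step 1: read what is actually in the key.
$Key    = Get-Item -Path $KeyPath -ErrorAction Stop
$Actual = @{}
foreach ($name in $Key.GetValueNames()) { $Actual[$name] = [string]$Key.GetValue($name) }

# Compare against the expected table: report missing, mismatched and unexpected values.
$Findings = @(foreach ($name in $Expected.Keys) {
    $status = if (-not $Actual.ContainsKey($name)) { 'MISSING' }
              elseif ($Actual[$name] -ne $Expected[$name]) { 'MISMATCH' }
              else { 'OK' }
    [pscustomobject]@{ Value = $name; Status = $status; Data = $Actual[$name] }
})
# A value that is not in the default table, or that points at a DLL outside
# System32, is worth investigating rather than silently keeping.
foreach ($name in $Actual.Keys) {
    if (-not $Expected.ContainsKey($name)) {
        $Findings += [pscustomobject]@{ Value = $name; Status = 'UNEXPECTED'; Data = $Actual[$name] }
    }
}
$Findings | Format-Table -AutoSize

# Step 2: the DLL's file version must carry the OS build number (e.g. 5.1.2600 on XP).
# Win32_OperatingSystem is used because [Environment]::OSVersion can be masked by
# the PowerShell host's compatibility manifest on newer Windows.
$vi       = (Get-Item (Join-Path $env:SystemRoot 'System32\rpcrt4.dll')).VersionInfo
$DllBuild = '{0}.{1}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart
$OsBuild  = (Get-CimInstance Win32_OperatingSystem).Version   # Major.Minor.Build
if ($DllBuild -eq $OsBuild) {
    Write-Host "rpcrt4.dll $DllBuild matches OS build $OsBuild"
} else {
    Write-Warning "rpcrt4.dll is $DllBuild but the OS reports $OsBuild; check the file"
}
```

The script changes nothing; a MISSING row is the cue to add the value by hand (or to re-import the exported .reg from a known-good machine), and an UNEXPECTED row pointing outside System32 is what a hijacked RPC protocol entry would look like.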

Dave Patrick

We've no idea since you didn't tell us what branch you deleted from. Better
to use files from;

%systemroot%\repair\regback

You did backup prior to editing?

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
<snip>
Can I use C:\ Winnt\repair - to overwrite registry & fix this? Can I
<snip>

Mark V

In said:
We've no idea since you didn't tell us what branch you deleted
from. Better to use files from;

%systemroot%\repair\regback

You did backup prior to editing?

I sure hope he did as he is going to need regular Full Registry
Backups frequently with such a cavalier attitude toward messing up
the registry and system.

ttt3

Mark said:
I sure hope he did as he is going to need regular Full Registry
Backups frequently with such a cavalier attitude toward messing up
the registry and system.

Mark, Dave: It would be too easy if I had made a backup. The entries
were deleted from all the branches (keys), thinking it was a virus.
Since the actual files and dlls were not deleted, is it possible to
re-enter the subkeys into the registry? Yes, in the future,
learning the hard way, I will back up the registry regularly. I was
under the impression that W2K Pro did auto save 5 backups.
Is there a way to get the RPC server restarted other than run>net start
rpcss?

Dave Patrick

:
| Mark, Dave: It would be too easy if I had made a backup.The entries
| were deleted from all the branches (keys),
* This is still too vague. The keys may help determine the hive files to
restore.


| thinking it was a virus.
| Since the actual files and dlls were not deleted, is it possible to
| re-enter the the subkeys/ into the registry?
* Yes, assuming you know exactly what was deleted.


| Yes, in the future,
| learning the hard way, I will back up the registry regularly. I was
| under the impression that W2K Pro did auto save 5 backups.
* No such thing.


| Is there a way to get the RPC server restarted other than run>net start
| rpcss?
* From the recovery console command prompt;

enable rpcss service_auto_start
enable rpclocator service_demand_start

To start the Recovery Console, start the computer from the Windows 2000
Setup CD or the Windows 2000 Setup floppy disks. If you do not have Setup
floppy disks and your computer cannot start from the Windows 2000 Setup CD,
use another Windows 2000-based computer to create the Setup floppy disks. At
the "Welcome to Setup" screen, press F10 or R to repair a Windows 2000
installation, and then press C to use the Recovery Console. The Recovery
Console then prompts you for the administrator password. If you do not have
the correct password, Recovery Console does not allow access to the
computer. If an incorrect password is entered three times, the Recovery
Console quits and restarts the computer. Note If the registry is corrupted
or missing or no valid installations are found, the Recovery Console starts
in the root of the startup volume without requiring a password. You cannot
access any folders, but you can carry out commands such as chkdsk, fixboot,
and fixmbr for limited disk repairs. Once the password has been validated,
you have full access to the Recovery Console, but limited access to the hard
disk. You can only access the following folders on your computer: drive
root, %systemroot% or %windir%


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

ttt3

1. BTW - I can login w Admin password w/o a problem, it's just
slow, and have access to the registry
2. I Ran the recovery console to auto start rpcss -successful
3. no more error msg about RPC server not available
4. Again tried to install Adminpak.msi - got error windows installer
service not available
5. Verified msiexec.exe in c:\winnt\system32 & in registry w correct
Infopath
6. Booted to safe mode run>msiexec /regserver, reboot
I tried this Reinstall the Windows Installer - unsuccessful
then I did the following:
To reinstall the Windows Installer, rename the damaged Windows
Installer files, and then reinstall the Windows Installer. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd, and then click OK.
3. At the command prompt, type the following line, and then press
ENTER, where Drive is the drive where Windows is installed and where
%Windir% is the folder where Windows is installed:
attrib -r -s -h drive:\%Windir%\system32\dllcache
For example, type
attrib -r -s -h c:\windows\system32\dllcache
Note If you are using Windows 98, type system instead of system32.
4. At the command prompt, type the following lines, pressing ENTER
after each line:
ren msi.dll msi.old
ren msiexec.exe msiexec.old
ren msihnd.dll msihnd.old

These items could not be found in the system32 folder, yet F3 will find them,
it's like the contents of the system32 folder are inaccessible.
Most all of the InfoPaths in the registry point to this folder. How did
removing the Lsass string values impact this?

I am assuming the SAM is intact, it just doesn't
know how to play w Lsass.exe or vice versa, that is why I may be
getting permission errors?? Below is where lsass is in the XP registry
(should be the same almost in W2K). Assuming these are what I deleted,
they all point to lsass.exe in C:\winnt\system32 folder, can you
start/re-register/associate c:\winnt\system32\Lsass.exe so that it puts
itself back into the registry where it belongs?

There are two binary strings in HKLM\sys\CCS\Control\Nls\
MUILanguages\RCV2\lsass.exe
HKLM>CS001(2)\control\terminal server\sysprocs -dword value 0
HKLM> CS001(2)\services \netlogon - string ImagePath that points to
system32 folder
HKLM> CS001(2)\services\ Npfs\Alias
HKLM> CS001(2)\services\ntlmSsp - string ImagePath that points to
system32 folder
HKLM> CS001(2)\services\PolicyAgent - string ImagePath that points to
system32 folder
HKLM> CS001(2)\services\ProtectedStorage - string ImagePath that
points to system32 folder
HKLM> CS001(2)\services\SamSs - string ImagePath that points to
system32 folder
In HKUsers\
S-1-5-21-3632980786-1293822131-2833911252-513\software\NavClient\1.1\History
and two other subkeys under HKUsers

Thanks Tom

Mark V

In said:
Mark, Dave: It would be too easy if I had made a backup.The
entries were deleted from all the branches (keys), thinking it
was a virus. Since the actual files and dlls were not deleted,

Well, there was some malware at one time that actually used a
filename of lsass.exe if I recall correctly, but not by overwriting
the MS copy in %systemroot%\SYSTEM32\. In that case (again, from
memory only) one might have needed to delete a very specific
registry entry (after Full Registry Backup (not Export)) pointing
to that particular file and the file itself...

The shotgun approach is never a good reaction in the absence of
specific and verified corrective solutions. A Google search will
likely provide specific solutions in many cases whereby malware may
be identified and removed safely.

Seek one of Dave's posts about using ntbackup.exe and the "ERD"
backup option for a manual Full Registry Backup method. Or
investigate "ERUNT".

Mark V

In said:
1. BTW - I can login w Admin password w/o a problem, it's
just slow, and have access to the registry

lsass is the Local Security Authentication and the system will not
operate correctly without those now missing registry entries. I am
surprised you can get booted and logged in at all. Many parts of the
OS depend on this internal component. MSI and many others will never
run or not be allowed to run without this component.

If your "Repair Install" did not correct it, then Dave's suggestion
to use the newest available \RegBack\ copy (if any) or fall all the
way back to the "as installed" copies (\repair\) may be possible but
not very desirable. Most, but not all, references will be in the
SYSTEM hive file stored on disk. IMO you should probably just start
over with a New installation.