Login Immediately Logging Off

sailmonsoon

Hello to all my readers!

"All of a sudden" my system started logging off immediately after I
login. The login message box says "loading settings" then quickly
changes to "logging off" then after a while says "closing network
connections" then the login window returns.

A lot of people have reported having this problem. The only solution
offered by other people and websites is when this problem has been
caused by "wsaupdater.exe" replacing "userinit.exe" by a registry
setting change. This is caused by an obnoxious malware BlazeFind
related to Internet Explorer. (I don't use IE!) (The people who
distribute this should be ... punished.)

I am experiencing this problem, but none of the symptoms of
BlazeFind. None of the files associated with BlazeFind are located on
my computer, at least not in c:\windows or c:\windows\system32.

I can only access the hard disk by using the Recovery Console.

No boot option changes the situation: Safe Mode, Admin Login ... is
there anything else?

The ntbtlog.txt doesn't show anything abnormal.

I have "played" with (renamed) the hive files in
c:\windows\system32\config (DEFAULT, SAM, SOFTWARE, SYSTEM, SECURITY), but
that inhibited the boot process completely.

I tried to look at the FireFox install directory, located in
c:\Program Files, but the Recovery Console does not have access to that
folder. Is there a special way to go to that directory?

Does anybody know of another cause of this problem ... and the
solution? A lot of people are experiencing it, if a google search is
any indication. I would like to avoid reloading from a backup,
because it is about one month old, but if there is no joy I will.

My system is "Windows XP Pro sp2".

This post is long enough. I hope someone can help.
Cheers!
Bill Westphal in New Zealand
 
Pegasus (MVP)

The "userinit" cause you mention is one of several possible causes, i.e.
- userinit.exe does not exist.
- userinit.exe is corrupted.
- the system drive letter has changed and userinit is not where Windows
expects it.
- the registry entry for userinit.exe is incorrect.

The cure is simple if the machine is networked, harder if you can
temporarily install its disk in some other WinXP/2000 PC and
very hard if neither of the above apply. What is it in your case?
 
sailmonsoon

It's networked (at home, not on a Windows Domain).

I checked for, and found "userinit.exe". I compared it to the copy of
it located in the c:\i386 folder, and it had the same file size and
date. I know, it can still be corrupted. I will copy the i386 version
to the c:\windows\system32 folder.

The system in question is a laptop, and I don't have another Windows
XP machine here (I have several "other" machines; Solaris, Linux,
Tru64), but I could go to a location that does have more Windows
resources. What is the network "cure"? Is the machine still
accessible via the network even though a user is not logged in? How?
Terminal Services?

What is the cure in the 2nd case?

Thanks for your response.
Bill
 
Pegasus (MVP)

Accessing shared resources via a network is never
dependent on anyone being logged in at the host.
However, it does depend on the two machines
having identical account names and passwords.

Download a copy of psexec.exe from www.sysinternals.com,
then run this command from a Command Prompt:

psexec \\BadPC cmd

What drive letter do you see?

Unfortunately the command won't work if the
firewall on \\BadPC is turned on.
 
sailmonsoon

PROBLEM SOLVED ... CAUSE STILL UNKNOWN.

The solution was to copy in an older version of the Registry Hive. The
steps taken were somewhat frustrating.

1. Boot to a Recovery Console. Navigate to
%Systemroot%\system32\config. Rename the files DEFAULT, SAM, SECURITY,
SOFTWARE, and SYSTEM, e.g. add a ".bad" extension to each name.

2. Reboot the system to a Recovery Console. This time the console
should NOT ask you for an administrator password. If you do not
perform step #1 then you will not have access to the "c:\System Volume
Information" folder. Navigate to the "c:\System Volume Information"
directory. There should be a folder here whose name begins with
"_restore{". It's a very long folder name, unique to every system.
Change to this folder and copy these files to
c:\windows\system32\config: _RESTORE_MACHINE_SAM, _RESTORE_MACHINE_SECURITY,
_RESTORE_MACHINE_SOFTWARE, _RESTORE_MACHINE_SYSTEM, and
_RESTORE_USER_.DEFAULT. Then navigate to c:\windows\system32\config
and rename the copied files to SAM, SECURITY, SOFTWARE, SYSTEM, and
DEFAULT, respectively.

3. Reboot your system normally. It should proceed as it did before
the problem occurred. I haven't noticed any missing files or
different settings.

My next step is going to be to make a current, FULL backup. Then I
will make a bootable rescue CD.

Thank you, Pegasus, for responding.

I would sure like to know what caused this, but I have no time to
investigate. Is there any way to look at the registry entries in the
BAD Hive? Without enabling it or making it live?

Cheers!
Bill Westphal
"Go, Team New Zealand. Bring back the America's Cup!"
 
Pegasus (MVP)

Thanks for the feedback.

Regedit.exe lets you open an off-line registry hive.

I recommend a Bart PE boot CD as a rescue CD. It's worth the
effort to make it.

On my machines I have a scheduled job that runs once each week.
It invokes regback.exe (Windows Resource Kit) so that I have at
all times three copies of my registry files: the live copy, the most
recent backup copy and the one before. This lets me resolve your
type of problem within a few minutes.
 
Pegasus (MVP)

When looking at the off-line registry, compare these keys
with the on-line version:
HKLM\SYSTEM\MountedDevices\DosDevices
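
One way to carry out the offline comparison described above, together with a check of the Userinit registry entry discussed earlier in the thread. This is an added example, not part of the original posts. It assumes an elevated PowerShell prompt, that the renamed hives are SOFTWARE.bad and SYSTEM.bad in the config folder, and that BadSoftware and BadSystem are free to use as temporary mount names (all three are assumptions for illustration).

```powershell
# Added example: read the renamed (".bad") hives offline and compare with the live registry.
# Assumptions: elevated prompt; hive file names/location; BadSoftware/BadSystem mount names.
$BadDir = 'C:\Windows\System32\config'   # assumed location of SOFTWARE.bad and SYSTEM.bad

function Get-WinlogonValues([string]$SoftwareRoot) {
    # Userinit and Shell decide what Winlogon starts right after logon.
    Get-ItemProperty -Path "$SoftwareRoot\Microsoft\Windows NT\CurrentVersion\Winlogon" |
        Select-Object Userinit, Shell
}

function Get-DosDevices([string]$SystemHive) {
    # Return \DosDevices\X: -> hex string, so drive-letter mappings can be compared.
    $map = @{}
    $key = Get-Item -Path "$SystemHive\MountedDevices"
    foreach ($name in $key.GetValueNames()) {
        if ($name -like '\DosDevices\*') {
            $map[$name] = [BitConverter]::ToString([byte[]]$key.GetValue($name))
        }
    }
    $key.Close()
    $map
}

# Mount the offline hives under temporary keys; the live hives are only read.
reg.exe load HKLM\BadSoftware "$BadDir\SOFTWARE.bad" | Out-Null
reg.exe load HKLM\BadSystem   "$BadDir\SYSTEM.bad"   | Out-Null
try {
    $live = Get-WinlogonValues 'HKLM:\SOFTWARE'
    $bad  = Get-WinlogonValues 'HKLM:\BadSoftware'
    "Userinit live: $($live.Userinit)"
    "Userinit bad : $($bad.Userinit)"
    "Shell    bad : $($bad.Shell)"
    # The normal value is a single <drive>:\<windir>\system32\userinit.exe, entry.
    if ($bad.Userinit -notmatch '^[a-z]:\\[^\\,]+\\system32\\userinit\.exe,?\s*$') {
        Write-Warning 'Userinit in the bad hive is missing or does not point at userinit.exe'
    }

    $liveDev = Get-DosDevices 'HKLM:\SYSTEM'
    $badDev  = Get-DosDevices 'HKLM:\BadSystem'
    foreach ($name in (@($liveDev.Keys) + @($badDev.Keys) | Sort-Object -Unique)) {
        if ($liveDev[$name] -ne $badDev[$name]) {
            "Drive mapping differs: $name"
        }
    }
}
finally {
    # Release registry handles, then detach the temporary keys.
    [gc]::Collect()
    reg.exe unload HKLM\BadSoftware | Out-Null
    reg.exe unload HKLM\BadSystem   | Out-Null
}
```

A differing `\DosDevices\C:` entry corresponds to the "system drive letter has changed" cause listed earlier; a Userinit warning corresponds to the "registry entry is incorrect" cause.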
 
Guest

I have a slightly different problem. I can logon in SAFE mode and perform
most tasks that can be done. However, I cannot logon in normal mode at all,
the system hangs while trying to load Windows. I don't even get the login
screen. I have checked for viruses and spyware with System Mechanic 7 and
Spybot -- nothing.

Since I can access via SAFE mode, what would you suggest as next steps?

Oh, Windows XP Pro SP2, dual processor, SCSI, C drive contains all programs,
F drive contains all data, can access both in SAFE mode.

Thanks for any help ... I am totally confused and apparently not good at the
technical stuff that this and other posts reference.
 
Pegasus (MVP)

Marvin said:
I have a slightly different problem. I can logon in SAFE mode and perform
most tasks that can be done. However, I cannot logon in normal mode at all,
the system hangs while trying to load Windows. I don't even get the login
screen. I have checked for viruses and spyware with System Mechanic 7 and
Spybot -- nothing.

Since I can access via SAFE mode, what would you suggest as next steps?

Oh, Windows XP Pro SP2, dual processor, SCSI, C drive contains all programs,
F drive contains all data, can access both in SAFE mode.

Thanks for any help ... I am totally confused and apparently not good at the
technical stuff that this and other posts reference.

It helps if you understand that Safe Mode will NOT load a number of
programs and drivers that are loaded in normal mode. It follows that
one of these extra drivers/programs must cause your problem.

Your first step should be to use System Restore in order to return
your machine to a point well before this problem started.

If this is not possible then you could click Start / Run / msconfig.exe.
Now do this:
- Physically disconnect your machine from the Internet.
- Remove all ticks.
- Reboot the machine.
- Selectively restore the ticks until you find the offending program.

Do not restore your Internet connection until your virus scanner
is ticked.
 
Guest

I tried System Restore to no avail ... I am now doing msconfig and
deselecting all startup and

There are many programs identified as Microsoft which I do not know their
authenticity. There are other programs, Acronis, iTunes, Kaspersky which I
know and believe are okay. What is the best way to prioritize the good-to-bad
programs? Should I literally do one at a time OR are there groups that can be
loaded?

I thought I fixed the problem before when I used a backup that I created
with Acronis True Image. The system worked fine, albeit a bit slow, then
crashed as I was running a Kaspersky scan. When I ran Kaspersky in Safe Mode,
it completed without identifying any viruses. Same with Spybot. Could I have
a "corrupt" file vs. a virus? Sorry for all the questions but I have
exhausted all of my personal experiences and am getting frustrated with the
"downtime". Thanks in advance ...
 
Guest

Okay, I deselected all of the services and startup programs. No change ... I
get to the Windows XP screen and the bar below the trademark indicates that
it is attempting to load Windows XP but it never takes me to the login screen.

So, where am I in terms of fixing the problem? I suspect I may be back to a
Windows Repair using the Windows CD to boot from. I have already tried the
Recovery console and followed the instructions for userinit.exe and that did
not help.

Any other suggestions before I "start over"? I assume that since I have
disabled the startup stuff that the repair will not change that and I would
then follow your earlier instructions. Sorry for all the pestering but I am
out of my league on this one.

Thanks again ...
 
Pegasus (MVP)

So far you have disabled the startup programs. If this does not
resolve the problem then you need to disable the services. While
in msconfig, click the Services tab, then tick the box that says
"Hide all Microsoft services". Now untick all the remaining
boxes and reboot the machine.

If this fails to resolve the problem then you must physically
remove any adapter you may have plugged into your PC, e.g.
your sound card or network adapter.
 
Guest

Okay, assume the "repair" is not going to fix the problem, sounds like you
believe I have a hardware problem. My motherboard has an onboard network
adapter and USB ports. I have a Creative Soundblaster Card, an ATI Video
Card, and an ATI TV Wonder card. Do I disconnect everything or just pull out
the cards and try that first? I am currently disconnected from the network.
Assume we then do the same as in msconfig, one at a time? Thanks again for
all the help.
 
Pegasus (MVP)

Pull out all cards that are removable, then try again. It's
the fastest way to resolve this issue!
 