logonui hung, no explorer.exe, no desktop icons

TonyG

I see people in forums everywhere posting on this, but no resolutions.
Let's find out what this is!

Symptoms
My XP SP1 with full patches was working fine. I booted this morning
and saw a warning that there was an invalid registry key, but that a
prior version of the registry was available and it was going to use
that. I had to OK it. Then nothing.

I hard reset. I have auto-login to a user in group admin. I see the
desktop wallpaper, hear the music, then it goes back to windows logon
and stays there. The only thing active is ctrl-alt-delete which brings
up task manager. The desktop under that shows wallpaper with no icons.
logonui.exe is running and a few other services, explorer.exe is not.
I cannot run explorer.exe manually from File>Run because there are no
program associations. I can't see any recent errors because (no
associations) I can't run control panel (any other way to do this?). I
can't regedit for the same reasons.

Shutdown>Restart and Shutdown>TurnOff from the Task Manager menu do
not work. I figured a good boot may require a clean wrapup.

If I close task manager, there are no icons on the desktop.
Right-clicking shows no context menu, so I can't "Show desktop icons",
"Arrange icons by", etc. Ctrl-alt-delete again doesn't re-open task
manager, hard reset is the only option.

Safe Boot IS available
F8 does work, and I can select "with Command prompt" from the menu.
While it shows the same logonui issue, I now have a command prompt,
and can execute Notepad, and regedit! I still have no icons or context
menu from the desktop, and browsing with the notepad Open dialog only
shows some folders depending on how I drill down into them.

I did not do any system configuration or installs of new software
yesterday. I have fully updated NAV 2004 but it's possible that I got
hit with a nasty virus (don't know how, this is a development machine
and "surfs safe"). Problem is that I can't do a scan/check in this
condition. I have daily backups of critical data, my last save of the
registry was done a couple weeks ago. I can backup the registry now
but am not sure how to do a check to get a delta and see what
happened.

Please provide some suggestions for how to get logonui to finish
whatever it's doing, launch explorer.exe, and otherwise get this
system back to normal. Any tips on what to look for in the registry or
logs are welcome.

I don't know if there is a way to boot into safe mode with a command
prompt AND with networking. I'd really like to be able to extract my
backups off of this system through the network, just in case the
system can't be salvaged.

Thanks!!
 
Guest

If you have safe mode command prompt, I would run chkdsk.exe. It may ask you
to reboot if windows files are in use. If necessary just power off. Chkdsk
will run before your user logon welcome. This may clean up minor corruption.
 
TonyG

Thanks Larry. I did a chkdsk without repair and it was clean.

Going through the registry, so far I see most of the registry keys
under this key have been deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
The ones obviously missing are the "extension" keys beginning with
".", then there are just other sporadic ones, but out of the hundreds
of keys that should be there, I only have about 50.

I created several .reg files from my registry backup to restore this
tree. Then I used "regedit name.reg" to import the data from the
backup. I guessed at that point that I'd need to reboot in order for
Windows to see and use the new registry keys. I executed msconfig and
set the boot to Safe with Networking.

Now when I boot I get into safe/networking mode, but I can't manually
boot into safe with command prompt or into normal mode anymore. The
boot.ini overrides whatever I do at the F8 menu. Also, despite
importing a ton of registry keys the system still does not recognize
any file extensions - including important ones like .exe, so now I
can't even execute cmd.exe - I no longer have any control.

Three things are on my mind now:
1) Getting control: What can I do from task manager File>Run to get
some control back, assuming I can't execute .exe files, meaning I
can't even execute regedit.exe anymore to manually add file
associations? How can I reset boot.ini without msconfig and without
an editor, so that I can boot and get back a command prompt? What
happens if we select the "go back to last known good configuration
setting"? Does that mess with profiles? Will that reset the
registry? Will that reset boot.ini?
2) Cleaning up: Is anyone aware of a virus that targets this Classes
tree? And what other damage should I look for in the registry if this
is a known issue?
3) What else do I need to do/restore in order to have .reg files
update the registry? Apparently the import didn't "take", or
something deleted the entries again after I imported them - still
active virus??

Thanks again!
 
Guest

You mention you "regedit name.reg" to import the data from the
backup. If you have a backup that includes system state (that includes
registry keys) and ideally with data files, I would restore your system from
backup.
 
TonyG

> You mention you "regedit name.reg" to import the data from the
> backup. If you have a backup that includes system state (that includes
> registry keys) and ideally with data files, I would restore your system from
> backup.

Thanks again Larry. Still looking for more feedback from others too.
I'm documenting little lessons below for anyone else who goes down
this path.

The problem in restoring any system is that we "may" have all of the
data, but re-installing programs and config settings from scratch
takes a very long time, and the new system is never quite the same as
the old one. About that "may" word - I do selective backups of all
data and whatever configurations I know about - I prefer to not just
save every byte unquestioningly. But since applications hide data in
different places, I'm not positive I have everything either. I have
it in my ToDo list to ensure that I have a complete backup of
everything necessary to recover, but I'm not quite there. Re-install
or Repair Update is the easy solution, but it doesn't get us any
closer to knowing what caused this problem in the first place. I
think Microsoft should know what it is so others stop getting into
this situation.

Update
The system was stuck in safe/networking mode because boot.ini
overrides whatever you select from F8 options. Since I had a network,
I was able to copy boot.ini to another system, remove the
/safeboot:network switch, then simply copy the file back. With
another reboot I got a command prompt back.

Using my registry backup to restore the registry was a good idea,
using notepad to break up the massive .reg file into smaller pieces
wasn't good. With the command prompt back I used Wordpad to edit and
save sections of my massive .reg file into smaller Unicode files -
Wordpad also doesn't insert its own CRLF at line wraps. For each
file I then used "regedit filename.reg" to reload small sections back.
It looks like regedit is done as soon as you OK the load, but you need
to wait until you get a confirmation that it's done (I may not have
done that the first time around either). Bottom line on this, I fully
restored the Classes section and it looked OK before rebooting.

On reboot into normal mode, I got the same thing as when I started, no
desktop or icons. Going back to safemode with command prompt I saw
the classes section got hit again. It looks like one of my primary
startup routines has been compromised into corrupting the registry. I
used msconfig to prevent all non-Microsoft Services and Startup
processes from starting at boot, then reloaded the Classes registry
from backup. I want to do a clean reboot but Restart doesn't work
from Task Manager, and the Shutdown command (w/wo -r option) doesn't
bring the system down either. I have to hard-reset the box in order
to reboot.

Power-up into safe mode with command prompt again, I see the exact
same Classes keys are no longer in the registry, but others that were
there before are - it looks like the registry isn't flushing. The
system flushes to disk because file changes are persisted across
reboots. Either the registry is not saving because I hard crash it,
or something is hammering it every time I reboot, even into safe mode.
Is there some command to flush the registry? How long does it wait
between flushes? http://support.microsoft.com/?kbid=839562 shows that
there is a key to set the lazy flush for the registry, I'll try this
later.

For now, my challenge is to figure out how to make registry changes
stick. Sigh. I think this system can be salvaged, and maybe we can
find out what causes this condition.

Tony
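
An added example, not part of the original posts: one way to get the "delta" between a backup export and a current export of HKLM\SOFTWARE\Classes, and to write only the missing keys to a small import file instead of cutting the backup up by hand in an editor. It assumes both inputs are regedit exports (REGEDIT4 ANSI or version 5.00 UTF-16); the function names and the sample exports are constructed for illustration.

```python
import codecs

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"

def decode_reg(raw):
    """Return (text, is_utf16). v5 exports are UTF-16LE with a BOM; REGEDIT4 is ANSI."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le"), True
    return raw.decode("cp1252"), False  # assumption: Western ANSI code page

def encode_reg(lines, utf16):
    """Join lines with CRLF and encode the way regedit writes that format."""
    body = "\r\n".join(lines)
    return codecs.BOM_UTF16_LE + body.encode("utf-16-le") if utf16 else body.encode("cp1252")

def parse_sections(text):
    """Map lowercased key path -> (header line, value lines). Key names are
    case-insensitive; wrapped hex continuation lines stay with their value."""
    sections, key = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith("[HKEY") and line.rstrip().endswith("]"):
            key = line.rstrip()[1:-1].lower()
            sections[key] = (line.rstrip(), [])
        elif key is not None and line.strip():
            sections[key][1].append(line)
    return sections

def missing_keys(backup_raw, current_raw, root=ROOT):
    """Keys under `root` that the backup export has and the current export lacks."""
    have = parse_sections(decode_reg(current_raw)[0])
    prefix = root.lower() + "\\"
    return [hdr[1:-1] for key, (hdr, _) in parse_sections(decode_reg(backup_raw)[0]).items()
            if key.startswith(prefix) and key not in have]

def build_import(backup_raw, current_raw, root=ROOT):
    """Build a .reg file holding only the missing keys, in the backup's own
    format and encoding (so hex(2)/hex(7) data is not reinterpreted)."""
    text, utf16 = decode_reg(backup_raw)
    wanted = {k.lower() for k in missing_keys(backup_raw, current_raw, root)}
    out = [text.lstrip().split("\n", 1)[0].rstrip(), ""]  # reuse the backup's header line
    for key, (hdr, values) in parse_sections(text).items():
        if key in wanted:
            out += [hdr, *values, ""]
    return encode_reg(out, utf16)

# Constructed sample exports, not data from the thread.
HDR = "Windows Registry Editor Version 5.00"
BACKUP = encode_reg([HDR, "", "[" + ROOT + r"\.exe]", '@="exefile"', "",
                     "[" + ROOT + r"\.txt]", '@="txtfile"', "",
                     "[" + ROOT + r"\CLSID]", ""], True)
CURRENT = encode_reg([HDR, "", r"[HKEY_LOCAL_MACHINE\Software\Classes\CLSID]", ""], True)

if __name__ == "__main__":
    print(missing_keys(BACKUP, CURRENT))
```

The current export can be produced from the safe-mode command prompt with `regedit /e`, and the generated file is imported with "regedit filename.reg" as described in the post.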
 
TonyG

Update
After restoring the entire HKLM\Software\Classes structure in safe
mode and waiting for a while, I was able to run explorer, which
returned the desktop icons, task bar, start menu, etc. I ran Norton
AntiVirus, Ad-aware, and SpyBot, all of which showed a clean system.
The system looked fine, except that I still could not shutdown/reboot
by any means. I had to hard reset. Coming back into safe mode the
system was back to the corrupted state, with the same 50 or so keys
under HKLM\Software\Classes.

Something is stopping a clean shutdown and something is zapping the
registry on boot. I'm not a registry guru by any stretch and I'm all
out of tricks. Any ideas at this point?

Ref:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/registry_hives.asp
This info on the registry says "The setup phase of the Windows boot
process automatically retrieves data from these supporting files. You
can also retrieve data manually using the Import Registry File menu
item of the Registry Editor (Regedit.exe). When you shut down Windows,
the operating system automatically writes the hive data to the
supporting files." Since I can't shutdown, is this data simply not
getting written to disk, even though I leave it sit for a few hours?
How do I flush hive data to disk!?

Is there some other part of the registry I need to check?

Is it safe to just restore the entire HKLM?

Do I need to restore the corresponding keys in HKEY_CLASSES_ROOT for
Windows to verify HKLM\Software\Classes? Does the system replace
HKLM\Software\Classes with the contents of HKEY_CLASSES_ROOT, or the
other way around?

This has to be a solvable problem, I don't want to do a repair install
except as a very last resort.

Thanks!
 
TonyG

System is back
Things are back (mostly) in order, though I have no idea what caused
the problem. The lazy flusher was turned off so the registry was not
flushing to disk, and since the system could not be shutdown it wasn't
flushing then either.

I know there is a free "sync" program (SysInternals) that forces a
disk flush but I don't know if that works on the registry. Hello
Microsoft - it would be nice if Windows included this sort of thing
because so many people need it for databases and other purposes.

With some reading I found the NT process of creating an Emergency
Repair Disk was supposed to flush the registry. XP has the Automated
System Recovery process which I hoped would do the same, but that
wouldn't run - either it doesn't like safe mode or the same issue
stopping the flusher in the first place caused ASR to abort.

I looked at my user profile and saw it has 1.37GB of data. I thought
maybe I've blown some limit, or maybe the profile itself was
corrupted. To reduce the size I moved large files to other virtual
drives on the system. Through Tweak UI I disabled autologon so that on
reboot I could get into another user - maybe to reset the registry,
flush, then come back. After taking all of those steps, I was able to
logoff, login, create an ASR image, restart, etc. Again, no idea what
the problem was or which remedy really fixed it.

Because I used msconfig to disable non-Microsoft services I needed to
reset required services to start automatically. There is still some
minor weirdness that I can live with but I suspect a re-install is
prudent at some point soon.

Summary
To answer one of my own questions: After reloading
HKLM\Software\Classes, the registry self-mirrored the data to
HKEY_CLASSES_ROOT.

People here and elsewhere suggested that I do a repair installation,
but I'm not using ntbackup and haven't been generating ASR images -
but I will now. Despite all of my backups I was only half-prepared
for this event, which could have been much more of a disaster.

Follow-ups are welcome from anyone who sees this and has a clue - the
reason I turned this into a diary is that I've seen others stuck with
no other option than a reinstall. My experience shows that's not 100%
required, provided you have data and registry backups, a little
knowledge, and a lot of determination.
