User immediately logs off after entering username and password

David

Hi there! I'm having the following problem:

My WinXP Pro startup goes on normally until it asks me to choose my user
account and I enter my password.

Immediately after entering my password, when XP should log in, it logs off
instead and goes back to the screen where I must choose my user account.

Does it mean that someone has entered a shortcut to "shutdown.exe" in
the startup folder? If so, how can I solve this? Can it be anything else?

Best regards.

David - Pt
 
smlunatick

Have you tried a different account?

You may have to use the "Administrator" account in order to check the
"Startup" folders (user account AND the All Users one.)
 
nass

It could be a damaged/corrupt user account (Admin account or Admin group!).

What happens if you try Safe Mode, does it work?
If it does, you may have bad hardware or a bad driver causing this issue; see
the Device Manager in Safe Mode and the Event Viewer for error messages, which
can help in solving or identifying the culprit in your case.

You may be experiencing profile corruption; try to create a new profile (as
Admin) and copy the data from one of these profiles to the new one and test to
see if it works.
If it does work then you know it is profile corruption. After making sure
you copied all the data from the old profile to the new one, you can safely
delete the old corrupted one, and do the same with the other accounts.
How to Identify a Damaged User Profile and Create a New Profile
http://support.microsoft.com/kb/811151
How to copy data from a corrupted user profile to a new profile
http://support.microsoft.com/kb/811151
HTH.
nass
 
John John

Often a sign of malware replacing the userinit file or registry entries
at the Winlogon userinit value. It can also occur if the boot volume
drive letter assignment was changed in the Registry's MountedDevices
database. Does your computer have a floppy diskette drive? How many
hard disks does the computer have? How many partitions and how many
operating systems on the drives and partitions? Is the computer
networked? Do you have another Windows XP computer available?

John
 
Guest

Another possibility is an invalid/missing TEMP folder, or one where the
permissions have been set to not allow the user access.
 
David

This problem occurs with all user accounts.

The computer does not have a floppy disk drive.

It has one hard drive, single partition and with a single OS - Win XP

It's a laptop

I have another computer with XP available

It has a network connection.


Thanks!

David
 
John John

If the laptop is part of a network you can access it and modify the
registry by one of the means mentioned in this article:

Unable to log on if the boot partition drive letter has changed
http://support.microsoft.com/kb/249321/

Your problem might be caused by a boot drive letter change but I kind of
doubt that that is the problem, nonetheless it's easy enough to verify
and eliminate that possibility. In addition to the above also see:

How to restore the system/boot drive letter in Windows
http://support.microsoft.com/kb/223188/

As I already mentioned, I rather doubt that your problem is drive letter
related, I think that this looks like yet another one of those pests
that changes the userinit value at the Winlogon key in the registry.
Incorrectly changing the userinit value typically results in the
computer rebooting and returning to the logon screen when it cannot find
the associated userinit entries.

The Userinit entry is at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Here is the description of the value:

Specifies the programs that Winlogon runs when a user logs on. By
default, Winlogon runs Userinit.exe, which runs logon scripts,
reestablishes network connections, and then starts Explorer.exe, the
Windows user interface.

You can change the value of this entry to add or remove programs. For
example, to have a program run before the Windows Explorer user
interface starts, substitute the name of that program for Userinit.exe
in the value of this entry, then include instructions in that program to
start Userinit.exe. You might also want to substitute Explorer.exe for
Userinit.exe if you are working offline and are not using logon scripts.

[end quote]

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true

Some spyware and other pests can make use of or exploit the userinit entry
to load their trash before the user GUI starts. If you remove spyware
and other such pests without removing them from the registry at the
above mentioned location you might experience the reboot behaviour such
as the one you are now experiencing. At other times the value may have
been completely removed, in which case you have to recreate it, the key
normally contains the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name: Userinit

Value data: C:\WINDOWS\system32\userinit.exe,

*Note the comma at the end of the value string*

Windows Log on and Log off immediately.
http://support.microsoft.com/kb/555648

At other times some of these pests simply hijack the userinit.exe file
itself to do their dirty deeds: they remove the valid userinit.exe file
and place their malware (renamed as userinit) at the valid location.
Then there may be no changes made to the registry value itself, but when
the key is read and when userinit is executed the operating system is
actually executing the pest itself instead of the valid userinit.exe.
If your AV/Antispyware tools remove the impostor without placing the
valid file back to its original location then you may also experience
the reboot behaviour. See here for typical information on how to remove
invalid files and how to restore the registry value:

You cannot log on to Windows XP after you remove Wsaupdater.exe
http://support.microsoft.com/kb/892893

John
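
A check for the Userinit value described in the post above, as an added example that is not part of the original thread: it reads a `.reg` export of the Winlogon key (taken, for instance, over the network from the second XP machine) and reports a missing value, a missing trailing comma, or any program other than the default. The sample exports and the `example.exe` name are constructed, and the expected path assumes Windows is installed in `C:\WINDOWS`.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"  # default data quoted in the thread

# Constructed sample exports (not taken from a real machine).
SAMPLE_OK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''
SAMPLE_BAD = SAMPLE_OK.replace("userinit.exe,", "example.exe")  # hypothetical leftover entry
SAMPLE_MISSING = "\n".join(SAMPLE_OK.splitlines()[:4])          # value deleted


def read_userinit(reg_text):
    """Return the Userinit string from .reg export text, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON.lower()
            continue
        m = re.match(r'"Userinit"="(.*)"$', line, re.IGNORECASE)
        if in_key and m:
            # .reg files escape backslashes and quotes inside string data
            return re.sub(r"\\(.)", r"\1", m.group(1))
    return None


def audit_userinit(value):
    """Return a list of findings; an empty list means the value is the default."""
    if value is None:
        return ["Userinit value is missing: recreate it"]
    findings = []
    if not value.endswith(","):
        findings.append("no trailing comma")
    programs = [p.strip() for p in value.split(",") if p.strip()]
    for prog in programs:
        if prog.lower() != EXPECTED.lower():
            findings.append("unexpected program: " + prog)
    if EXPECTED.lower() not in (p.lower() for p in programs):
        findings.append("userinit.exe is not launched")
    return findings
```

A clean result covers only the registry value; it says nothing about whether the `userinit.exe` file itself has been replaced, which is the second case the post describes.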
 
Ramesh, MS-MVP

Addendum:

If this is a "userinit" issue, you can fix this via BartPE's boot environment.

How to edit the registry offline using BartPE boot CD ?:
http://windowsxp.mvps.org/peboot.htm

--
Regards,

Ramesh Srinivasan, Microsoft MVP [Windows Shell/User]
Windows® Troubleshooting http://www.winhelponline.com


 
