Win XP Pro - local policy of this system does not permit you to logon interactively

[DaveM]

This morning I rebooted my Win XP Pro (after installing the latest
security windows update)

When I get to the logon screen, in addition to seeing my account
there, I see login prompts accounts that do exist but never show on
the XP logon page:

ASP.NET Machine account
SQLDebugger
Guest

I do have Visual Studio.NET installed.

When I try to log on with my account, I get a popup

"The local policy of this system does not permit you to logon
interactively"

When I try to start in safe mode and logon as administrator I get the
same.

I have not intentionally done anything regarding users, domains or
computer management. Norton Antivirus AutoUpdate is on. I am 99% sure
the XP firewall is on. I know I have turned it off before, but I am
pretty good about putting it back on. Since I cannot logon, it is
tough to tell if it was on or not.

I have tried connecting to the computer using another and the "net use
\\mycom\c$ password /user:username" but that only gave me a logon
failed.

It seems someone / Trojan / virus was able to disable all the NT
accounts.

Any help is appreciated.

 

[Doug Knox MS-MVP]

Dave,

You may well be screwed. But then again, maybe not. Since you do have access to the affected computer via the LAN, I hope you have access from an XP or Win2K machine.

On the other machine, click Start, Run and enter REGEDIT Go once there, go to File, Connect Network Registry. Type in the machine name of the affected computer. You'll see another computer icon listed at the bottom of the tree, with that machine name. Expand it and go to HKEY_LOCAL_MACHINE\Security. Right click on the Security subkey and select Permissions. Give Administrators "Full Control". Press the F5 key to refresh the view in REGEDIT. Now you should be able to see the subkeys under Security. In the Security subkey, go down to Policy\Accounts. Look for the account that matches yours. This is by the SID. The SID is the number that looks similar to this:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-21-1606980848-1604221776-725345543-1014

Your account will be one of the longer SID strings. The shorter ones are not user accounts.

There is no way to tell from the contents of the keys, which SID belongs to who. You can download a small VBS script from

http://www.dougknox.com/xp/scripts/xp_accountsid.vbs

This script will allow you to enter the machine name of the problem machine and extract a list of SID's/User information and display it in Notepad. Do not use the \\name convention, just enter the machine name.

Once you've determined the correct SID for your user account, right click the appropriate subkey and select Export. This creates a backup, just in case. Then right click the same key and select Delete.

Next, right click the computer icon for the remote computer and select Disconnect, to disconnect the remote Registry. You should now be able to log on locally to the affected machine. You may need to reboot the machine for the change to take effect.

If not, then reconnect to the remote computer's registry and re-import the REG file you exported earlier. And if this doesn't work, your only option may be a paralell installation of XP and then recover your data from the problem system.