Win2K suddenly blocked at boot

[Massimo Nespolo]

Greetings,
I am experiencing an unexpected problem in my laptop running Win2KPro
SP4 with all the patches, fixes and updates installed.

Suddenly, it stops the boot process at the Win2K screen, when the blu bar
has reached its final position, and before showing the desktop with the
login window.

Rebooting doesn't help
Rebooting in safe mode doesn't help
I've tried reparing the installation from the CD-ROM, with the emergency
disk (first with the "F" option, then with the "M" one), no changes.
I have tried the recovery console, with a chkdsk /p : nothing changed
I have tried the recovery console with a fixboot: no change
I have NOT yet tried the fixmbr from the recovery console (I leave it as
last desperate option - I have only one volume, with only one partition)
I have also tried to boot from the antivirus emergency disks (AVG),
but nothing changed. I strongly doubt it may be a virus - I keep my
antivirus always updated and I never open a file without having it scanned
before.

This laptop gave some disk errors in the past, but I have recently
reformatted the disk and done a clean install, and since then no more error
messages. Nevetheless, I'm afraid a boot sector may be damaged.

Any suggestions, before I run and buy a new HD? I have multiple copies of
my data on other machines, but I am on a tight schedule and would love to
avoid spending a day or so in re-installing everything.

Many thanks in advance.

Massimo Nespolo
Nancy, France

 

[Pegasus \(MVP\)]

Greetings,
I am experiencing an unexpected problem in my laptop running Win2KPro
SP4 with all the patches, fixes and updates installed.

Suddenly, it stops the boot process at the Win2K screen, when the blu bar
has reached its final position, and before showing the desktop with the
login window.

Rebooting doesn't help
Rebooting in safe mode doesn't help
I've tried reparing the installation from the CD-ROM, with the emergency
disk (first with the "F" option, then with the "M" one), no changes.
I have tried the recovery console, with a chkdsk /p : nothing changed
I have tried the recovery console with a fixboot: no change
I have NOT yet tried the fixmbr from the recovery console (I leave it as
last desperate option - I have only one volume, with only one partition)
I have also tried to boot from the antivirus emergency disks (AVG),
but nothing changed. I strongly doubt it may be a virus - I keep my
antivirus always updated and I never open a file without having it scanned
before.

This laptop gave some disk errors in the past, but I have recently
reformatted the disk and done a clean install, and since then no more error
messages. Nevetheless, I'm afraid a boot sector may be damaged.

Any suggestions, before I run and buy a new HD? I have multiple copies of
my data on other machines, but I am on a tight schedule and would love to
avoid spending a day or so in re-installing everything.

Many thanks in advance.

Massimo Nespolo
Nancy, France

Have a look at this registry key:
HKLM/Software/Microsoft/Windows NT/Current Version/Winlogon/Userinit
It's supposed to reference %SystemRoot%\system32\userinit.exe.
Check if userinit.exe actually exists at the referenced location.

There are several ways how you can do this:
1. By running regedit.exe via a networked machine.
2. By installing the disk as a slave disk in some desktop PC, and
running regedt32.exe. You will need to buy a cheap adapter
for the IDE ribbon cable.
3. By booting with a Linux disk from
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

It would be helpful if you reported the recent history of the
machine (hardware/software changes).

 

[Massimo Nespolo]

Have a look at this registry key:
HKLM/Software/Microsoft/Windows NT/Current Version/Winlogon/Userinit
It's supposed to reference %SystemRoot%\system32\userinit.exe.
Check if userinit.exe actually exists at the referenced location.

There are several ways how you can do this:
1. By running regedit.exe via a networked machine.
2. By installing the disk as a slave disk in some desktop PC, and
running regedt32.exe. You will need to buy a cheap adapter
for the IDE ribbon cable.
3. By booting with a Linux disk from
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

It would be helpful if you reported the recent history of the
machine (hardware/software changes).

First, thanks for your answer.
I haven/t changed anything in my laptop during the last weeks. I have only
updated the antivirus. The only "anomaly" I had yesterday was a print job
interrupted (printed connected via parallel port).

I tried the boot from the Lnux disk as you suggested. I could go to the
registry editor, but I am stopped there. The prompt says "[1020]" and I
don't know how to reach the correct key. An "ls" command shows only a
couple of subkeys, <sam> and <security> (maybe a third one I have
forgotten?). Do you have any hint about the syntax of the editor?

The laptop is connected to a desktop via a cross cable, but I cannot
access it from the desktop: the logon does not start, and the laptop is
not visible from the desktop - although the network connection is alive.

Many thanks in advance.

Massimo

 

[Pegasus \(MVP\)]

Have a look at this registry key:
HKLM/Software/Microsoft/Windows NT/Current Version/Winlogon/Userinit
It's supposed to reference %SystemRoot%\system32\userinit.exe.
Check if userinit.exe actually exists at the referenced location.

There are several ways how you can do this:
1. By running regedit.exe via a networked machine.
2. By installing the disk as a slave disk in some desktop PC, and
running regedt32.exe. You will need to buy a cheap adapter
for the IDE ribbon cable.
3. By booting with a Linux disk from
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

It would be helpful if you reported the recent history of the
machine (hardware/software changes).

First, thanks for your answer.
I haven/t changed anything in my laptop during the last weeks. I have only
updated the antivirus. The only "anomaly" I had yesterday was a print job
interrupted (printed connected via parallel port).

I tried the boot from the Lnux disk as you suggested. I could go to the
registry editor, but I am stopped there. The prompt says "[1020]" and I
don't know how to reach the correct key. An "ls" command shows only a
couple of subkeys, <sam> and <security> (maybe a third one I have
forgotten?). Do you have any hint about the syntax of the editor?

The laptop is connected to a desktop via a cross cable, but I cannot
access it from the desktop: the logon does not start, and the laptop is
not visible from the desktop - although the network connection is alive.

Many thanks in advance.

Massimo

You write that the network connection is alive. There are several
degrees of "alive". See if you can make a network connection to
C$. If you can then you should launch regedt32.exe, then click
File / Load Hive, and specify x:\winnt\system32\config\system.
You can then specify the HKey_Local_Machine hive.

If you cannot make a connection then the Linux disk gives
you the tools to edit your registry. I wrote the guide below
for a different job - it is totally based on the help text built
into the Linux disk.

1. (not relevant here)
2. (not relevant here)
3. Boot from the boot disk.
4. Accept the suggested NT partition.
5. Accept the full path to the registry directory.
6. Type system
7. Type 9 (for Registry Editor)
8. Type ? (to see the available commands)
9. Type ls (to see the current keys)
10. Type cd CurrentControl (it's case-sensitive!)
11. Type cd Control
12. Type cd Session Manager
13. Type cd Memory Manager
14. Type type PagingFiles
You can now see where the system expects your paging file to be.
15. Type edit PagingFiles
16. Type C:\pagefile.sys 192 385
(or whatever is appropriate for you)
17. Type --n
18. Type type PagingFile
You should see your changes.
19. Type q
You will be prompted to save or discard your changes.

 

[Massimo Nespolo]

You write that the network connection is alive. There are several
degrees of "alive".

I mean that on my desktop I see the two PCs icon flashing, and pointing on
that it says "100Mpbs"

See if you can make a network connection to
C$. If you can then you should launch regedt32.exe, then click
File / Load Hive, and specify x:\winnt\system32\config\system.
You can then specify the HKey_Local_Machine hive.

I can't access the laptop, unluckily.

If you cannot make a connection then the Linux disk gives
you the tools to edit your registry. I wrote the guide below
for a different job - it is totally based on the help text built
into the Linux disk.

1. (not relevant here)
2. (not relevant here)
3. Boot from the boot disk.
4. Accept the suggested NT partition.
5. Accept the full path to the registry directory.
6. Type system
7. Type 9 (for Registry Editor)
8. Type ? (to see the available commands)
9. Type ls (to see the current keys)

Here is what I get:

Simply registry editor. ? for help
[1020] ls
ls of node at offset 0x1024
Node has 1 subkeys and 0 values
offs keyname
[1120] <SAM>

That's all!

10. Type cd CurrentControl (it's case-sensitive!)

I get the answer:
Key CurrentControl not found!

11. Type cd Control
12. Type cd Session Manager
13. Type cd Memory Manager
14. Type type PagingFiles
You can now see where the system expects your paging file to be.
15. Type edit PagingFiles
16. Type C:\pagefile.sys 192 385
(or whatever is appropriate for you)
17. Type --n
18. Type type PagingFile
You should see your changes.
19. Type q
You will be prompted to save or discard your changes.

I would love to follow your kind instructions, but I get simply a "not found" error.

Do you think it would be of some help to delete the pagefile.sys from the recovery console, as described
in KB255205 (http://support.microsoft.com/default.aspx?kbid=255205)?

Thanks again for your help!

Massimo

 

[Pegasus \(MVP\)]

You write that the network connection is alive. There are several
degrees of "alive".

I mean that on my desktop I see the two PCs icon flashing, and pointing on
that it says "100Mpbs"

See if you can make a network connection to
C$. If you can then you should launch regedt32.exe, then click
File / Load Hive, and specify x:\winnt\system32\config\system.
You can then specify the HKey_Local_Machine hive.

I can't access the laptop, unluckily.

If you cannot make a connection then the Linux disk gives
you the tools to edit your registry. I wrote the guide below
for a different job - it is totally based on the help text built
into the Linux disk.

1. (not relevant here)
2. (not relevant here)
3. Boot from the boot disk.
4. Accept the suggested NT partition.
5. Accept the full path to the registry directory.
6. Type system
7. Type 9 (for Registry Editor)
8. Type ? (to see the available commands)
9. Type ls (to see the current keys)

Here is what I get:

Simply registry editor. ? for help
[1020] ls
ls of node at offset 0x1024
Node has 1 subkeys and 0 values
offs keyname
[1120] <SAM>

That's all!

10. Type cd CurrentControl (it's case-sensitive!)

I get the answer:
Key CurrentControl not found!

11. Type cd Control
12. Type cd Session Manager
13. Type cd Memory Manager
14. Type type PagingFiles
You can now see where the system expects your paging file to be.
15. Type edit PagingFiles
16. Type C:\pagefile.sys 192 385
(or whatever is appropriate for you)
17. Type --n
18. Type type PagingFile
You should see your changes.
19. Type q
You will be prompted to save or discard your changes.

I would love to follow your kind instructions, but I get simply a "not
found" error.

Do you think it would be of some help to delete the pagefile.sys from the
recovery console, as described
in KB255205 (http://support.microsoft.com/default.aspx?kbid=255205)?

Thanks again for your help!

Massimo

===================

You may have to try a little harder! I did not invent the Nordahl boot
disk but I found it not too hard to follow the on-screen help and
navigate to this key:

Software/Microsoft/Windows NT/Current Version/Winlogon

You must, of course, load the "Software" hive! I tried it myself a
moment ago and I found that the value for "Userinit" was
"c:\winnt\system32\userinit.exe".

You can delete the paging file if you want to. Doing so won't to
any harm but it may not do any good either.

 

[Massimo Nespolo]

You may have to try a little harder! I did not invent the Nordahl boot
disk but I found it not too hard to follow the on-screen help and
navigate to this key:

Software/Microsoft/Windows NT/Current Version/Winlogon

You must, of course, load the "Software" hive! I tried it myself a
moment ago and I found that the value for "Userinit" was
"c:\winnt\system32\userinit.exe".

I am sorry, I had missed one important step.
OK, now I can navigate to that key, and I have found the same result as
yours. I have also checked that the "useinit.exe" is really there (with
the recovery console). And it's there! So, the problem does not seem to be
a corrupted registry key. Can the file itself be corrupted? And in
that case, how to replace it, if possible? With the same file I have on
the desktop PC, maybe?

You can delete the paging file if you want to. Doing so won't to
any harm but it may not do any good either.

In fact, it didn't change anything.

Massimo

 

[Pegasus \(MVP\)]

You may have to try a little harder! I did not invent the Nordahl boot
disk but I found it not too hard to follow the on-screen help and
navigate to this key:

Software/Microsoft/Windows NT/Current Version/Winlogon

You must, of course, load the "Software" hive! I tried it myself a
moment ago and I found that the value for "Userinit" was
"c:\winnt\system32\userinit.exe".

I am sorry, I had missed one important step.
OK, now I can navigate to that key, and I have found the same result as
yours. I have also checked that the "useinit.exe" is really there (with
the recovery console). And it's there! So, the problem does not seem to be
a corrupted registry key. Can the file itself be corrupted? And in
that case, how to replace it, if possible? With the same file I have on
the desktop PC, maybe?

You can delete the paging file if you want to. Doing so won't to
any harm but it may not do any good either.

In fact, it didn't change anything.

Massimo
===========================
Things are getting a little difficult . . .

You can replace the userinit.exe by booting the machine with your
Win2000 CD, then selecting "Repair", then "Command Console".
This is probably what you did when deleting the paging file.

You could also replace the System registry file with its previous
version, which could be intact: Rename c:\winnt\system32\config\system
to system.bad, then "system.alt" to "system".

Furthermore you could re-install Win2000 over the top of your
existing installation. This would preserve your current settings.

 

[Massimo Nespolo]

Things are getting a little difficult . . .

You can replace the userinit.exe by booting the machine with your
Win2000 CD, then selecting "Repair", then "Command Console".
This is probably what you did when deleting the paging file.

Yup. I have now replaced the userinit.exe file (renaming the old one):
didn't help

You could also replace the System registry file with its previous
version, which could be intact: Rename c:\winnt\system32\config\system
to system.bad, then "system.alt" to "system".

Done. No change.
I have also tried something more "brutal". From the repair process and the
emergency disk, I have replaced all files that differed from the original
installation (I know, losing all the patches and service packs): again, no
result!

Furthermore you could re-install Win2000 over the top of your
existing installation. This would preserve your current settings.

I'm trying installing in another folder. Same folder would mean to lose
everything (this is what setup says). After that I'll try a checkdisk
(still convinced something is wrong with the disk...).

Massimo

 

[Massimo Nespolo]

Well, nothing worked so I am reinstalling everything from the scratch.
Thanks for your help, Pegasus: I have learnt something.
Luckily I always keep multiple up-to-date copies of my data, so that a
crash is never fatal for me - just the time to reinstall everything.

Massimo

 

[Pegasus \(MVP\)]

Well, nothing worked so I am reinstalling everything from the scratch.
Thanks for your help, Pegasus: I have learnt something.
Luckily I always keep multiple up-to-date copies of my data, so that a
crash is never fatal for me - just the time to reinstall everything.

Massimo

I protect myself against this sort of thing by keeping a couple
of snapshots of my drive C:. Such snapshots can be made
in a couple of ways:
- By an imaging program such as PQMagic DriveImage,
Norton Ghost or Acronis TrueImage
- With a 32-bit ZIP program, provided that you boot the
laptop with a Bart WinXP PE CD.

I restored my laptop last night from such an image. It took
me 20 minutes.