Solved

winlogon.exe application error invalid memory reference

Posted on 2004-04-09
20
20,388 Views
Last Modified: 2011-08-18
Brand new PC. I have four users loging into this machine with the same login script. However with one user I get a winlogon.exe application error and then an invalid memory reference. I have run a repair on XPP. Then I replaced the memory. I then wiped the machine clean and reinstalled. I keep getting the same error with this user. All four users are setup on this PC the exact same and the other three have no problems what so ever. I have also removed the login script for the error user to see if that was causing the problem. Still getting error. I also updated the bios and any other driver that needed to. Also once the error occurs you get the option to click ok to exit the program or cancel to debug. Either option you choose immediately restarts the machine. I have searched all over the net trying to find anything on this and no luck. Here are the PC specs.
HP d220mt 2.6G/40G/256M running XPP with all updated sp and patches. Office 2003 with all office updates installed. Please help! I have exhausted all other resources. Thanks!
Also running Mcafee 4.1 have checked their site and nothing as well.
0
Comment
Question by:reedler
  • 6
  • 5
  • 3
  • +2
20 Comments
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 10793012
Hi reedler,
As a login script is being run this implies a server is being used that could be hosting a corrupted user profile.  Backup and delete the contents of the users home directory or profile directory.  As admin on the XP machine use the system icon in the control panel to delete their cached local profile.  Have them log in again to get a default profile (loosing their preferences) and log out and then in again to save it to the server and check all is well.  Copy back bits of their old profile if needed.  Likely a large file caused corruption so advise them not to save things to their desktop.
usual disclaimers apply
0
 

Author Comment

by:reedler
ID: 10824806
Well after testing the above solution it worked fine when I did not run the login script. However when I did run the login script I get the error. I am also on an NT 4 domain. THis login script has been working fine for all other users on multiple OS's including many XPP. This script is actually a kix script with a drive mapping. Anymore help much apprec.
0
 
LVL 11

Accepted Solution

by:
Joseph O'Loughlin earned 280 total points
ID: 10827107
Has the username any non alphanumeric characters in the name, like John O'Connor, where the appostrpphy causes some scripts problems?
Is the user in question in different groups so getting a different part of the kix script run than the other users?
You may need to post the script  here.
0
 

Author Comment

by:reedler
ID: 10835104
No, all users are the same format. I am noticing when McAfee tries to open at logon it hangs and I get the winlogon error message. I am now investigating with them. Will let you know how it turns out.  
0
 

Author Comment

by:reedler
ID: 10932684
Looks like it was a problem with McAfee. Thanks for your help though
0
 

Expert Comment

by:jgessing
ID: 11153986
I had this too, and it turned out to be spyware. VX-2 better internet.
You can actually not respond to the application error, just move the window out of the way.
Then you can look at the "send error report to microsoft" popup
Click on details, and it tells you that:
RUN DLL as APP 6uo4svc.dll has caused a problem.
When I did a search on 6uo4svc, I got three references to VX2 better internet.
Ran Ad-Aware, and it picked it up, and removed it.
0
 

Expert Comment

by:keyser_soze111
ID: 11190125
i have the same issue on a corperate network, where one user out of 300 has this issue, all of which run the same logon script, and they log on to a system what is running windows XP which has all of the latest updates on it, with office 2003, lotus notes 6.5.1, eTrust AV, and some in house access database's. this user has the issue on there PC, and on our terminal server, but they apear to be seperate issues.. any help would be much appreciated.
o, and it apears to be and intermitant problem, has happened about 6 times in the last month.. but causes the user not to be able to logon

thanks in advance,

Keyser_soze
0
 

Expert Comment

by:jgessing
ID: 11192809
Keyser,

If you can ignore the front popup (Failure message)
Focus on the standard Windows error dialog that asks to send the error report to Microsoft.
In that box click the details link, and see what DLL, or other file is actually casuing the failure.
We can continue from there later.

jgessing
0
 

Expert Comment

by:keyser_soze111
ID: 11193832
jgessing,

we don't get the windows error dialog send box, doesn't come up is there any other things i can look for?

thanks
0
 

Expert Comment

by:jgessing
ID: 11193918
Can you get the PC to come up in safe mode ?
If not, can you still move the "application error" window down to a corner, and still perform otehr windows tasks (don't press either of the buttons on the error dialog)

If so, can you search the hard drive and see how many winlogon.exe files you have ?

I have heard that the viurus Netsky can disguise itself as winlogon.exe.

You should only have one file by this name and it should be in the \windows\system32\   directory
If it is also in \Windows then it is probably an imposter.  rename it with a .old extension.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Expert Comment

by:keyser_soze111
ID: 11194220
ok, i've had a look at the computer over the LAN, and there is only one copy of winlogon.exe, but the wired thing about this error, is that it doesn't have happen every time the user log's on, and we have deleted the users' profile about 10 times thinking that t was the problem, to no avail, i have had a look to see if it was the sasser virus, as i had seen else where that the sasser virus can have the same symtoms, and it didn't have it ether. so basicly i have come on here to see if any of you guys know of this problem, and wether there is a known fix for it with out having to reimage the computer since there mission critical database's on there..

Thanks in advance

Keyser Soze
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 11194592
Two things to try
If the problem is that services and drivers have not started, Restart the machine and wait until all disk activity has stopped for over a minute before logging in.
To check if the problem is another startup item, after typing the password but before pressing return, hold down the left shift key, agdin until the profile is loaded and all disk activity has stopped for over a minute.
The more memory the machine has the less time to wait for the idle minute.
0
 

Expert Comment

by:HEC1152
ID: 11481909
Just found this information after experiencing same (?) problem.   I've tried all that was suggested above, but still have problem.  Details are that I suspect problem started after eliminating virus/adware and then restarting computer (not sure).  Anyway symptoms are as described above re error message from WINLOGON.   Except, I cannot move window and see any indication of another startup process running as suggested above.  However, it's pretty clear that something else is running as I get the Windows Registration window, etc and can run through that.   The reason I get this, is that in desparation, I tried doing XP repair and now Windows wants me to register again.   But otherwise the WINLOGON problem is same as before the repair.   Also, I note that only when I bring the machine up in SAFE mode letting it load all services and devices, will it even come up at all.  Other attempts to bring up in diagnostic mode (few services and/or startup routines loaded don't even come up (system hangs in perpetual wait for logon).  Here's possibly another clue - at one time long ago I had McAfee loaded.  Before this problem, after it had gotten rid of unknown trojan, I uninstalled McAfee (or so I think).  However, I still notice a FRAMEWORK service that runs which Google tells me might be a residual of McAfee.  Mention this only because of someone in thread saying that their problem ended up getting resolved by McAfee except they didn't say how.   Anyway, I've tried everything I can think of to include copying known good (but later) version of Winlogon.exe to machine with problem  That resulted in machine now even coming up in SAFE mode of windows - just continuously rebooting.   Had to use recovery console to change back to original winlogon.exe to get back to place where the only way I could come up at all was in SAFE mode.   I'm about ready to just toss the entire Harddrive load, reformat and reload XP, but before resorting to that (ugh) desparate act, I thought I would seek one more option from this Board.  BTW - I did try atheist's comment about waiting for no disk activity had ceased but that didn't make any difference.  

Thanks in advance for any advice even if it's it confirms my hunch that I need to give up
Harry Cooper
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 11486858
Assuming you can get into safe mode
Run msconfig and roll back to when things were working better.  Temporarly disable this feature before using Antivirus tools.
Download stinger from mcafee and rename the executable before running it in safe mode.
Put in the Windows XP cd and run sfc /scannow.  Thie replaces windows files by the versions on the CD (undoing the updates done since).  Run WindowsUpdate untill all critical updates are installed.  You will likely have to take the machine to somewhere that has broadband.  If you are trying to download the 180MB of Windows patches over dialup do giveup.  As a minimal halfway house install ZoneAlarm or another personal firewall.  I use OutPost on my laptop.
Install a different browser - for example Firefox, and only use IE for WindowsUpdate.  
0
 

Expert Comment

by:HEC1152
ID: 11497642
Thanks for the quick reply.   I appreciate your advice and wish I'd come here sooner else I might not have been so deep in my self inflicted rat hole.

Turns out there are no restore points that I can revert to.  My presumption is that I (unwittingly) blew them all away when I did the XP repair install (along with all the various MS updates, hence the window/process that requests I "activate windows" even though I have the stupid winlogon error window right next to it).   On another computer, I did download Stinger, moved it, renamed executable (why?), and ran it in safe mode as you advised.  It didn't find anything.  Also, I'm not sure what/how you mean to "disable this feature before using Anitvirus tools".  Do you mean the Rollback?  If so, how do I disable?  Also, I'm not (to my knowledge) using any Anti-Virus tools since I had uninstalled McAfee long before I noted this problem.  In fact no evidence of McAfee shows up in the Add/Remove Programs.  The only indication I have that it might still have left something behind, that may be a factor, is that when in Safe Mode, using MSCONFIG, I note that one of the listed services (that are stopped while in Safe Mode, I guess) is the "McAfee Framework Service".  Don't know why that should still be around assuming uninstall of McAfee cleaned itself out.   Only thought it might be a factor because someone in this thread implicated McAfee in their post.

Given my situation (no restore points & XP repair already installed), is there any benefit in running sfc /scannow from XP CD as you suggest or is it too late to do anything now - i.e. is this equivalent to what I did with the XP repair install that blew away my restore points? (BTW - booting into safe mode with Network support doesn't work - system just hangs).   I do have broadband high speed connection available but can't get to it on affected computer.   Several other computers are available though so not a problem to get to a lot of data.

Am I hosed up beyond hope or what?

Thanks again for your help,
Harry

I'd heard about Firefox instead of IE and have taken that precaution on other machines, but probably too late on one I'm having problem with.
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 11499410
The reason for renaming stinger is because some viruses contain a list of tasks to kill if they see them running.  I guess you systrem is free from viruses.  SFC is still worth trying but it is also likely that your problem stems from a corrupt registry (so if you have a system state backup restore that).  The reason for disabling rollback is because Windows can  replace newly cured files with older infected files as part of the mechanism to stop applications replacing current windows files with obsolete versions.

Review the system and application logs to see the errors that are occurning.  Save these files from eventviewer  in both .txt and .evt format and upload them to a website or ftp site and post the url here so we can review them.

It llooks like you will have to do a clean or over the top install of XP.  Before connecting to the web install ZoneAlarm (or XP SP2 when it comes out without ZoneAlarm).  Try each applicatrion - many will need to be reinstalled.  Install and udpate a antivirus program.   Update the system using WIndows Update.   Installl Spybot including teatimer to see programs adding themselvees to startup.  Install firefox or a different browser as IE has proved to be full of security holes and make it your default browser.  Only use IE for WindowsUpdate.

0
 

Expert Comment

by:keyser_soze111
ID: 11500388
hey guys, the only way we worked out to get around this issue was to reimage the computer and it appears to clean up the problem, which is quite wired..
but any way thats how we got around it..

0
 

Expert Comment

by:HEC1152
ID: 11507543
Thanks atheist. I will look at error logs as suggested and see what I can do to post them somewhere if they're of any use.   Will repost when I've done so.

Let me see if I understand keyser_soze111 - when you say "reimage" I assume you meant that on the machine with the error you used a 3rd party utility such as PowerQuest DriveImage to create an image of the system drive contents.  Then you reloaded this image onto (another or same?) drive that became new system drive for PC.  After that all worked okay (i.e. no winlogon.exe errors, etc).   Is that ocrrect ?   Also, could you confirm drive image tool that you used along with any unique/special setups as applicable.

Thanks again,
Harry

P.S. I'm getting another new hard drive in preparation for rebuilding the system as I have a bad feeling about this but will continue to try suggestions.
0
 

Expert Comment

by:keyser_soze111
ID: 11510390
HEC1152,
we well have like 200 computers, so we have an image of a computer that can be installed on all computers, so basicly we reinstalled the computer, but the thing was that it is the same files as what was on the last "version" of the computer, so the question has to be asked why does it happen...??

steve
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 11514267
When the system is off info is stored in two places - files on the HD, and a battery backed CMOS to keep disk configuration and other low level stuff.
Once Windows starts loading it loads the registry - a database of configuration settings that is large and complex.  After that there thousands of files on your system.  Corruption of either could be the cause.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Disclosure: Use this tutorial only when no other options helps to get Windows XP running without any problems and you don't want to format the drive. The back up of the data is the responsible of the user, however there is a description of how t…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now