Automatic logoff as soon as I logon

Posted on 2004-08-04
Last Modified: 2011-08-18
Can anyone help me?

When I logon to Win XP Pro, it automatically will logoff. It's a continuous loop - even in safe mode, under different user accounts.

I was installing some software (I just got this PC) like SQL server tools, Plus!, Money, Sonic Record Now!, PowerDVD, Office 2003.

Baffling... Any ideas?
I am in the recovery console as we speak...
Question by:jagoodie
LVL 18

Accepted Solution

Crash2100 earned 250 total points
ID: 11722102
You could try doing a repair installation of windows.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP;en-us;315341

Author Comment

ID: 11722245
trying that now..
LVL 34

Expert Comment

ID: 11723250
This is caused by a malware named BlazeFind. It adds an entry in the registry which is causing the problem.

From Recovery Console, make a copy of the file userinit.exe and name it WSAUPDATER.EXE

There was a KB article at Lavasoftusa, which has now been removed. So, look at the previous newsgroup posting:


(Type this in Start/Run box)

Once done, you should be able to login successfully. Next, correct the registry setting, as explained here:

(Type this in Start/Run box)

The Userinit value must be changed in the registry.

LVL 34

Expert Comment

ID: 11723513
Clearly documented at:

Quick Launch settings are not saved; Search Assistant Toolbar in Taskbar:

Author Comment

ID: 11725635
After I did the in-place install it logged in successfully.  I did a scan for BlazeFind, and it was not present.  I never get spyware.

Expert Comment

ID: 11858437
Hi - I solved my automatic LOGOFF problem that occurred every time I LOGGED ON - even in SAFE Mode. The problem turned out to be that the Winlogon userinit entry was set to "wsupdater.exe," and not "userinit.exe,".  I fixed the problem by 1) booting to a Repair Console (IBM provides this on their laptops), 2) changing directory to C:\WINDOWS\System32, and 3) copying userinit.exe to wsaupdater.exe (there was no wsaupdater.exe present). I then 4) rebooted into Safe mode and successfully logged on as Administrator (for the first time in several days!)  Next step was to 5) edit the registry and change userinit in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from "wsaupdater.exe," to "userinit.exe,"; 6)  final reboot and back to normal!

If this doesn't work, there are other things to try.  See posting in microsoft.public.windowsxp.security_admin:

Good luck
--Rick Lewis--

Expert Comment

ID: 12132772
The problem seems to be that BlazeFind (malware) copies the userinit.exe file to wsaupdater.exe and refers to this file in the registry instead of userinit.exe. Antivirus programs (I noticed it with NAV myself in several cases) then delete this file, which results in the problem as described.

This is easy to solve with the recovery console of Windows XP. Copy (rename) the userinit.exe file to wsaupdater.exe in the recovery console. Now you're able to log on again and you can restore the original situation in the registry.

More information on how to use the recovery console is easy to find at Microsoft's site.

This solution is actually the same as sramesh2k's.


Author Comment

ID: 12133032
Yes, which didn't work.

Expert Comment

ID: 12234754
Try the instructions listed below.  The renaming the file thing mentioned above worked for me for about a week, then it seemed the malware updated itself to use a different malicious registry edit, one which I haven't figured out yet.

Note I got these instructions from a Google cache of a Lavasoft forum page.  The latter seems unavailable and I can't find the link to the former right now, but below is a possible alternative solution if copying the userinit.exe into wsaupdater.exe:.  This gives you instructions on how to recover from a previously known good software registry hive (if I said that right).  It should allow you to repair your newest registry using an old registry, then go back to the newest registry after it has been repaired.

My problem is that I don't know yet what the new malicious registry edit is to repair it.  I am going to try a text comparison tool on an export of the 2 registries, but I will save that for another night.

Hope this helps,



First it is necessary to go to the recovery console. If you are unsure of how to get to recovery console please see .

At the recovery console, it is necessary to replace the software hive with a previous good backup. Please type in each of the following bold lines, pressing ENTER after each one.

C:\windows>cd system32\config
C:\windows\system32\config>ren software software.old
This renames the current software hive to software.old
C:\windows\system32\config>copy C:\windows\repair\software

It should indicate: "1 file(s) copied"

NOTE: After the next step, remove the CD, then boot into safe mode. If you do not boot into safe mode in Windows XP, it may prompt you to reactivate and you may not be able to get into Windows.


Now hit the F8 key and boot into safe mode. Logon to the administrator account when you reach the Welcome screen.

The next step is to edit the old registry to change the path to the userinit.exe file:

open regedit.exe
Highlight HKEY_LOCAL_MACHINE (note: this is important, if you do not highlight this the next step will not work)
goto file - load hive...

Select your old registry file which should be in C:\windows\system32\config\software.old
It will ask you what to name it, if you don't understand, just type "test".

Navigate to the following:
HKEY_LOCAL_MACHINE\<what you named this in the previous step>\microsoft\windows nt\currentversion\winlogon.
Look at what the userinit value is. It is likely something like %system32%\userinit.exe which is invalid.

Next change the value to read C:\windows\system32\userinit.exe

Now close the registry editor, and go back to recovery console to put your original registry back. It should look like this:
C:\windows>cd system32\config
C:\windows\system32\config>del software
C:\windows\system32\config>ren software.old software


This issue is resolved with Definition File SE1R10 28.09.2004.
Special thanks to Lavasoft Member dorkfish for his assistance in this matter.


Expert Comment

ID: 12239671
Thank you very much for the instructions. I had the same problem and followed these instructions; it is back up and working great.

Expert Comment

ID: 12572891
works for me too!! great thanks nyashinsky!! i've been doing every method out there in existence.. and yours work perfectly!!!! i've been looking for a solution for DAYS AND DAYS on END!!! WHEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEW!!!!!!!!!!!!!!!

Expert Comment

ID: 12575466
I want to thank everyone for their assistance on this frustrating problem.

I'm posting a bit of a followup!  I wasted a few hours because I thought I was following all of the instructions, but in fact I was not!  I see that a few others have indicated that they tried to follow the instructions and it didn't work.  It may be that they also did not follow the work around EXACTLY.

1)  I tried to do my file copies from the DOS PROMPT using a DOS BOOT DISK.  The files appear to copy and work, but IN FACT IT DOES NOT.  Once I finally went to the original Windows Install CD and entered using the Recovery Console, everything worked correctly.  From the DOS prompt using the Recovery Console, copy the userinit.exe to the wsauserupdater.exe file.
2) REBOOT INTO SAFE MODE and you should be able to logon as the administrator.
3) Correct your registry using REGEDIT.  NOTE: - one user commented to watch the case sensitivity of the entry.  I didn't take any chances, and made the changes to the WINLOGON entry as "C:WINDOWS\system32\userinit.exe," following it exactly for the upper and lower case, and to include the comma at the end, and everything worked for me!

I probably spent an hour or two researching this problem, and the fix should only have taken about 10 to 15 minutes.  I wasted several hours by not going to the Recovery Console the first time around!

Thanks everyone!


Expert Comment

ID: 12577120
Dear bobert2,

I cannot speak for thomas101 and andreni78 directly in this regard, though I have every reason to believe them, but I can assure you that I did "follow the work around" _EXACTLY_.  As a matter of fact, if you read my post carefully you'll see I followed those instructions exactly and successfully, once.  The second time around it was exactly and unsuccessfully.  Both times I used the recovery console; the second time I was even told that the file in question already existed.

I can certainly sympathize with your plight, having been in similar situations where I nearly followed the directions and only recognized my mistake after nearly doing it until I did it exactly.  In the end, one truth (usually) prevails, or so says Conan Edogawa, so I must thank you for your contribution to the discussion, but politely refute your suggestion that there are not variants out there that make the registry value in question simply unreadable, and the original work around ineffective.

While I am at it, I will be happy to say to thomas101 and andreni78, You're Welcome!  Share and Share alike

I would also say, since I am already on my soapbox, that while the original answer by crash2100 would have solved the problem, it wasn't nearly as good as the one later posted by sramesh2k, whom I would also like to thank.  He provided much more insight on the problem and his solution had a much lower risk of losing existing settings, and it didn't require reapplying MS Updates.  Without his posting I would have been unlikely to find the way to work around BlazeFind's evolving evil ways.

Expert Comment

ID: 12582156
i fixed it.. but it came back.. then i fixed it again.. rescanned my computer with adaware.. and only found cookies... what's the deal? hmmm

Author Comment

ID: 12583402
Fun.  Windows can really bite sometimes.  By chance, is your PC a Dell?  Mine is.

Expert Comment

ID: 12587221
yes my pc is a dell.. but that's irrelevant?

Expert Comment

ID: 12587230
by the way.. this is my 3rd time fixing it...

Expert Comment

ID: 12587316
every time.. it changes my setting to c:\winnt\system32\userinit.exe when my root NT folder is winxp.. and next to it.. is always: iprotect.exe... so what i did is.. made a folder winnt\system32 and copied userinit.exe in it.. and copied userinit.exe over iprotect.exe and gave it a read only attribute.. hopefully this solves the problem
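
The Userinit values reported in this thread can be checked mechanically. The following is an added example, not code from any poster: `audit_userinit` and its `present` parameter are hypothetical names, a bare file name is assumed to resolve to system32, and the sample values are constructed from the ones quoted above.

```python
import ntpath
import re

def _resolve(entry, system_root):
    """Turn one Userinit entry into a normalized, lower-case full path."""
    # Expand the two variables commonly used for the Windows directory.
    path = re.sub(r"%(systemroot|windir)%", lambda m: system_root, entry, flags=re.I)
    if not ntpath.dirname(path):
        # Assumption: a bare file name is looked up in <system_root>\system32.
        path = ntpath.join(system_root, "system32", path)
    return ntpath.normcase(ntpath.normpath(path))

def audit_userinit(value, system_root=r"C:\WINDOWS", present=None):
    """Return findings for a Winlogon Userinit value (empty list = clean).

    present: optional set of files known to exist, e.g. from a directory
    listing of the offline volume; enables the missing-file check.
    """
    expected = _resolve("userinit.exe", system_root)
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    resolved = [_resolve(e, system_root) for e in entries]
    if present is not None:
        present = {ntpath.normcase(ntpath.normpath(p)) for p in present}
    findings = []
    if expected not in resolved:
        findings.append("expected userinit.exe is not launched")
    for raw, path in zip(entries, resolved):
        if path != expected:
            findings.append(f"unexpected program: {raw}")
        if present is not None and path not in present:
            # The referenced file is gone: the logoff loop described above.
            findings.append(f"file missing on disk: {raw}")
    return findings

# Constructed sample values, modelled on the ones quoted in this thread.
SAMPLES = [
    (r"C:\WINDOWS\system32\userinit.exe,", r"C:\WINDOWS"),
    ("wsaupdater.exe,", r"C:\WINDOWS"),
    (r"c:\winnt\system32\userinit.exe,iprotect.exe", r"C:\winxp"),
]

if __name__ == "__main__":
    for value, root in SAMPLES:
        print(repr(value), "->", audit_userinit(value, root) or "OK")
```

On a running system the value to audit can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`.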

Expert Comment

ID: 12589228

Do you have a software firewall running on your machine?  I found that after installing ZoneAlarm's free version, updates/mutations to the spyware/malware were stopped.  This was a decisive turning point for me.


Expert Comment

ID: 21950693
Hey Guys,

Thank you so much for your solutions.  I have tried all of them and I am not able to get rid of the problem.  Has there ever been a situation where none of the solutions worked?  I have run out of time and patience.  I thought about removing the hard drive from the desktop, making a USB connection to another computer, and trying to scan and remove the virus.  Do you know if this is a possible solution?  If you guys have any other solutions, please let me know, because if not I have no other choice but to wipe it.


Expert Comment

ID: 22297005
I have tried everything above.  It seems it is not related to adaware.

Could I get some advice on this?

Expert Comment

ID: 33643044
I was like a lot of you and none of the above listed helped me, but everything I searched pointed me here.  What I did was follow an article about changing the boot drive letter....This is your only warning...Incorrectly following these instructions will more than likely cause a complete reload.... Now that you have been warned....

It came to me that something else was causing this issue besides an old virus..  So I ghosted the drive and set the image to cause the drive to chkdsk...  Well, with only one drive connected to the machine, I booted the computer and the Blue Chkdsk screen that comes up said it wanted to check drive E:...Well, it checked the drive and found a few things wrong, and went right back to doing the same auto logout issue.

The drive letter it wanted to check was E: and it should have been C:, which leads to using a Windows PE boot CD like Hiren's.   I booted into the mini-xp mode, and used regedit to load the system hive, and followed the instructions on this page :

To change my boot drive letter back to C: from E:..  Unloaded the hive rebooted and I was in...

Hope this helps....
