duplicate userinit.exe prevents logoff or shutdown

Posted on 2004-08-25
Last Modified: 2012-06-27
After booting and logging on, I notice two instances of the userinit.exe process.  The first terminates normally.  The second hangs on, without any child processes, for an indeterminate period of time.  Sometimes it exits after a few minutes, sometimes never.   When the second instance is running, a shutdown or logoff takes several minutes (>5 mins, when all other applications are already shutdown).   The is only one mention of userinit.exe is in the  registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.

Any ideas?


Question by:robrien99
  • 7
  • 6
LVL 65

Expert Comment

ID: 11897266
Hello robrien99 =)

Not sure what is causing this,,,,, may be any junk item or wrong registry entry,,, can u Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:

so that i can check if there is any entry present for this process on ur system or not ??

Author Comment

ID: 11903557
Thanks SheharyaarSaahil :->

Here's the Hijack this log...

Logfile of HijackThis v1.98.2
Scan saved at 10:50:09 AM, on 8/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Documents and Settings\rko\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Startup: procexp.lnk = C:\rko\sysinternals\procexpnt\procexp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOAD\RNetPin.dll

LVL 65

Expert Comment

ID: 11905057
im not sure but one thing is confuing me...... see the value for this line >> UserInit=C:\WINNT\system32\userinit.exe
and as far as i know, this shud be >> UserInit=C:\WINNT\system32\userinit.exe,

note the comma thing.... i mean i admit its a tiny thing,,, but really its the Correct and Real Value
why there is not a comma included in ur registry entry ??
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.


Author Comment

ID: 11905400

i took the comma out based on a hunch i got from another soulution.  the comma's since been replaced.  problem continues.


Author Comment

ID: 11906272

ok, this may be self induced.  looks like zonealarm was preventing a subprocess of userinit (started  by a logon script?) from accepting connections from a domain controller.  i reduced the zonealarm internet protection level to medium and the problem goes away.  set the protection level to high, problem returns.

does any of this make sense to anyone?

LVL 65

Expert Comment

ID: 11906889
i dont think that zone alarm shud do this.... try an uninstall and reinstall of xone alram.... may be it has some corruption and that's why behaving like this :-?

Author Comment

ID: 11922083
reinstalled zonealarm as suggested.  seems work for now...
LVL 65

Expert Comment

ID: 11922095
great =)

so as te problem is solved,,, u can close this question.... as u can see the ACCEPT button infront of each comment,,,,, hit the button for that comment which solved ur problem and then assign a grade, that's all :)
for more info. on how to close a Question, plzz refer here >>

Author Comment

ID: 11931102
problem still exists after 2nd zonealarm uninstall/reinstall cycle.... and the reason seems to be a lack of understanding on my part.   lowering the internet protection level to med.  does the trick for now.

LVL 65

Expert Comment

ID: 11934196
that's strange indeed :-o

tell me have u tet tries a SFC scan ??
Goto START>RUN and type  sfc /scannow
u will need ur WinXP CD in order to fix the corrupted windows system files, if found by scan.

Author Comment

ID: 11968375

i did the sfc /scannow and it does ask for several files, but our IT dept won't fork over the win2k disk.  so the case is closed (for now).   if i do without zonealarm the problem is gone.  although, zonealarm has saved me from the last two worms that bored thier way through here.

SheharyaarSaahil:  Many thanks for the help!  

LVL 65

Expert Comment

ID: 11968440
hmmmmmmm.... i can understand that !!

so if the case is closed for u,,,,, then u can close this question also.... if u think someone helped u, u can hit the Accept button infront of his comment, and can assing a grade... that's all :)

and if u think u didn't get help or solution to ur poblem, u can goto support area and can ask a moderator to close this qeustion and refund ur points.... as u wish =)
for more info. on how to close a Question, plzz refer here >>

!! Good Luck !!

Author Comment

ID: 12201127
i've abandoned this issue.  it appears that the company's policies and tools for pc software mgmt are incompatible with zonealarm.  can't get past that.

Accepted Solution

Computer101 earned 0 total points
ID: 12438885
PAQed, with points refunded (500)

E-E Admin

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Robocopy - migrate user shares access denied 6 1,516
Group Policy 9 559
Domain dunctional level. 4 322
Raising Domain/Forest Level to Windows 2003 (from a retired Windows 2000 DC) 8 148
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Do you use a spreadsheet like Microsoft's Excel?  Have you ever wanted to link out to a non excel file on your computer or network drive?  This is the way I found to do it!
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question