asked on

duplicate userinit.exe prevents logoff or shutdown

After booting and logging on, I notice two instances of the userinit.exe process. The first terminates normally. The second hangs on, without any child processes, for an indeterminate period of time. Sometimes it exits after a few minutes, sometimes never. When the second instance is running, a shutdown or logoff takes several minutes (>5 mins, when all other applications are already shutdown). The is only one mention of userinit.exe is in the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.

Any ideas?

Thanks.

SheharyaarSaahil

Hello robrien99 =)

Not sure what is causing this,,,,, may be any junk item or wrong registry entry,,, can u Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe

so that i can check if there is any entry present for this process on ur system or not ??

robrien99

ASKER

Thanks SheharyaarSaahil :->

Here's the Hijack this log...

Logfile of HijackThis v1.98.2
Scan saved at 10:50:09 AM, on 8/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\ePOAgent\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\rko\sysinternals\procexpnt\procexp.exe
C:\Documents and Settings\rko\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Startup: procexp.lnk = C:\rko\sysinternals\procexpnt\procexp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i-nj.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i-nj.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i-nj.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOAD\RNetPin.dll

SheharyaarSaahil

im not sure but one thing is confuing me...... see the value for this line >> UserInit=C:\WINNT\system32\userinit.exe
and as far as i know, this shud be >> UserInit=C:\WINNT\system32\userinit.exe,

note the comma thing.... i mean i admit its a tiny thing,,, but really its the Correct and Real Value
why there is not a comma included in ur registry entry ??

robrien99

ASKER

i took the comma out based on a hunch i got from another soulution. the comma's since been replaced. problem continues.

robrien99

ASKER

ok, this may be self induced. looks like zonealarm was preventing a subprocess of userinit (started by a logon script?) from accepting connections from a domain controller. i reduced the zonealarm internet protection level to medium and the problem goes away. set the protection level to high, problem returns.

does any of this make sense to anyone?

SheharyaarSaahil

i dont think that zone alarm shud do this.... try an uninstall and reinstall of xone alram.... may be it has some corruption and that's why behaving like this :-?

robrien99

ASKER

reinstalled zonealarm as suggested. seems work for now...

SheharyaarSaahil

great =)

so as te problem is solved,,, u can close this question.... as u can see the ACCEPT button infront of each comment,,,,, hit the button for that comment which solved ur problem and then assign a grade, that's all :)
for more info. on how to close a Question, plzz refer here >> https://www.experts-exchange.com/help.jsp#hs5

robrien99

ASKER

problem still exists after 2nd zonealarm uninstall/reinstall cycle.... and the reason seems to be a lack of understanding on my part. lowering the internet protection level to med. does the trick for now.

SheharyaarSaahil

that's strange indeed :-o

tell me have u tet tries a SFC scan ??
Goto START>RUN and type sfc /scannow
u will need ur WinXP CD in order to fix the corrupted windows system files, if found by scan.

robrien99

ASKER

i did the sfc /scannow and it does ask for several files, but our IT dept won't fork over the win2k disk. so the case is closed (for now). if i do without zonealarm the problem is gone. although, zonealarm has saved me from the last two worms that bored thier way through here.

SheharyaarSaahil: Many thanks for the help!

SheharyaarSaahil

hmmmmmmm.... i can understand that !!

so if the case is closed for u,,,,, then u can close this question also.... if u think someone helped u, u can hit the Accept button infront of his comment, and can assing a grade... that's all :)

and if u think u didn't get help or solution to ur poblem, u can goto support area and can ask a moderator to close this qeustion and refund ur points.... as u wish =)
for more info. on how to close a Question, plzz refer here >> https://www.experts-exchange.com/help.jsp#hs5

!! Good Luck !!

robrien99

ASKER

i've abandoned this issue. it appears that the company's policies and tools for pc software mgmt are incompatible with zonealarm. can't get past that.

ASKER CERTIFIED SOLUTION

Computer101

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial