[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 592
  • Last Modified:

duplicate userinit.exe prevents logoff or shutdown

After booting and logging on, I notice two instances of the userinit.exe process.  The first terminates normally.  The second hangs on, without any child processes, for an indeterminate period of time.  Sometimes it exits after a few minutes, sometimes never.   When the second instance is running, a shutdown or logoff takes several minutes (>5 mins, when all other applications are already shutdown).   The is only one mention of userinit.exe is in the  registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.

Any ideas?

Thanks.


0
robrien99
Asked:
robrien99
  • 7
  • 6
1 Solution
 
SheharyaarSaahilCommented:
Hello robrien99 =)

Not sure what is causing this,,,,, may be any junk item or wrong registry entry,,, can u Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe

so that i can check if there is any entry present for this process on ur system or not ??
0
 
robrien99Author Commented:
Thanks SheharyaarSaahil :->

Here's the Hijack this log...

Logfile of HijackThis v1.98.2
Scan saved at 10:50:09 AM, on 8/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\ePOAgent\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\rko\sysinternals\procexpnt\procexp.exe
C:\Documents and Settings\rko\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Launch Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Startup: procexp.lnk = C:\rko\sysinternals\procexpnt\procexp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i-nj.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i-nj.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i-nj.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOAD\RNetPin.dll

0
 
SheharyaarSaahilCommented:
im not sure but one thing is confuing me...... see the value for this line >> UserInit=C:\WINNT\system32\userinit.exe
and as far as i know, this shud be >> UserInit=C:\WINNT\system32\userinit.exe,

note the comma thing.... i mean i admit its a tiny thing,,, but really its the Correct and Real Value
why there is not a comma included in ur registry entry ??
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
robrien99Author Commented:

i took the comma out based on a hunch i got from another soulution.  the comma's since been replaced.  problem continues.

0
 
robrien99Author Commented:

ok, this may be self induced.  looks like zonealarm was preventing a subprocess of userinit (started  by a logon script?) from accepting connections from a domain controller.  i reduced the zonealarm internet protection level to medium and the problem goes away.  set the protection level to high, problem returns.

does any of this make sense to anyone?


0
 
SheharyaarSaahilCommented:
i dont think that zone alarm shud do this.... try an uninstall and reinstall of xone alram.... may be it has some corruption and that's why behaving like this :-?
0
 
robrien99Author Commented:
reinstalled zonealarm as suggested.  seems work for now...
0
 
SheharyaarSaahilCommented:
great =)

so as te problem is solved,,, u can close this question.... as u can see the ACCEPT button infront of each comment,,,,, hit the button for that comment which solved ur problem and then assign a grade, that's all :)
for more info. on how to close a Question, plzz refer here >> http://www.experts-exchange.com/help.jsp#hs5
0
 
robrien99Author Commented:
problem still exists after 2nd zonealarm uninstall/reinstall cycle.... and the reason seems to be a lack of understanding on my part.   lowering the internet protection level to med.  does the trick for now.

0
 
SheharyaarSaahilCommented:
that's strange indeed :-o

tell me have u tet tries a SFC scan ??
Goto START>RUN and type  sfc /scannow
u will need ur WinXP CD in order to fix the corrupted windows system files, if found by scan.
0
 
robrien99Author Commented:

i did the sfc /scannow and it does ask for several files, but our IT dept won't fork over the win2k disk.  so the case is closed (for now).   if i do without zonealarm the problem is gone.  although, zonealarm has saved me from the last two worms that bored thier way through here.

SheharyaarSaahil:  Many thanks for the help!  



0
 
SheharyaarSaahilCommented:
hmmmmmmm.... i can understand that !!

so if the case is closed for u,,,,, then u can close this question also.... if u think someone helped u, u can hit the Accept button infront of his comment, and can assing a grade... that's all :)

and if u think u didn't get help or solution to ur poblem, u can goto support area and can ask a moderator to close this qeustion and refund ur points.... as u wish =)
for more info. on how to close a Question, plzz refer here >> http://www.experts-exchange.com/help.jsp#hs5

!! Good Luck !!
0
 
robrien99Author Commented:
i've abandoned this issue.  it appears that the company's policies and tools for pc software mgmt are incompatible with zonealarm.  can't get past that.
0
 
Computer101Commented:
PAQed, with points refunded (500)

Computer101
E-E Admin
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 7
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now