Solved

Corrupt dll needs to be replaced

Posted on 2004-09-16
16
956 Views
Last Modified: 2012-06-22
I have a corrupt dll file (advpack.dll) that is causing a lot of problems - primarily I can't install updates.  How do I replace it with the 'advpack.dl_' file in my c:/I386 folder?  Or is there a better solution?
0
Comment
Question by:humeniuk
  • 7
  • 7
  • 2
16 Comments
 
LVL 8

Expert Comment

by:sgstuart
ID: 12081317
HI humenluk,
       Follow these steps and you should be good.
1)   Log into the machine with the corrupt .dll with an account that has Admin rights.

2)  Run regsvr32 -u advpack.dll   now rename the file to advpack.old
      If it would not let you unregister the file, you still might be able to rename the file, and do that.

3)   Restart the machine

4)   Run "Expand advpack.dl_ advpack.dll"
     move the new advpack.dll to its proper location

5) Run regsvr32 advpack.dll

6)  You may need to restart the machine one more time, but you should not need to.

Now try it again.

Thanks,
Steven Stuart
0
 
LVL 2

Assisted Solution

by:andyswarbs
andyswarbs earned 50 total points
ID: 12084593
You may run into Windows file protection issues with the above process.  Although you replace the file, on reboot the original (bad file) is put back in place. Also are you sure this is the bad file?  perhaps there are others.

the pukkah way to solve this is to click start_> run and enter "sfc /scannow".  This should run through your entire set of MS dlls and fix any that are wrong.  It knows about your service pack updates as well. It may ask your for your win2k cd.


Andy
0
 
LVL 33

Author Comment

by:humeniuk
ID: 12085136
Thanks for the prompt response.

sgstuart,

When I follow step 2, I get the following error message:
"advpack.dll was loaded, but the DllUnregisterServer entery point was not found.
DllUnregisterServer may not be exported, or a corrupt version of advpack.dll may be in memory.  Consider using PView to detect and remove it."

If I rename the file (I used advpack.bak), the .dll file is replaced within seconds, not even after reboot as andy suggested.  I tried step 4 anyway, but with no success.


andywarbs,

I ran 'sfc /scannow' and the problem wasn't resolved.


Here's why I think that file is corrupt:

When I try to update Windows, I get the following error message -
"Error creating process <C:\ . . . etc . . . > Reason: INNT\system32\advpack.dll
I can't see the rest of the error message because thanks to the wonders of MS, it runs of the side of the dialog box into oblivion.

I have researched this problem on E-E and on the web via Google and it is generally referred to as being caused by a corrupt advpack.dll file.  Additional suggestions I've tried include running a repair install, but nothing has worked, I still can't install updates.  Similarly, Windows Media Player has vanished from my system and can't be reinstalled.  I've checked repeatedly for viruses and other types of malware (spybot, AdAware, HijackThis, etc.), but come up clean every time.

The only solution I've seen for this is the one I'm trying to avoid - a clean reinstall.
0
 
LVL 8

Expert Comment

by:sgstuart
ID: 12085839
HI humeniuk,
      I should have realized that it would not work and that it was going to be harder, I forgot that it gets recreated in mere seconds, because it is Windows 2000.

       Microsoft actually has a tool that you can use called "inuse.exe" that will allow you to replace in-use dll's on the fly.   I have used it many times in the past, on servers.  It is very simple to use.
     Download it from Microsoft at  http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp
 by going to this link, and clicking on the inuse.exe download icon in the upper right.


    After you have the inuse.exe on the machine in question.  
1) Have an uncorrupted version of the advpack.dll placed somewhere, on or off the server, on is easier.
2) open a command prompt to the directory that has the inuse.exe
3) at the prompt type 'inuse.exe c:\directory\advpack.dll c:\winnt\system32\advpack.dll /y'
4) the /y makes it promptless, if you want to be prompted to hit Y or N  then leave that off.,  the c:\directory\advpack.dll is the path to the uncorrupted version,   the c:\winnt\system32\advpack.dll is the path to where the in-use dll is located.

This should do the trick, let me know if you have more questions.

Thanks,
Steven Stuart
0
 
LVL 8

Expert Comment

by:sgstuart
ID: 12085857
Hi Humeniuk,
    I should have said,  5) restart at the end of that.   It will tell you that the Changes do not take affect until you reboot though.

Thanks,
Steven Stuart
0
 
LVL 33

Author Comment

by:humeniuk
ID: 12087165
Thanks for the tip, Steven.  I gave it a try and got the following message:

"c:\winnt\system32\advpack.dll is protected by WFP"

Is there a way to turn of WFP or can I circumvent it by attempting this in safe mode (or something like that)?
0
 
LVL 8

Accepted Solution

by:
sgstuart earned 250 total points
ID: 12087371
Hi humeniuk,
     I am seeing if that happens to disable WFP  by changing a registry setting.  
  The registry is at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

These are the Registry Values that are relevant to play with
Registry Values

SFCDisable (REG_DWORD)
0 = enabled (default)
1 = disabled, prompt at boot to re-enable
2 = disabled at next boot only, no prompt to re-enable
4 = enabled, with popups disabled

NOTE: For options 1 and 2: Both of these options require a kernel debugger to be hooked up for those options to become useable. If a kernel debugger is not hooked up, Windows File Protection is not disabled.
SFCScan (REG_DWORD)
0 = do not scan protected files at boot (default)
1 = scan protected files at every boot
2 = scan protected files once

Because it states that you may need to have a kernel debugger hooked up it may not work.  However, this is the easiest suggestion.

      Another suggestion that I have seen is  to try slaving it in another machine and overwriting it that way, but you would need a spare computer.

Thanks,
Steven Stuart
0
 
LVL 8

Expert Comment

by:sgstuart
ID: 12087558
Hi Humeniuk,
     I found this article which my add some additional tips to disabling WFP.

http://www.roger.id.au/tweaks/visual/fileprotection.php


Thanks,
Steven Stuart
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 2

Expert Comment

by:andyswarbs
ID: 12111306
I have beaten WFP by copying the file to the clipboard and have a couple of explorer dlg boxes open on sys32 and sys32\dllcache.  Then as the system gets close to shutting down paste, paste, paste repeatedly. At some point WFP gives up and bang your last paste kicks in.  

Also WFP sometimes restore from where service pack files are stored (in case both sys32 and dllcache are corrupt, I guess) - so if you overwrite that advpack it might be an easy fix.  Actually the more I think about it simply overrite the servicepack file and lets WFP "correct" the situation for you.  I would certainly like to know if this works - since it implies that WFP can be usurped and it can be turned against itself.

Sounds interesting huh? I am dying to know if you have luck with this.
0
 
LVL 33

Author Comment

by:humeniuk
ID: 12114404
andyswarbs,
I tried your methods first (potentially simple solution), but to no avail.  I replaced all instances of advpack.dll and advpack.dl_ with known good versions, etc., but the problem persists.


sgstuart,
I reviewed the link you provided and downloaded the recommended hex editor, but I was lost when I opened the sfc.dll file to edit it.  Can you give any directions as to how to find/edit the entry I am supposed to fix according to the info in that link?  (ie. " SFC.DLL from Win2000 SP2: go to physical offset 00006211 (6211h) and change the 8BC6 bytes to read 9090.")
0
 
LVL 33

Author Comment

by:humeniuk
ID: 12114559
FYI - I also tried disabling through the registry entry as outlined, but still got the "c:\winnt\system32\advpack.dll is protected by WFP" message.
0
 
LVL 8

Expert Comment

by:sgstuart
ID: 12117909
Hi Humeniuk,
      Try following this website instead, I think it is easier to follow there is no hex editing, which the one I previously gave you  (which happens to only be valid for W2k SP2)  I have SP4 and it is not a valid address.    If one does not know how to use it,  I would not.

    So try the following instead, move down to the how to disable WFP part.

http://www.griffin-digital.com/wfp.htm

The main thing, which the other one showed as well, but could have been over looked. is change that registry key to ffffff9d,   see if it works first without a reboot, if it does great, if not,  reboot again and try again.   Make sure after the reboot, that the registry still has that change.

    I hope this works for you this time.

Thanks,
Steven Stuart
0
 
LVL 33

Author Comment

by:humeniuk
ID: 12118286
That explains it to some degree.  I also have SP4.  I tried the registry change, but didn't check it after rebooting.  I'll review the link and then try again.

Thanks for sticking with this.
0
 
LVL 33

Author Comment

by:humeniuk
ID: 12118444
The registry change has been made and is holding, but it still says the file is protected by WFP.  I noticed in the process of checking everything that I have no dllcache, though.  Any thoughts?
0
 
LVL 8

Expert Comment

by:sgstuart
ID: 12119663
hi humeiuk,
      I am running out of suggestions.   The only other thing I can think of.   Is try to run from another boot partition.   Another Hard Drive or another disk.  A harder way would be the slave computer, but I do not know enough to give you directions going that route.

     If you can get a boot CD or DVD with enough of the operating System on it, so that you can see your current System folder, then you would be able to get to it as those files would not be protected anymore, as they would not be the boot partition.  At that point you could just move the file in and rename the old one or what ever you wish.    This will fix the file if it is truly corrupted, but if it is something else, it probably will not.   Make sure to use a file that you know is good.

Thanks,
Steven Stuart
0
 
LVL 33

Author Comment

by:humeniuk
ID: 12124197
I'd thought about that - using another computer, but at this point, based on the fact that I can't even be completely sure that the problem is that the file is corrupt, I would prefer to just go the re-install route.  This is what I was trying to avoid in the first place, but I've already spent as much time trying to avoid it as I would have accepting it  :-)

Thank you for your persistence and good advice.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now