XP hangs at welcome screen.  Creates new localservice and networkservice D&S folders.  Maybe caused by Norton Internet Security?

Posted on 2004-10-14
Last Modified: 2008-01-09
Client called with an XP Home SP2 machine that would hang at "welcome" login screen, without even displaying user account icons.  Same behavior in safe mode.  No luck with "last known good configuration".  So I repaired installation from recovery console by manually copying restore point registry hives to system32/config folder, and system works fine now.  But I noticed that in the documents and settings folder, there are now a whole series of new folders that were apparently created every time the system hung.  They are labelled "LocalService.NT Authority.XXX" and "NetworkService.NT Authority.XXX" where the XXX are sequentially numbered 001, 002, 003 and the time stamps on the folders are consistent with one of each being created at each unsuccessful boot.  There are also two folders "LocalService" and "NetworkService", that have been there for a long time, and there are two folders, labelled "LocalService.NT Authority" and "NetworkService.NT Authority" (without the .XXX) that have time stamps a little earlier in the same day (i.e. BEFORE the machine started locking up).  Client had installed Norton Internet Security 2005 that day, which may have created those folders, and may have been the event that triggered everything else, but client wasn't sure of exactly what happened when.   Client had previously had Norton Anti-Virus 2003 on the machine and did not uninstall and purge remnants of it from the machine before installing the new product, which in my experience with Norton products has caused many prior problems.

Based on above, can anyone diagnose why the system wasn't booting properly?   If I run into the problem again, is there a quicker fix than restoring the registry? (which took about 1/2 hour)
Question by:yessirnosir
  • 4
  • 2
  • 2
  • +2

Expert Comment

ID: 12310073
From what you say it seems Norton ****ed up some stuff and system wasnt able to start properly, maybe a Symantec service wasnt able to start due to old files that were on the system. I would try to run computer management on that station and see if you can disable the Symantec services and then boot the station. I think it will work out...
Also, did you look at the Event Viewer? found anything usefull?
LVL 14

Author Comment

ID: 12310209
didn't think to check Event Viewer.  unfortunately working on client's dime so once I got it fixed I left without taking time to search for root cause of original problem, and now I don't have access to machine.  But it's the first time I've ever seen the creation of all those localservice/networkservice folders so am hoping someone might have seen it before, and has insight into what causes it and whether there is an easy fix.

Expert Comment

ID: 12311313
I had a similar problem with a computer that was not displaying user account icons Same behavior in safe mode, so about same as your problem but i did not find those kind of files on the system the problem was Virus related yes hard to think that a virus can do that

but i Scan the system for virus from dos and the system boot up with no problems after i clean all the viruses i learn something  that day :)  
Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

LVL 14

Author Comment

ID: 12311636
thanks Natcom.  in my case I did a full virus scan after I repaired system and it was clean.  and spyware scan only found Hotbar and a bunch of tracking cookies, so I don't think that's it either.  

Expert Comment

ID: 12312284
yeah i cant wait to hear my self what is that all about

Expert Comment

ID: 12330410
Now let’s boot the computer in Safe mode, so that we can have more stable environment:
·      If the computer is running, shut down Windows, and then turn off the power
·      Wait 30 seconds, and then turn the computer on.
·      Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
·      Ensure that the Safe mode option is selected.
·      Press Enter. The computer then begins to start in Safe mode.

Now let’s uninstall Norton Antivirus from Add or Remove wizard, but make sure that you have the Norton CD so that you can reinstall it back. After you uninstall Norton again restart the computer in SAFE MODE only.

And after restarting please carry out these steps;

Click Start then Run
Type regedit and click OK
The Registry Editor Window appears.
Click the "+" to the left of HKEY_LOCAL_MACHINE.
Click the "+" to the left of SYSTEM.
Click the "+" to the left of CurrentControlSet. (make sure that you click on just CurrentControlSet, as you may find CurrentControlSet1 or CurrentControlSet2)
Click the "+" to the left of Services.
Now, locate and click on RpcSs. (make sure that it is highlighted)
On the right side pane, under the Name column, find ObjectName
Double click on ObjectName, delete the entry under Value Data (the entry may be “NT Authority\Network service, but not necessarily you may have other value)
Now type “LocalSystem”  in the Value Data field (Without quotes and any space)
Close Register editor and restart the computer.

Now again boot in SAFE Mode and perform following steps-

1.      Open Internet Explorer.
2.      Click the Tools menu then click Internet Options. 
The Internet Options window appears.
3.      Click the Advanced tab and locate and uncheck Enable third-party browser extensions (requires restart).
4.      Click the OK button.
5.      Close all open Internet Explorer windows.

Now let’s us prepare the system for clean booting that will help to boot the computer faster.

Click the Start button, click Run, and then type msconfig in the Open: text box.
Click the OK button to continue.
The System Configuration Utility window appears.
Click to remove the check next to Load Startup Items.
Click the Services tab.
Click to select Hide All Microsoft Services, and then click the Disable All button.
Click the Apply button, and then click the Close button for Windows XP.
A dialogue box appears prompting you to restart the computer.
Click the Restart button.

Expert Comment

ID: 12330421
Try this above steps..

LVL 14

Author Comment

ID: 12332437
engineer_dell:  you may not have noticed from my original post that the computer wouldn't boot in safe mode.   I fixed machine in recovery console by copying registry hives from one of the RPxxx folders to the system32/config folder.  Then I purged all traces of Norton/Symantec products from the registry and hard drives, and reinstalled Norton Internet Security successfully.  My question really wasn't about how to fix the machine (already done!), but rather about diagnosing what exactly could have been causing the problem described, in the hopes that if I see it again I might be able to solve it more expediently.  Particularly, I'm hoping that a Windows XP guru might be able to explain what process leads to creation of all those LocalService and NetworkService folders.
LVL 14

Author Comment

ID: 12384472
proving that all unsolved problems come back, the same client returned the laptop (a Compaq Presario 2190US) in less than a week with more BSOD lockups.  This time even worse, with BSOD even when trying to access system through recovery console or tyring to reinstall windows from CD.  Consistently received same BSOD message:  Stop 0x00000050 or PAGE_FAULT_IN_NONPAGED_AREA.   I suspected a hard drive failure.  But I was able to access drive with Bart PE (WOW!  what a great tool ) and after copying restore point hives to system32/config, system booted up normally again.  

Then I dug into the Event Viewer, as suggested by stardust126, and found all sorts of error 9, 11, and 51's which all have something to do with the hard
drive or hard drive controller.  Most of them occurred on the date of the first crash, but there were a couple as early as a few weeks ago, and several in the days AFTER the first time I fixed the machine.  Also got an error message in Norton Ghost about an inconsistent NTFS logfile, which I fixed by running scandisk, but I suspect that was caused by my own messing around with files with BartPE, rather than windows (?).   Interestingly, scandisk in thorough mode did not find any other disk errors, so if it was a hard drive crash it didn't leave the kind of debris I might have expected -- or is that normal with self-healing features of NTFS?  Anyway, I got on Compaq's website, and found a BIOS update (SP27646) with a description "Fixes issue where some hard drives could cause an intermittent system error.", so I installed that and after playing with the machine for 24 hours have seen no further errors.  So I returned machine to client, and hopefully problem is now solved.  I still don't totally understand the creation of those NetworkServie and LocalService folders, but now I am of the opinion that it was Windows' response to some kind of hard disk corruption, and that Norton Internet Security may have been just an innocent bystander at the time of the crash.

Accepted Solution

ee_ai_construct earned 0 total points
ID: 12578934
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Occasionally Windows/Microsoft Updates will fail to update. We have found a code that will delete all temporary files and re-register all dll's related to Windows/Microsoft Updates! This works 99% of the time to get the updates working again! The…
In a recent article here at Experts Exchange (, I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question