Link to home
Start Free TrialLog in
Avatar of yessirnosir
yessirnosir

asked on

XP hangs at welcome screen. Creates new localservice and networkservice D&S folders. Maybe caused by Norton Internet Security?

Client called with an XP Home SP2 machine that would hang at "welcome" login screen, without even displaying user account icons.  Same behavior in safe mode.  No luck with "last known good configuration".  So I repaired installation from recovery console by manually copying restore point registry hives to system32/config folder, and system works fine now.  But I noticed that in the documents and settings folder, there are now a whole series of new folders that were apparently created every time the system hung.  They are labelled "LocalService.NT Authority.XXX" and "NetworkService.NT Authority.XXX" where the XXX are sequentially numbered 001, 002, 003 and the time stamps on the folders are consistent with one of each being created at each unsuccessful boot.  There are also two folders "LocalService" and "NetworkService", that have been there for a long time, and there are two folders, labelled "LocalService.NT Authority" and "NetworkService.NT Authority" (without the .XXX) that have time stamps a little earlier in the same day (i.e. BEFORE the machine started locking up).  Client had installed Norton Internet Security 2005 that day, which may have created those folders, and may have been the event that triggered everything else, but client wasn't sure of exactly what happened when.   Client had previously had Norton Anti-Virus 2003 on the machine and did not uninstall and purge remnants of it from the machine before installing the new product, which in my experience with Norton products has caused many prior problems.

Based on above, can anyone diagnose why the system wasn't booting properly?   If I run into the problem again, is there a quicker fix than restoring the registry? (which took about 1/2 hour)
Avatar of stardust126
stardust126

From what you say it seems Norton ****ed up some stuff and system wasnt able to start properly, maybe a Symantec service wasnt able to start due to old files that were on the system. I would try to run computer management on that station and see if you can disable the Symantec services and then boot the station. I think it will work out...
Also, did you look at the Event Viewer? found anything usefull?
Avatar of yessirnosir

ASKER

didn't think to check Event Viewer.  unfortunately working on client's dime so once I got it fixed I left without taking time to search for root cause of original problem, and now I don't have access to machine.  But it's the first time I've ever seen the creation of all those localservice/networkservice folders so am hoping someone might have seen it before, and has insight into what causes it and whether there is an easy fix.
I had a similar problem with a computer that was not displaying user account icons Same behavior in safe mode, so about same as your problem but i did not find those kind of files on the system the problem was Virus related yes hard to think that a virus can do that

but i Scan the system for virus from dos and the system boot up with no problems after i clean all the viruses i learn something  that day :)  
thanks Natcom.  in my case I did a full virus scan after I repaired system and it was clean.  and spyware scan only found Hotbar and a bunch of tracking cookies, so I don't think that's it either.  
yeah i cant wait to hear my self what is that all about
Now let’s boot the computer in Safe mode, so that we can have more stable environment:
·      If the computer is running, shut down Windows, and then turn off the power
·      Wait 30 seconds, and then turn the computer on.
·      Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
·      Ensure that the Safe mode option is selected.
·      Press Enter. The computer then begins to start in Safe mode.


Now let’s uninstall Norton Antivirus from Add or Remove wizard, but make sure that you have the Norton CD so that you can reinstall it back. After you uninstall Norton again restart the computer in SAFE MODE only.

And after restarting please carry out these steps;

Click Start then Run
Type regedit and click OK
The Registry Editor Window appears.
Click the "+" to the left of HKEY_LOCAL_MACHINE.
Click the "+" to the left of SYSTEM.
Click the "+" to the left of CurrentControlSet. (make sure that you click on just CurrentControlSet, as you may find CurrentControlSet1 or CurrentControlSet2)
Click the "+" to the left of Services.
Now, locate and click on RpcSs. (make sure that it is highlighted)
On the right side pane, under the Name column, find ObjectName
Double click on ObjectName, delete the entry under Value Data (the entry may be “NT Authority\Network service, but not necessarily you may have other value)
Now type “LocalSystem”  in the Value Data field (Without quotes and any space)
Close Register editor and restart the computer.

Now again boot in SAFE Mode and perform following steps-

1.      Open Internet Explorer.
2.      Click the Tools menu then click Internet Options. 
The Internet Options window appears.
3.      Click the Advanced tab and locate and uncheck Enable third-party browser extensions (requires restart).
4.      Click the OK button.
5.      Close all open Internet Explorer windows.

Now let’s us prepare the system for clean booting that will help to boot the computer faster.

Click the Start button, click Run, and then type msconfig in the Open: text box.
Click the OK button to continue.
The System Configuration Utility window appears.
Click to remove the check next to Load Startup Items.
Click the Services tab.
Click to select Hide All Microsoft Services, and then click the Disable All button.
Click the Apply button, and then click the Close button for Windows XP.
A dialogue box appears prompting you to restart the computer.
Click the Restart button.
Try this above steps..
GooDLucK!!

RItesh
engineer_dell:  you may not have noticed from my original post that the computer wouldn't boot in safe mode.   I fixed machine in recovery console by copying registry hives from one of the RPxxx folders to the system32/config folder.  Then I purged all traces of Norton/Symantec products from the registry and hard drives, and reinstalled Norton Internet Security successfully.  My question really wasn't about how to fix the machine (already done!), but rather about diagnosing what exactly could have been causing the problem described, in the hopes that if I see it again I might be able to solve it more expediently.  Particularly, I'm hoping that a Windows XP guru might be able to explain what process leads to creation of all those LocalService and NetworkService folders.
proving that all unsolved problems come back, the same client returned the laptop (a Compaq Presario 2190US) in less than a week with more BSOD lockups.  This time even worse, with BSOD even when trying to access system through recovery console or tyring to reinstall windows from CD.  Consistently received same BSOD message:  Stop 0x00000050 or PAGE_FAULT_IN_NONPAGED_AREA.   I suspected a hard drive failure.  But I was able to access drive with Bart PE (WOW!  what a great tool http://www.nu2.nu/pebuilder/ ) and after copying restore point hives to system32/config, system booted up normally again.  

Then I dug into the Event Viewer, as suggested by stardust126, and found all sorts of error 9, 11, and 51's which all have something to do with the hard
drive or hard drive controller.  Most of them occurred on the date of the first crash, but there were a couple as early as a few weeks ago, and several in the days AFTER the first time I fixed the machine.  Also got an error message in Norton Ghost about an inconsistent NTFS logfile, which I fixed by running scandisk, but I suspect that was caused by my own messing around with files with BartPE, rather than windows (?).   Interestingly, scandisk in thorough mode did not find any other disk errors, so if it was a hard drive crash it didn't leave the kind of debris I might have expected -- or is that normal with self-healing features of NTFS?  Anyway, I got on Compaq's website, and found a BIOS update (SP27646) with a description "Fixes issue where some hard drives could cause an intermittent system error.", so I installed that and after playing with the machine for 24 hours have seen no further errors.  So I returned machine to client, and hopefully problem is now solved.  I still don't totally understand the creation of those NetworkServie and LocalService folders, but now I am of the opinion that it was Windows' response to some kind of hard disk corruption, and that Norton Internet Security may have been just an innocent bystander at the time of the crash.
ASKER CERTIFIED SOLUTION
Avatar of ee_ai_construct
ee_ai_construct
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial