Solved

BSOD when accessing Trusted Zone

Posted on 2007-08-05
Last Modified: 2013-12-06
My PC runs Windows XP (MCE SP2) and after some initial problems, I rarely get BSODs.  However, the ones that I do get are very predictable.

They are PAGE_FAULT_IN_NONPAGED_AREA errors and they are all raised when I try to access the list of sites in the Trusted Zone. I attempted to access the Trusted Zone list through IE (through the Security option), through regedit (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains) and when running HijackThis (the O15 category) and in all cases, I got the BSOD. Other than this, the PC runs okay and I was wondering if the registry had got corrupted.

I have googled on this but I can't find anything remotely like this problem.  I wouldn't be too bothered except I might need to run HiJackThis in the future and I can't.  This has not always been a problem because I've run HiJackThis on this PC in the past.
0
Question by:iancunn
26 Comments
 
LVL 19

Expert Comment

by:weellio
ID: 19634709
try this
open regedit and go here
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
rename
the "internet settings" key to "internet settings_"
open IE and see if you can go to the sites.
then manually add your trusted sites, maybe your zones key was mangled...

or you can just try renaming the "domains" subkey and go from there.
0
 

Author Comment

by:iancunn
ID: 19641102
Hi weellio,

I attempted to save the registry before editing it and I got the same BSOD (the hex errors were STOP: 0x00000050 (0xFFFFFEF8, 0x00000000, 0x8054A51A, 0x00000000)).  When I attempted to rename the "Internet Settings" to "Internet Settings_" and hit Enter, I got exactly the same BSOD and hex values.  On restart, the rename had not worked (i.e. the registry area was still "Internet Settings").

It seems that any interrogation at all of this region of the registry produces this BSOD.  Any suggestions?
0
 
LVL 19

Expert Comment

by:weellio
ID: 19643663
do you utilize roaming profiles?
try creating a separate user account on this computer and see if things work well, if so, then you have a corrupt profile... and it is a pain to uncorrupt...
0

 

Author Comment

by:iancunn
ID: 19649640
I don't use roaming profiles (is that possible in MCE?) but I do have other profiles set up on this PC.  I tried to click on the Trusted Zone in IE, look at the dodgy registry key and even run HijackThis on another profile.  They all worked correctly on the second profile, which implies that it is the original profile/registry that is corrupt.

You said that it's a pain to uncorrupt a profile - any pointers?  Would deleting the profile and setting it up again work (though that would be the last thing I'd want to do, short of reinstalling XP, as the corrupt profile is the main one).
0
 
LVL 19

Expert Comment

by:weellio
ID: 19650908
export the "internet settings" registry keys from a working profile and import them into the nonworking one.. maybe that is a possibility
0
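An added example, not part of the thread or any poster's code: once the "Internet Settings" branch has been exported from a profile, this Python function lists the per-site zone assignments stored under ZoneMap\Domains, the same data HijackThis reports under O15. The sample export is constructed, and `zone_entries`, `SAMPLE` and the other names are hypothetical.

```python
import re

ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted",
         3: "Internet", 4: "Restricted"}
MARKER = "\\internet settings\\zonemap\\domains\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(.*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export; a real regedit export is UTF-16, so read it
# with open(path, encoding="utf-16") before passing the text in.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net\downloads]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"http"=dword:00000004
'''

def zone_entries(reg_text):
    """Return sorted (zone, protocol, host) tuples for ZoneMap\\Domains."""
    found, domain_path = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(MARKER)
            # Only subkeys of ZoneMap\Domains map sites; "[-key]" is a deletion.
            ok = idx != -1 and not path.startswith("-")
            domain_path = path[idx + len(MARKER):] if ok else None
            continue
        val = VAL_RE.match(line)
        if val and domain_path:
            # Key path is domain\subdomain; the host is subdomain.domain.
            host = ".".join(reversed(domain_path.split("\\")))
            zone = int(val.group(2), 16)
            name = ZONES.get(zone, "zone %d" % zone)
            found.append((name, val.group(1), host))
    return sorted(found)

if __name__ == "__main__":
    for zone, proto, host in zone_entries(SAMPLE):
        print("%-10s %s://%s" % (zone, proto, host))
```

Entries in the Trusted zone that nobody remembers adding are the ones worth a closer look.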
 

Author Comment

by:iancunn
ID: 19703811
Sorry it's taken so long to get back to you but I haven't had the opportunity to try your last suggestion.  I exported the "Internet Settings" registry branch from the profile that's okay and double-clicked it in the duff profile - it appeared to be imported okay, in that it didn't say that it failed.  However, when I attempted to access the Trusted Zone in IE in the duff profile, I got the same BSOD as usual.

Any other ideas?
0
 
LVL 19

Expert Comment

by:weellio
ID: 19704169
well it appears the registry is corrupted in other places. normally during the circumstances i would rename the ntuser.dat file within the duff profile and let it create a new one at next logon. if there are specific things that you need from the duff profile you can open up the corrupted one from regedit (load hive) and export the specifics as you need them.
0
 

Author Comment

by:iancunn
ID: 19718563
I'm rather loath to start fiddling around with the ntuser.dat file.  What I've seen when Googling it is "leave it alone!"  If the registry is corrupted in other places then I may end up losing my old profile and not be able to get the "new" one running as the old one was.
0
 
LVL 19

Expert Comment

by:weellio
ID: 19719127
i 'fiddle' with it all the time i'm a registry freak i suppose.

anything listed under HKCU can be auto recreated.
therefore.
if you want to make a backup of the ntuser.dat so you can always start back at square one.
then you can go through the registry keys and rename the internet related ones.
for example.

HKEY_CURRENT_USER\Software\Microsoft\Internet explorer
rename this one and try again..
0
 

Author Comment

by:iancunn
ID: 19720235
When I attempted to rename the Internet Explorer related key before (by adding underline) I got a BSOD - see my reply to your first suggestion.  Are you suggesting that I take a back-up of ntuser.dat (say ntuser.old) and then edit ntuser.dat when in another profile?  What app should I use to edit ntuser.dat?  
0
 
LVL 19

Expert Comment

by:weellio
ID: 19721193
my first suggestion was
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
and this one is
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer

two separate keys

yes copy the ntuser.dat => ntuser.old so that you will have a backup of it.

the ntuser.dat is your HKCU registry settings they are one and the same...

do this
log as an admin
open regedit
click on Hkey_local_machine
click file - load hive
find the corrupted ntuser.dat
click open
now go rename the internet settings key and then logon as that user.

0
 
LVL 19

Expert Comment

by:weellio
ID: 19721202
i guess i should give you all the sets of instructions,...
after you rename the internet settings key to internet settings_
goto file - unload hive
then log out and log on as the other user


possible you could just do a run as and load ie to test as well

runas /user:<domainname>\<username> "C:\Program Files\Internet Explorer\iexplore.exe"

then a command prompt will ask you for your password...

it will either bluescreen, or you'll be fixed :)
0
 

Author Comment

by:iancunn
ID: 19726763
After I clicked on open for the corrupted ntuser.dat, I got a pop-up window entitled "Load Hive" and I was asked for a "Key Name".  Clicking with nothing in it didn't work and I didn't know what to put so I entered "NTUSER.DAT" instead.  I then got the error message "Cannot load C:\Documents and Settings\<dodgy username>\NTUSER.DAT: The process cannot access the file because it is being used by another process".

Given I tried this from another admin user (i.e. not <dodgy username>) in normal boot mode and then the "Administrator" user in safe mode with the same results, which process could be using the dodgy ntuser.dat and how can I release it?  Can the Unlocker tool be of use here?  I didn't want to rash...
0
 
LVL 19

Expert Comment

by:weellio
ID: 19726834
heh

reboot the machine and don't log in with the 'dodgy' account
just login with admin, then open the ntuser.dat

once you've logged in with the account, you can't open it, because it has the settings loaded. and although when you log off it is supposed to release the settings, it does not appear to be doing this, so a reboot is the only option..

make sure you are opening the

c:\documents and settings\<dodgy profile>\ntuser.dat
0
 

Author Comment

by:iancunn
ID: 19726864
I DIDN'T log in with the 'dodgy' account since switching on the PC and when I logged in safe mode, I obviously had had to reboot the PC to get there.  You also haven't confirmed what I should have entered in the pop-up window.  I've also obviously attempted to open the correct ntuser.dat because it's mentioned in the error message I get...
0
 
LVL 19

Expert Comment

by:weellio
ID: 19726892
just enter a temp name for the profile,.

type 123

it is just looking for a place holder
0
 
LVL 19

Expert Comment

by:weellio
ID: 19726898
also if you can make a copy of it, then just open the copy. it should be linked to anything...
then overwrite the original with the copy once you edit it.
0
 

Author Comment

by:iancunn
ID: 19727032
Thanks very much for your patience but there's yet another twist I'm afraid.  I copied the dodgy ntuser.dat to ntuser.upd (when I was logged in as another user), rebooted the PC into safe mode and then did the following as the "Administrator" user.

I did as you said and then edited under the "123" folder under HKCU.  The "Internet explorer" folder name was changed without any problems but as soon as I hit enter after editing "Internet Settings" to "Internet Settings_", I got the same old BSOD.

I tried the same with the ntuser.upd copy and that blew up as well!  It seems to be a problem inherent in whatever is under "Internet Settings" ("Domains" specifically) that the PC cannot handle.  Do you know what PAGE_FAULT_IN_NONPAGED_AREA errors actually mean?  It seems like an area has overflowed and the PC doesn't know what to do with it...
0
 
LVL 19

Expert Comment

by:weellio
ID: 19727080
try logging on to the <dodgy profile>

run the script below and then open an IE trusted site

regdel.vbs



const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
oReg.DeleteKey HKEY_LOCAL_MACHINE, "Software\Microsoft\Internet explorer"
oReg.DeleteKey HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
wscript.echo "Done"

0
 
LVL 19

Expert Comment

by:weellio
ID: 19727087
oops don't run that one, run this one...


' Deletes the current user's IE settings keys through the WMI StdRegProv provider
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
' DeleteKey returns 0 on success; it does not remove a key that still has subkeys
oReg.DeleteKey HKEY_CURRENT_USER, "Software\Microsoft\Internet explorer"
oReg.DeleteKey HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
WScript.Echo "Done"
0
 

Author Comment

by:iancunn
ID: 19727173
I ran the script, the pop-up window said "Done" but when I attempted to list the Trusted Sites list in IE, I got the BSOD.  The script appeared to work in the same way as importing the registry key from a correct user "appeared" to work until I attempted to use the affected registry key.  There's something really weird going on here...

Thanks very much for all your help.  I'm going to bed now so have a good night.
0
 

Author Comment

by:iancunn
ID: 19733746
Here's an image of the BSOD - I don't know if it'll be of any use to you.

http://img20.imageshack.us/img20/4343/1001378dk4.jpg

The crashes that I get are different from those in your links because they never occur at start up and are completely predictable i.e when the trusted or restricted zone registry info is accessed.  This BSOD was produced by running Hijack This and I could see the PC hanging when it had got to O15 (to do with the trusted zone).
0
 
LVL 19

Expert Comment

by:weellio
ID: 19735349
write down the time
create a BSOD
reboot
open eventviewer (eventvwr.msc)
look under anything related to the time (give or take a minute)
mainly you will be looking under the "application" folder
and paste them in here so i can see the related errors

still researching on my end..

to make sure it isn't hardware, try unplugging everything except
keyboard, mouse, and monitor from the computer
(yes keep the power cord plugged in as well)



do you have a USB Universal Reader from Lexar Media?
0
 
LVL 19

Expert Comment

by:weellio
ID: 19735359
maybe try updating some of the drivers on your computer to see if they are related?
video, sounds, modems?

have you tried reinstalling IE?
or reregistering it?

try running this from the run line

"%ProgramFiles%\Internet Explorer\iexplore.exe" /rereg


maybe upload a copy of the ntuser.dat file, so i can take a look at it?
0
 

Accepted Solution

by:
iancunn earned 0 total points
ID: 19786370
Hi again,

I didn't really want to get into updating drivers or reinstalling IE, especially as I knew that other profiles on the PC were fine.  I was going to leave it as it was when I thought about transferring to another profile.  I googled on "copy xp user" and found this link:

http://support.microsoft.com/kb/811151

I did what this said and then deleted the duff profile and renamed the new profile to the old name.  It works!  The only thing that I found not mentioned in the article was that I had to log on to the new profile in normal (not safe) mode before the C:\Documents and Settings\New_Username folder was actually set up.  The biggest pain was setting up Outlook Express accounts again, otherwise things went quite smoothly.

I'd like to accept this entry as the Solution but I'd like to give weelio half the points for the time they've spent on this and for allowing us to rule out a lot of proposed solutions.  How do I go about this?
0


Question has a verified solution.
