Solved

Server Login ok but No desktop, cnt alt del ok but no taskmanager

Posted on 2008-06-17
14
983 Views
Last Modified: 2013-11-05
A Strange one.
Windows 2003 Standard SP1.
Running as a simple share with terminal server. No Domains or AD just local users and groups.
The server rebooted due to a power outage.
Clean shutdown.
On reboot, system starts up ok One message a service failed to start. On cnt alt del, you can login but you do not get a desktop, just a mouse pointer. If you hit cnt alt del, you can shutdown, logoff etc but if you click on taksmanager nothing happens.
After much mucking about, we decided to image the drives and move to new hardware using aconis.
Once the image was completed, we started up windows and the logon worked and the system showed desktop. It then went on to install the various missing hardwared drivers and all appeared ok.
Then we rebooted and have the same issue.
Using barts boot cd, we accesed the dirves and scanned for virus - nothing.
Tried copying registry hives from repair to system32 config - same.
Safe mode reboots.
Directory Rstore mode - give us a safe windows layout but when you login, you get the same no desktop, cnt alt del behavior.

0
Comment
Question by:Zombite
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 7

Expert Comment

by:supports
ID: 21809892
have u tried with another user loggin... and i am not sure if ur facing the issue in safe mode as well..ie. it reboots itself
0
 
LVL 3

Expert Comment

by:exhaust
ID: 21810270
What if you tried another copy of C:\Windows\Explorer.exe from a working server?
0
 
LVL 4

Author Comment

by:Zombite
ID: 21810627
Was able to grab the event log remotely.

[14508] Application Popup   Type:     INFORMATION
Computer: SERVER01   Time:     18/06/2008 2:09:22 PM   ID:       26
userinit.exe - Application Error The application failed to initialize properly (0xc0000005). Click on OK to terminate the application

Same error for taskmgr.

The server doesnt start in any mode. Safe mode reboots.

Have checked the file versions and sizes.
While in the "first time booted" running version, ran sp2 on the sever which replaces mode of these files. Same result when booted second time.

This is what gets me - the thing will boot first time after image via acronis - then second boot - dead.


0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 6

Expert Comment

by:JapyDooge
ID: 21810824
0
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21810827
Microsoft's workaround:

To work around this issue, delete the invalid registry value: 1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\IniFile Times  
3. Locate the invalid value (this is usually a value with no name).
4. Click the invalid value.
5. On the Edit menu, click Delete, and then click Yes.
6. Quit Registry Editor.
0
 
LVL 4

Author Comment

by:Zombite
ID: 21811441
Seemed like a good bet but no go.
Checked the entries - all ok
Deleted all the shadow registy inf times - no effect.
Still get the same error or lack of response
0
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21811824
Hmm, running "sfc / scannow" would maybe work but you don't have that access to the system except...

You can edit the registery, so you can add "sfc /scannow" to the Run or RunOnce keys in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (runonce will be even better)

There create a new key of the type String named 'Run' or something like that and give it the following value:
C:\\Windows\\System32\\sfc.exe /scannow

At boot the computer will run sfc /scannow to check all windows system files and restore damaged ones. (I hope the reg keys are loaded, maybe they load after userinit...)

Good luck again
0
 
LVL 4

Author Comment

by:Zombite
ID: 21820827
Got it up and booted with the "first time run after imaging"
sfc - no results - same on reboot.
sp1 and sp2 - same
As terminal services doesnt run on first boot, I am investigating regisry and profile.
There is much about inituser.exe and time stamps in shadow registry for termial server.
I notice that the usercmd doesnt run wither.
Will report back findings - thanks for suggestions.
0
 
LVL 4

Accepted Solution

by:
Zombite earned 0 total points
ID: 21828995
JapyDooge: Can you enter this as a solution

This is a nasty virus via a js script on a web page.

http://www.threatexpert.com/report.aspx?uid=82cc0907-16ed-4868-88a9-cebdbdc8cff4

Drops some beasts into winlogon notify

QUOTE: Speaking of Malware, the Drive-By's are getting worse. First Whitepages and other websites were hacking us and now the UNICEF website got hacked. This getting ridiculous. There is one particular that I am seeing more and more.
The symptoms (At least on a domain) are excruciatingly long log offs, dodgy internet and even as the administrator, you can't RWW to the machine or RDP to it internally. If you go to the file system through the network (Connect to \\workstation\c$) you can see some hidden files in C:\Windows\System32. They are rotr.sys or rotw.sys. If the user logs off, you can delete these files remotely or do it in safe mode. As the files are a part of a rootkit, you can't actually see them as the user. Once deleted and the system is rebooted, everything is back to normal.


0
 
LVL 6

Expert Comment

by:JapyDooge
ID: 21829843
That's not nice. Ah well you can click the 'Accept as a solution' button on the bottom of your own post to close the question becouse you fixed it yourself.

Good luck man.
0
 
LVL 4

Author Comment

by:Zombite
ID: 21839161
Thanks -
By using barts boot disk and getting rid of the registry entries, and the files in system32 the server now lives.

0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question