Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1004
  • Last Modified:

Corrupt hibernation profile -> Corrupt security registry -> LSASS.EXE password errors -> and licensed software that can't be lost...

After carefully tip-toeing down the rabbit hole, I managed to trip and fall quite far on this one.

Here's the story as simply put as possible:

I took a workstation out of someone's office being it was taking up too much space.  However, the workstation has a very old software program which is no longer supported.  The program is not even able to be licensed by the manufacturer anymore!  By that, I mean the company claims that they "cannot" get us an activation key anymore.

This workstation was going to be setup with remote desktop and the user was to connect to the computer over our network.  The user currently had two computers in his office, and it was taking up way too much space.

When I powered on the computer, the desktop went into an infinite reboot.  I did not see a blue screen of any kind.  I was completely unable to log into any safe mode variant either.

The workstation does not have a recovery partition installed, as well.

I noticed as the computer booted, a gray, progress bar that loaded just prior to the Windows XP splash screen during the boot.  I assumed that this was the computer coming out of hibernation.

On a Live CD of Knoppix 5.3, I deleted hiberfil.sys and pagefile.sys (spelling may not be exact, but I'm sure you get the point).  These files were in the root C:\ and I am certain I deleted the right files.

Upon deletion, the computer still rebooted with no ability to go into safe mode.  I then thought I should try to repair the registry.  I followed the instructions at: http://support.microsoft.com/default.aspx?scid=kb;en-us;307545 .  All went smoothly....

Then the blue screen.  Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate

So... I attempted to repair the registry for a SECOND time.  Everything went smoothly....

Then the LSASS.EXE error!  Now, when I attempt to log into safe mode, I get LSASS.EXE "The value provided as the password is not correct".  Windows then instantly reboots... in all modes....

So... I try to go into recovery console again...  this time just to load my .bak files... nope.  I am then prompted for the administrator's password (leave blank if nothing).  I've tried that as well.

I am downloading a tool from SourceForge that should help get the password for the administrator.  I am not sure of the rules on Experts-Exchange regarding password cracking, so I will not list the name of the specific tool.  All I'll say about it is that it is a bootable cd.

I do have access to Acronis Universal Restore, but I have yet to walk that road.  I am almost certain that even if I get the computer to boot back up, the registration keys used for my archaic program will be expired.  Sadly, there are many formulas and other important files that would be needed to be extracted from this program.  I am not sure what exactly I can do at this point, but any help would be appreciated.


One other thing.  Please don't suggest this is a virus.  I am 100% certain it is not.

Thank You.
0
stlbridge
Asked:
stlbridge
  • 8
  • 4
  • 3
  • +1
1 Solution
 
arnoldCommented:
If you have an image backup of the system, you can try performing a repair install and see whether that corrects the booting of the issue and should not affect/alter the installed software base.
Have you using the live CD checked the system for viruses?
0
 
stlbridgeAuthor Commented:
Again, I realize that this sounds very similar to a virus, but this computer was on a stand-alone network which had no connection to the internet, nor any users who would have put any viruses on it.  The computer worked perfectly until I connected the new hardware to it (monitor, keyboard, mouse).
0
 
arnoldCommented:
The addition of a mouse, keyboard and monitor does not explain the situation.
Something else is going on. The avenue you are exploring does not seem to reveal a pattern.

Here is a possible explanation, the computer was setup long ago and has not received updates.  The move from the isolated network to the one on which it is connected exposed it to a virus that most of the other systems on the network can resist but this one, lacking windows updates, can not.

When the workstation was in the individual's office, how was it accessed?

If you put the system back into the office from which it came, can it boot?
0
 
stlbridgeAuthor Commented:
Arnold,

Listen,  I am 1000000% positive that I did not acquire a virus whilst restoring the registry.  The computer WAS NOT on an active network while I was troubleshooting, nor was it prior to the fact.  The network the computer would have "potentially" been exposed to is clean.  Please, stop suggesting the viruses.

Arnold, try to remember, that a virus' behaviour often replicates the behaviour of a corrupted operating system.  The virus finds the OS vulnerabilities and then uses those vulnerabilities against itself.  This is common sense, and please take no offense to my stating the extreme obvious.

Secondly, I did try to put the computer back with it's original hardware/prephrial configuration, but much to my regret, this did not remedy the issue.  However, I had already brought back the fresh registry prior to setting the computer up in its original environment.

I am extremely tired, and I do hope you forgive my short and seemingly rude retort.  I am at a loss on this one, and I guess I'm just waiting for someone to state the obvious - I have further corrupted the registry thus wiping the OS from its potential existience.

Bart PE would be nice, but I am not sure how it would help at this point, nor am I well versed enough to feel comfortable in going that direction.  Again... I do have Acronis Universal Restore... but I have no images of this computer to use.  I would be slightly inclined to create an image at this point, then going to a fresh OS to reinstall to.  I don't know.  Goodnight.
0
 
arnoldCommented:
you should image the drive prior to proceeding any further.

I think the only option you have is to perform an OS repair install without formatting the HD.  This will/should fix the OS so it can boot. Most of the applications should work with the exception in the event that your registry attempt corrupted the registry and the application you are intent on preserving relies on registry data.

Alternatively, you could try booting the system and get into the bios to see whether the system is rebooting because of power fluctuations. I.e. power supply can not maintain a stable 3.3V output to memory. Once memory voltage dips below threshold ~2.9V the system will panic and reboot.
Run memtest86 from http://www.memtest86.com/ see if the system reboots while performing memory test.

 
0
 
stlbridgeAuthor Commented:
I never thought of the MEMTEST.  The funny thing of that is, I could have launched that while I was using the live cd.  I'll check that in the AM.  The power issue would be wonderful.  I had let the simple mechanics escape me while I was diving down into this mess.

Honestly, this could make sense.  I'm quite certain that my restoring of all primary contents of the registry has more than likely corrupted all that was worth saving.

I guess we're off to AutoCAD if this doesn't work.

I'd love to hear more thoughts on this issue... preferrably from another user.
0
 
nobusCommented:
i would suggest to download Darts (old ERD Commander)
you can do system restore, repair, and delete or change passwords :
http://www.microsoft.com/downloads/details.aspx?familyid=5D600369-0554-4595-8AB4-C34B2860E087&displaylang=en            
0
 
stlbridgeAuthor Commented:
Nobus,

The ERD appears very promising.  It also seems to be easier to use than BartPE. Would there be any chance you could help me in further depth with navigating ERD to my benefit?

I tried to launch the application that I am desperate to use.  I receive an error message regarding licensing, to no surprise!  It is showing:

CAUSE:
The program "ckserve" is not running on the server or your computer.

SUGGESTION:
In order to run this program over a network, ckserve must be running on the network server.  Talk to your network administrator.

IF YOU ARE RUNNING WINDOWS NT...
Ckserve must be running on the server or your computer even if you do not wish to share licenses over a network.  Reinstalling this program should install the ckserve program.
0
 
nobusCommented:
0
 
stlbridgeAuthor Commented:
CrypKey service disabled did not change the error.  The ERD boot disk is wonderful.  It's basically a ripped down version of windows that allows you to have a very detailed GUI.  This application will definitely be in my diagnostic tool box for the future.

I am still desperate to get this working.  Anyone else have thoughts?

Nobus, do you think you could give me a little guidance on how to make use of the System Vol. Information folder?  I have old restore images, but I'm not sure how to use them on this live cd platform.
0
 
DavidWilkinsCommented:
It's time for us upgrade, sadly.  The cost for time spent troubleshooting is by far costing more than it would just to upgrade the software used to run the program.  I am awarding the points to Nobus.  Nobus chose to actually answer my question AFTER reading my entire description.  Plus, he introduced me to an extremely useful troubleshooting/GUI for Windows.

Thanks, Nobus!
0
 
stlbridgeAuthor Commented:
Thanks for the help, nobus.  You'll have to excuse my last entry.  I entered it on a co-worker's computer and forgot he was logged in!

The ERD is a very nice touch!
0
 
nobusCommented:
grateful - but how is this possible ? asker = stlbridge  - and now DavidWilkins ????
boot from ERD - then select  Start>system tools>system restore and pick the restore date you want
0
 
stlbridgeAuthor Commented:
I was following up on the question from a colleague's workstation.  My mistake.  Did you see the comment I left under the accepted solution?  I identified this there too.  Don't worry, I'm not "farming" my questions.
0
 
nobusCommented:
just that i di not understand how it was posqsible - i learn every day here
tx for the info !
0
 
stlbridgeAuthor Commented:
... My colleague has a separate account from my own.  Quite simple, really.  Far more simple than my registry issues!
0
  • 8
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now