Setup is being restarted..

NYEEI
Greetings experts.. Here is a unique problem, which is vexing me.. I have a Windows XP Pro machine with a ton of installed items on it. It was a victim of spyware, which we removed. Upon removing the spyware, it disassociated .EXE files. I was having difficulty adding in the registry fixes to resolve this issue so I ran a repair on it.. Big mistake.. During the repair process, several instances of rundll.exe were unable to run. Upon restarting the machine, I encountered a black screen after the XP startup logo.

I then did what I should have done in the first place, which is boot from BARTPE, offloaded the SOFTWARE hive, made the .exe association fixes on a working machine and then placed it back. Now when I boot, I receive a 'Setup is being restarted' screen and then it freezes after some minor hard drive activity... Also, the repair option from the Windows CD is no longer available (probably because it thinks there is already a repair/setup going on).

So basically I have a situation where I need to 'turn off' whatever registry or boot flag is being set that makes Windows restart the setup process. I believe in doing so, the repair option may return on the Windows CD. Here is what I've done so far.

Checked boot.ini for any erroneous settings (there aren't any).
Tried the /SOS and /SAFEBOOT options (they don't work)
Checked the NTBTLOG (shows nothing useful)
Checked the RunOnce and RunOnceEx registry settings on the offloaded hive (nothing showing that setup is being started)

Obviously something is telling Windows to restart the setup process on boot. Usually it is boot.ini, but that is not the case here. It most likely is a registry key. I just need to know which one.. By the way, as much time as I've spent on this issue, it would take far longer to format/rebuild this machine due to the unique software loaded on it.

Any suggestions would be appreciated...
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
Did you check the run command keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
Oops, read afterwards that you said you did. Umm, take a look at this article:

Windows XP Setup Restarts the Setup Program When Your Computer Restarts:
http://support.microsoft.com/kb/826976

I'm sure you have tried already if you have done everything you mentioned above, but did you try booting to the repair console and fixing boot and MBR? Very small chance the MBR was affected, but anyway it could be a quick fix. One thing you may consider is backing up certain hives and doing a repair install of Windows, then adding the hives when back in Windows. This would prevent you from having to reinstall as much of the software and, if you are lucky, you won't have to install any of it.

Top Expert 2009

Commented:
Firstly, do you have a backup/image of that system?
If you do, try system restore
http://2pure.net/index.php?session=0&action=read&click=open&article=1150238652
(Or if you had Erd Commander it will also work to system restore)

If system restore works (don't pick the newest/highest restore point)
Rescan that system for malware etc....
Malwarebytes http://www.malwarebytes.org/mbam-download.php

Author

Commented:
Ah yes I left this part out.. The spyware wiped out the restore points.. and there is no backup..
Top Expert 2009

Commented:
If the data is important then back it up. You can use this Linux live CD to boot your machine and copy the data off to a USB drive
http://www.knoppix.net/

Author

Commented:
I have already cloned the drive just in case. I can access the drive.. I can make changes to system files. I can also modify the registry by loading the hive onto another machine.

At this point the only question I need answered is how to prevent Windows from attempting to start setup upon boot. Every single thread with a similar problem does not have the answer to this. One of them is close, but it references a Vista machine and the key that does that in Vista doesn't exist in XP.. Someone knows the answer to this somewhere :)

Author

Commented:
Yes I read it.. There is no CD in the drive.. The system begins to load Windows, going so far as to display the Windows XP prompt. Then it pops up the light blue screen and "Setup will be restarted.." .. What is telling it to go to that screen.. That's all I need to know..

Author

Commented:
The burning question is:

What tells Windows to go into setup after having checked the Run/RunOnce/RunOnceEx keys and boot.ini?

In BartPE do you have something like HijackThis that allows for remote registries? Something like a2hijack, maybe there is still a service trying to run that should not be. If you can find ERD 2005 you can try running the System File Repair tool that may help you out some.

Author

Commented:
ERD is not a bad idea.. In Vista there is a key called SetupInProgress that needs to be set to (0) instead of a (1) which fixes this.. would like to know the XP equivalent..

Is there a recovery partition on the drive? Maybe a reference is getting crossed somewhere in one of the entries to the wrong partition.

Author

Commented:
Being a Dell machine there is a recovery partition.. however, I know it is looking at the correct partition since various log files on that partition are being updated with the correct time/date stamp..

Sorry I can't give an exact answer right now, I'm still looking around. Have you tried bootlogging or anything to see if it will spit out any explicit error or BSOD?

Author

Commented:
bootlogging shows nothing except the usual drivers being loaded.. once it switches into setup mode though, all logging stops..
Commented:
On my XP SP3 system, there's a key:
HKLM\SYSTEM\Setup\SystemSetupInProgress (DWORD value) that is set to "0".

Author

Commented:
The key is HKLM\SYSTEM\Setup\SystemSetupInProgress

There is also a key called 'UpgradeInProgress'


Clearing them both had the desired effect.. Thanks :)
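
The fix described in this thread, written out as an added example (not code posted by anyone in the thread): it loads the offline SYSTEM hive on a working machine, reports the two values named above, and with `-Fix` sets them to 0. Assumptions: the affected disk is mounted as `E:`, the mount name `OfflineSystem` is hypothetical, and "clearing" is taken to mean setting the DWORD to 0, as reported on the working XP SP3 system.

```powershell
# Added example: inspect and clear the setup-restart flags in an OFFLINE SYSTEM hive.
# Assumptions (not from the thread): hive path on E:, temporary mount name OfflineSystem.
param(
    [string]$HivePath  = 'E:\WINDOWS\system32\config\SYSTEM',  # assumed location
    [string]$MountName = 'OfflineSystem',                      # hypothetical name
    [switch]$Fix                                               # report only unless set
)

$flags = 'SystemSetupInProgress', 'UpgradeInProgress'   # values named in the thread
$key   = "HKLM:\$MountName\Setup"

if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }

# Keep an untouched copy of the hive before changing anything.
if ($Fix) { Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak" }

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (needs an elevated prompt)' }

try {
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $flags) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) { Write-Output "$name : not present"; continue }
        Write-Output "$name : $($prop.Value)"
        if ($Fix -and $prop.Value -ne 0) {
            Set-ItemProperty -LiteralPath $key -Name $name -Value 0 -Type DWord
            Write-Output "$name : reset to 0"
        }
    }
}
finally {
    # Drop provider handles so the hive can be unloaded, then unload it.
    $props = $null
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'reg unload failed; close regedit and retry' }
}
```

Run it once without `-Fix` to see the current values, then again with `-Fix`; the `.bak` copy lets you put the original hive back if the change does not help.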
