yargls

lsasrv.dll disappears

Customer's machine.  XP Pro SP3 (I think or at least it was).

Customer stated that the last 2 things he did with this machine were to receive support for an application, I'm not sure if they employed remote access or not, and that he installed the current set of MS updates.  After reboot the machine complains about "lsasrv.dll" missing.  He then tried a repair install and the problem persists.  As you would expect the machine does not boot into safe mode.

I have done the following from the repair console:

-chkdsk /p until no errors are reported
-expanded lsasrv.dll off the cd


I also tried a repair install not realizing he had already tried that as well.

I have pulled the drive and run a Malwarebytes scan with the drive attached to my machine (no infections).  I then put another copy of lsasrv.dll on the machine and made it read-only.  The machine booted to XP installation/setup screen but failed to complete (I'm assuming because that file was marked read-only).  After I flipped the read-only bit the file disappeared again.

I also cloned the drive to another hard disk and the symptoms are the same with the cloned disk.

I have also run a couple of AVG scans using their rescue ISO (using the online update of the definitions), the last one last night.  Machine comes up clean.

I would like to repair this as he's got a couple of software licences on this computer that would be expensive/difficult for him to replace.  Not sure what the applications are offhand, they would be specific to the translation industry....not sure if any key recovery software would even know where to look.

Any ideas?

Thanks!

--yargls.
Majo2469

To get rid of this error message, insert your XP CD and boot from it. At the first menu press R to enter the recovery console and once at the command prompt type the following:

CD C:\WINDOWS\SYSTEM32

EXPAND E:\I386\LSASRV.DL_

When asked if you wish to overwrite, say yes. Now type EXIT to reboot the machine and Windows should start up just fine.
lsasrv.dll = Local Security Authority SeRVer
A system process needed to decrypt all local password hashing schemes.

Since you extracted the file from the install CD and tried using it, presumably you were able to boot Windows, get into an account, and copy the file onto the hard disk (unless you used the old OS partition as a slave to some other instance of Windows that you booted and then did the copy).  Don't know how you got the extracted file into the problematic OS partition on the hard drive.  If you were able to login and then get the error, see if registering the DLL file and rebooting Windows gets it working again.

Load Windows, login under an admin-level account, and run (in a command shell):
regsvr32 lsasrv.dll

Rather than extract the file from the install CD, have you instead tried running the system file checker (sfc.exe /scannow)?  You'll need the install CD (unless you have the windows\i386 folder copied locally or available on a networked drive).

You never mentioned what anti-virus software, if any, or other security products are running on the problematic host.  It's possible, for example, there was a false positive on the lsasrv.dll file, the user got a prompt (if the AV program was configured to do so rather than make changes silently) about a suspect file, and the user opted to have the AV program quarantine the file.  The AV program will continue quarantining the file until the user says otherwise (if the choice is offered).  AV programs have, in the past, managed to corrupt or halt an OS because they end up deleting or quarantining system files either due to false positives or they were infected.

johnb6767
"expanded lsasrv.dll off the cd"

Might want to get one from a more recent installation....... In the event you used an older CD, might be too old, and even though it is now present, might have a problem with that.... Slave the drive to access the partitions......
yargls

ASKER

I used an SP2 OEM CD.  I've got a hard drive dock on my Win 7 Pro box and I also copied the file off of the copy of XP that's used for the XP virtual machine (I've tried more than once).

The problem is that the file disappears when the machine boots.  The XP splash screen shows, then, when you would expect the repair installation to continue, I get a "This application has failed to start because LSASRV.dll was not found" dialog.  As I noted, if I make the file read-only, setup will proceed, only to fail (I'm assuming it fails because the file has been marked read-only, don't recall the exact error).

My customer didn't mention anything about a virus warning and he's the type who makes note of something like that.  I'm not sure what AV he uses.

I cannot get into Windows at all, safe mode has the same problem.

And, to be clear, the file disappears, ceases to exist on the drive.  I've put it in the dock and looked for it, I've looked for it while running the recovery console and it just ain't there.  Yes, I've verified it is there after I've expanded or copied the file when it's attached to my Win 7 box.  It gets deleted sometime during boot up.

Thanks!

--Steve.
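
One way to pin down what changes on the disk between "the file is there" and "the file is gone", as an added example that is not part of the thread: hash the docked drive's system directory before the boot attempt and again after it, then diff the two snapshots. The function names and the sample tree are constructed for illustration; paths are lower-cased because Windows filenames are case-insensitive.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map lower-cased relative path -> (size, sha256) for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            state[rel] = (os.path.getsize(full), digest.hexdigest())
    return state

def diff(before, after):
    """Return files removed, added and modified between two snapshots."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"removed": removed, "added": added, "changed": changed}

def demo():
    """Constructed sample: a fake system32 tree standing in for the docked XP drive."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(os.path.join(sys32, "drivers"))
        for rel, data in [("LSASRV.DLL", b"lsa"), ("lsass.exe", b"exe"),
                          ("drivers/sample.sys", b"drv")]:
            with open(os.path.join(sys32, rel), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        # Simulate what a boot attempt did to the volume (constructed changes).
        os.remove(os.path.join(sys32, "LSASRV.DLL"))
        with open(os.path.join(sys32, "drivers/sample.sys"), "wb") as fh:
            fh.write(b"drv-modified")
        with open(os.path.join(sys32, "setup.log"), "wb") as fh:
            fh.write(b"log")
        return diff(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On the real drive, point `snapshot()` at the mounted WINDOWS folder before and after the failed boot; the "added" and "changed" lists show what else was touched in the same window as the deletion.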
Autoruns
http://live.sysinternals.com/autoruns.exe

You can use this to scan the Offline System, from the File Menu. Post us an .arn file please, which is the native saved file format for Autoruns.....
yargls

ASKER

Here ya go!

Thanks!

--yargls
AutoRuns.arn
Outside of a crudload of extra bloat, I don't see anything malicious.....

Can you disable McAfee on this system (uncheck the startups/services in AutoRuns) and retest to 100% rule that out?
Actually, not sure what these are.....

Probably not malicious entries, but perhaps remnants of another security app?

Services:
NPF                  File not found: system32\DRIVERS\npf.sys
SNTNLUSB                  File not found: system32\DRIVERS\SNTNLUSB.SYS
tmcfw                  File not found: system32\DRIVERS\TM_CFW.sys
yargls

ASKER

Okay, that didn't help.  I disabled anything from McAfee, I also disabled all the entries that had a "file not found" just for kicks.

If this thing were working, it would be finishing a repair install when these errors come up.  What processes are running at this point?

Also, does anyone know of a good software key recovery app that will run from UBCD4WIN?  Keyfinder doesn't find enough extra stuff.  I'm thinking the only fix here is to reload windows, but I would like to recover these software keys before I do.

Thanks!

--Steve.
ProduKey v1.45 - Recover lost Windows product key (CD-Key) and Office 2003/2007 product key.
http://www.nirsoft.net/utils/product_cd_key_viewer.html

This one works well.....

Finishing the repair install in GUI Mode? If so, hit SHIFT+F11 (maybe 12 or 10), and you'll get a cmd prompt. Start taskmgr.exe, so you can see what's running...... Might be a clue......

Wondering if maybe you have a Backdoor.TDSS variant, which affects the MBR? Will Recovery Console load on this OS?
ASKER CERTIFIED SOLUTION
yargls
yargls

ASKER

I found the answer via a Google group I'm a member of.