Windows 7 KSOD

Hi all,

I have a few Windows 7 machines that recently started booting to only a black screen with cursor.

It looks like explorer.exe is not loading if the machine is connected to the network during startup; offline, the machine boots fine. I’ve observed the following in Event Viewer:

Event ID 14  “Name resolution for timed out after none of the configured DNS servers responded.”
Event ID 27 “Intel(R) 82579LM Gigabit Network Connection Network link disconnected”
Event ID 1129 “The processing of Group Policy failed because of lack of network connectivity to a domain controller.”
Event ID 129 “NtpClient was unable to set a domain peer to use as a time source because of discovery error.”

I noticed on a few machines that, while docked, wireless and wired connections were both active, so I set the wireless connection to manually connect. I also flushed the DNS resolver cache and reset the Winsock catalog. Client’s machine still did not load explorer.exe.

I checked registry settings under “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” for any fallacious entries or signs of corruption; everything looked satisfactory. I also checked wininit.exe for any signs of corruption, also not the problem.

I added the following to the registry but it is only producing blank log files. The verbose status didn't tell me anything either.


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon]

The problem also occurs in Safe Mode; however, it is a profile-specific problem. On one machine, when I logged in as another user, afterwards the client's profile began to load but using a temp profile. I double-checked “HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList” and her “ProfileImagePath” value was correctly set. I did, however, notice that the last modified date on her profile directory was 4 days prior. I deleted the client's profile from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, and then renamed her profile directory to user.old; even after renaming the directory, its last modified date remained unchanged.

After checking other clients' machines I noticed similar inconsistencies; every machine has incorrect last modified dates. I haven't ever seen this on an NTFS file system.

I've ruled out RpcSs as the culprit: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs is starting under NT AUTHORITY\NetworkService not LocalSystem

Any other ideas would be greatly appreciated.

DarinTCH (Senior CyberSecurity Engineer) Commented:
Are these on a domain?
Physical or virtual?
Roaming profiles?
Why is DNS failing?
SBS or full domain?
Lordy123 (Author) Commented:
Machines are on a full domain
Physical machines
Local Profiles

No idea why DNS is failing. I wasn't sure how to troubleshoot that; I couldn't get to a command prompt.
Can you log on locally as the local admin? If you can, you can test through CMD that way.

Also, have you tried booting up in Debugging Mode or Boot Logging Mode in the Advanced Startup Options Menu?


Jim-R Commented:
Probably the simplest and most expedient way to deal with profile specific problems is to recreate the profile with a fresh one and replace the user data.  Instructions on doing so here:

Fix a corrupted user profile Win 7
Lordy123 (Author) Commented:

If I log into any other profile besides the client's, it becomes impossible to recreate the issue, as the client's profile completely corrupts to the point of needing to be recreated.

Jim-R: See above, we are using that as a fix for now, but I would like to reach a root cause diagnosis.

Lordy123 (Author) Commented:
So this is what my troubleshooting situation looks like:

Client cannot log in when connected to the network. When we boot offline client can log in with cached credentials. Completely unable to open task manager or cmd prompt when problem occurs. Verbose logging produces no logs. Any other ideas on how I can see what is going on with the network during logon?

I would like to focus more on the last modified date too, any ideas when that would not update? I was thinking a registry or file permissions error.
From johnb6767

This is my standard "canned" answer in dealing with <insert your process problem here>.... Follow this procedure below to isolate exactly what is happening......

Process Monitor

Save this to the root of C as an Admin, and log in the problem user. Do a RunAs with your Admin Credentials to launch it, and then set the filter at the top to Include <whatever you could possibly be looking for> then "Include", and then try and recreate the problem by launching the app. Then go look at the logging, and it will tell you where the problem happened. Once you open those up, keep retrying until you get the desired results....
Lordy123 (Author) Commented:
Yes but in this case, I would perform all those steps and see nothing out of the ordinary. Reason being I would have to:

Take machine off network
Log in problem user
Plug in network (At this point it will work fine)
Run PM, see nothing wrong

See what I'm dealing with?
johnb6767 Commented:
"Client’s machine still did not load explorer.exe"

You cannot even get to the Task Manager using CTRL+SHIFT+ESC?

At the black screen, do the CAPS/NUM lock lights activate?

Can you ping the machines? Might see if PSExec can hit the box from another machine, and launch the Task Manager remotely....

psexec \\thispc -i taskmgr.exe

The -i switch should make it interactive on "thispc's" display....
Lordy123 (Author) Commented:
Can't ping the machine while the problem is occurring. And yes CTRL+SHIFT+ESC fails.

I'm completely out of ideas. At this point I had to rebuild the profiles on the last two affected machines I had to work with. Maybe I'll see it pop up on another machine Monday.
DarinTCH (Senior CyberSecurity Engineer) Commented:
If you boot with cached credentials, then connect to the network, does everything work? This would narrow it down to boot processes, not network functionality.
Lordy123 (Author) Commented:
Yes everything works fine if I connect after the user logs in with cached credentials.
Perform a clean startup to determine whether background programs are interfering with your game or program

Or else move it to another OU where there are no Startup/Logon scripts in place....
Lordy123 (Author) Commented:
johnb6767: Issue occurs in Safe Mode, so a clean install is going to fail as well.

On the OU suggestion, big "Duh" moment for me, I should have tried that already. I'll give that a shot and see how it behaves.  
Lordy123 (Author) Commented:
Still haven't figured it out, but it seems the issue is no longer occurring. Split points assigned for the suggestions.
Question has a verified solution.
