Solved

Windows 7 KSOD

Posted on 2011-09-09
Last Modified: 2012-06-27
Hi all,

I have a few Windows 7 machines that recently started booting to only a black screen with cursor.

It looks like explorer.exe is not loading if the machine is connected to the network during startup; offline, the machine boots fine. I’ve observed the following in Event Viewer:

Event ID 14  “Name resolution for domain.com timed out after none of the configured DNS servers responded.”
Event ID 27 “Intel(R) 82579LM Gigabit Network Connection Network link disconnected”
Event ID 1129 “The processing of Group Policy failed because of lack of network connectivity to a domain controller.”
Event ID 129 “NtpClient was unable to set a domain peer to use as a time source because of discovery error.”

I noticed that on a few machines, while docked, wireless and wired connections were both active, so I set the wireless connection to manually connect. I also flushed the DNS resolver cache and reset the Winsock catalog. Client’s machine still did not load explorer.exe.

I checked registry settings under “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” for any fallacious entries or signs of corruption; everything looked satisfactory. I also checked wininit.exe for any signs of corruption, also not the problem.

I added the following to the registry but it is only producing blank log files. The verbose status didn't tell me anything either.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"VerboseStatus"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserenvDebugLevel"=dword:00030002

The problem also occurs in Safe Mode; however, it is a profile-specific problem. On one machine, when I logged in as another user, afterwards the client's profile began to load but using a temp profile. I double-checked “HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList” and her “ProfileImagePath” value was correctly set. I did, however, notice that the last modified date on her profile directory was 4 days prior. I deleted the client's profile from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, and then renamed her profile directory to user.old; even after renaming the directory, its last modified date remained unchanged.

After checking other clients' machines I noticed similar inconsistencies; every machine has incorrect last modified dates. I haven't ever seen this on an NTFS file system.

I've ruled out RpcSs as the culprit: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs is starting under NT AUTHORITY\NetworkService, not LocalSystem.

Any other ideas would be greatly appreciated.
Question by:Lordy123
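
The four event IDs quoted in the question can be lined up against each boot to see whether the link drop comes before the DNS, time-source and Group Policy failures. The following PowerShell is an added example, not part of the original thread; it assumes the events are in the System log, uses event 6005 ("The Event log service was started") as the boot marker, and the 10-minute window is an arbitrary choice.

```powershell
# Added example: timeline of the event IDs quoted in the question, per boot.
# Run from an elevated PowerShell prompt after logging on offline.
# Uses only PowerShell 2.0 features, which is what Windows 7 ships with.

$ids           = 14, 27, 129, 1129   # IDs as quoted in the question; providers are not assumed
$windowMinutes = 10                  # assumption: logon happens within 10 minutes of boot

# Event 6005 marks each start of the Event Log service, i.e. each boot.
$boots = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
         Sort-Object TimeCreated

$timeline = foreach ($boot in $boots) {
    $filter = @{
        LogName   = 'System'
        Id        = $ids
        StartTime = $boot.TimeCreated
        EndTime   = $boot.TimeCreated.AddMinutes($windowMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object @{ n = 'Boot';      e = { $boot.TimeCreated } },
                      @{ n = 'OffsetSec'; e = { [int]($_.TimeCreated - $boot.TimeCreated).TotalSeconds } },
                      Id,
                      ProviderName,   # shown because an ID alone can match unrelated providers
                      @{ n = 'Message';   e = { ("$($_.Message)" -split "`r?`n")[0] } }
}

# One row per event, ordered within each boot by seconds since boot.
$timeline | Format-Table -AutoSize -Wrap
```

A boot in which the ID 27 row appears first, followed by 14, 129 and 1129, points at the network link rather than at the profile.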
18 Comments
 
LVL 12

Accepted Solution

by:
DarinTCH earned 167 total points
ID: 36514580
Are these on a domain?
Physical or virtual?
Roaming profiles?
Why is DNS failing?
SBS or full domain?
0
 
LVL 6

Author Comment

by:Lordy123
ID: 36514753
Machines are on a full domain
Physical machines
Local Profiles

No idea why DNS is failing. I wasn't sure how to troubleshoot that; I couldn't get to a command prompt.
0
 
LVL 5

Expert Comment

by:Feebleminder
ID: 36514887
Can you log on locally as the local admin? If you can, you can test through CMD that way.

Also, have you tried booting up in Debugging Mode or Boot Logging Mode in the Advanced Startup Options Menu?

0
 
LVL 10

Assisted Solution

by:Jim-R
Jim-R earned 167 total points
ID: 36517208
Probably the simplest and most expedient way to deal with profile-specific problems is to recreate the profile with a fresh one and replace the user data. Instructions on doing so here:

Fix a corrupted user profile Win 7
0
 
LVL 6

Author Comment

by:Lordy123
ID: 36525293
Feebleminder:

If I log into any other profile besides the client's, it becomes impossible to recreate the issue, as the client's profile completely corrupts to the point of needing to be recreated.

Jim-R: See above, we are using that as a fix for now, but I would like to reach a root cause diagnosis.

0
 
LVL 6

Author Comment

by:Lordy123
ID: 36525319
So this is what my troubleshooting situation looks like:

Client cannot log in when connected to the network. When we boot offline client can log in with cached credentials. Completely unable to open task manager or cmd prompt when problem occurs. Verbose logging produces no logs. Any other ideas on how I can see what is going on with the network during logon?

I would like to focus more on the last modified date too, any ideas when that would not update? I was thinking a registry or file permissions error.
0
 
LVL 10

Expert Comment

by:Jim-R
ID: 36525741
From johnb6767

This is my standard "canned" answer in dealing with <insert your process problem here>.... Follow this procedure below to isolate exactly what is happening......

Process Monitor

Save this to the root of C as an Admin, and log in the problem user. Do a RunAs with your Admin credentials to launch it, and then set the filter at the top to Include <whatever you could possibly be looking for> then "Include", and then try and recreate the problem by launching the app. Then go look at the logging, and it will tell you where the problem happened. Once you open those up, keep retrying until you get the desired results....
0
 
LVL 6

Author Comment

by:Lordy123
ID: 36525781
Yes but in this case, I would perform all those steps and see nothing out of the ordinary. Reason being I would have to:

Take machine off network
Log in problem user
Plug in network (At this point it will work fine)
Run PM, see nothing wrong

See what I'm dealing with?
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 166 total points
ID: 36549286
"Client’s machine still did not load explorer.exe"

You cannot even get to the Task Manager using CTRL+SHIFT+ESC?

At the black screen, do the CAPS/NUM lock lights activate?

Can you ping the machines? Might see if PSExec can hit the box from another machine, and launch the Task Manager remotely....

psexec \\thispc -i taskmgr.exe

The -i switch should make it interactive on "thispc's" display....
0
 
LVL 6

Author Comment

by:Lordy123
ID: 36549367
Can't ping the machine while the problem is occurring. And yes CTRL+SHIFT+ESC fails.

I'm completely out of ideas. At this point I had to rebuild the profiles on the last two affected machines I had to work with. Maybe I'll see it pop up on another machine Monday.
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 36549515
If you boot with cached credentials and then connect to the network, does everything work? This would narrow it down to boot processes, not network functionality.
0
 
LVL 6

Author Comment

by:Lordy123
ID: 36557933
Yes everything works fine if I connect after the user logs in with cached credentials.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36564592
Perform a clean startup to determine whether background programs are interfering with your game or program
http://support.microsoft.com/kb/331796

Or else move it to another OU where there are no Startup/Logon scripts in place....
0
 
LVL 6

Author Comment

by:Lordy123
ID: 36569521
johnb6767: Issue occurs in Safe Mode, so a clean install is going to fail as well.

On the OU suggestion, big "Duh" moment for me, I should have tried that already. I'll give that a shot and see how it behaves.  
0
 
LVL 6

Author Closing Comment

by:Lordy123
ID: 36986670
Still haven't figured it out, but it seems the issue is no longer occurring. Split points assigned for the suggestions.
0
