• Status: Solved

Continuous loop in XP. LSASS.exe error

Hello Experts

I'm working on a client's machine.  The original symptom was that Windows hung at the splash screen.  I ran some external scans (Norton, MalwareBytes and SuperAntiSpyware) and found a couple trojans.  Removed them but had the same results.
 
I ran a repair install and now it boots, but I get a lsass.exe error.  It says "When trying to update a password this return status indicates that the value provided as the current password is incorrect".  I went to the recovery console to repair the security file, but it asks for the administrator password.  Tried a blank password and that didn’t work.  So I ran my password removal tool, but a blank password still does not work.

An interesting thing about the results with my password removal tool:  The user's account name didn't show up as one of the accounts.  Ordinarily it shows all the account names.

Because it’s a lsass error, I re-scanned using MalwareBytes, but it came up clean.
I’m currently running a virus scan but if I can get some insight while that’s running, I’d appreciate it.

Any ideas?

Thanks

thedslguy
 
johnb6767 Commented:
See my second comment here

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22888110.html

For details on how to remove the Password Prompt in the Recovery Console. Personally, I haven't used the RC in ages, as I would use UBCD instead, MUCH more robust....

Assuming Safe Mode behaves the same?
 
flubbster Commented:
Once you are able to get to the recovery console, or if you use an alternate boot system or can boot to a command prompt, you can try replacing just the security registry hive.

ren c:\windows\system32\config\security  security.bak

copy c:\windows\repair\security c:\windows\system32\config\security
 
johnb6767 Commented:
FYI, the one from the CONFIG directory is from the FIRST boot after installation. Use the ones from the Restore Points if available. Else you might have issues logging in. Those details are listed above in my first link......
 
johnb6767 Commented:
Not the Config directory, the Repair directory...... Need caffeine.....  :)
 
thedslguy (Computer and Network Consultant, Author) Commented:
johnb6767

My copy of UBCD is way outdated.  I'm creating a new one and then I'll run the recovery.

Thanks

tdg
 
thedslguy (Computer and Network Consultant, Author) Commented:
I just replaced the securith hive.  No change.  It still gave me the lsass error:

"When trying to update a password this return status indicates that the value provided as the current password is incorrect".

Sure would like to fix this without a clean install.

Also:  Sure do like the new UBCD!

tdg
 
thedslguy (Computer and Network Consultant, Author) Commented:
Also, when I try to boot from the Windows CD and go to RC it still says a blank password is not valid.

tdg
 
thedslguy (Computer and Network Consultant, Author) Commented:
Typo there.:  Securith hive = security hive.

I also created a new SAM file with the same results.

In other words, it still gives the same error (LSASS error: "When trying to update a password this return status indicates that the value provided as the current password is incorrect")

And it's still in the restart loop.

tdg
 
thedslguy (Computer and Network Consultant, Author) Commented:
johnb6767

One more thing:

I just saw that in the post you had me look at, you said to load the hive.  Well, that option is greyed out.  

I'm going to try it with Bart PE

tdg
 
thedslguy (Computer and Network Consultant, Author) Commented:
Does anyone know of a way to view and edit hives when accessing the drive externally?

I made a clone of this drive before I started and when looking at the original I find the SAM file the same size as the sam file in c:\windows\repair.  I'm afraid the lsass bug destroyed the user's profile and I'd like to find a way to restore it.

Any ideas?
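Added example, not part of the thread: matching file sizes are weak evidence that the live SAM is the repair copy, so this sketch checks a hive file read from the externally mounted drive and compares it with the one in c:\windows\repair. It assumes the publicly documented regf base-block layout (signature, two sequence numbers, last-written FILETIME, XOR checksum at offset 508); the function names and the sample header are constructed for illustration.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 512  # regf base block; its checksum covers the first 508 bytes


def regf_checksum(header: bytes) -> int:
    """XOR the first 127 little-endian dwords, then apply the format's fix-ups."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        value ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(value, value)


def inspect_hive(data: bytes) -> dict:
    """Check a hive's base block and return the fields worth comparing."""
    if len(data) < HEADER_LEN or data[:4] != b"regf":
        return {"valid": False, "sha256": hashlib.sha256(data).hexdigest()}
    seq1, seq2, filetime = struct.unpack_from("<IIQ", data, 4)
    (stored,) = struct.unpack_from("<I", data, 508)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
    return {
        "valid": stored == regf_checksum(data),
        "clean_shutdown": seq1 == seq2,   # unequal: hive was mid-write
        "last_written": epoch + timedelta(microseconds=filetime // 10),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare_hives(live: bytes, repair: bytes) -> str:
    """Say whether the live hive is intact and whether it is just the repair copy."""
    a, b = inspect_hive(live), inspect_hive(repair)
    if not a["valid"]:
        return "live hive header is damaged"
    if a["sha256"] == b["sha256"]:
        return "live hive is byte-identical to the repair copy"
    return "live hive differs from the repair copy"


def build_sample_hive(filetime: int, seq1: int = 1, seq2: int = 1) -> bytes:
    """Constructed sample input: a bare base block with a correct checksum."""
    header = bytearray(HEADER_LEN)
    header[:4] = b"regf"
    struct.pack_into("<IIQ", header, 4, seq1, seq2, filetime)
    struct.pack_into("<I", header, 508, regf_checksum(bytes(header)))
    return bytes(header)


if __name__ == "__main__":
    sample = build_sample_hive(128436192000000000)  # 2008-01-01 00:00 UTC
    print(inspect_hive(sample), compare_hives(sample, sample))
```

On a real drive, pass the bytes of the mounted config\SAM and repair\SAM files to compare_hives; an identical hash means the live hive holds only the accounts that existed at first boot after installation.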
 
johnb6767 Commented:
"I just saw that in the post you had me look at, you said to load the hive.  Well, that option is greyed out. "

Highlight HKLM first, then Load Hive is visible....
 
thedslguy (Computer and Network Consultant, Author) Commented:
It WORKED!!!

The client still has some issues, but I got to his profile.

THANK YOU SOOOOOOOO MUCH, johnb6767!!!

thedslguy
 
johnb6767 Commented:
Glad it worked....
Question has a verified solution.