
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2049

Win 7, Win 2008 Enterprise Server Black Screen on login

Hello all,

I am having an issue with a Win 7 physical machine and 3 Win 2008 Enterprise Server virtual machines. I'll start from the beginning...

I am securing my test environment for deployment. I have 4 Win 2008 Enterprise servers running in VMware Fusion, and 2 Win 7 Pro physical machines. This seems to be a GPO issue, as this is the only thing I am tweaking that can reach all of these machines, and because the only machine not affected is my domain controller (because it has its own GPO). I have read posts where admins have scripts for XP that are affecting Win 7 machines, but this is not the case here. These machines are the only thing on the domain. I have an extensive GPO defined. I am thinking that maybe it was the Computer/Policies/Windows/Security/Local/User rights/Profile system performance value that was causing my issue; originally this was set to only include admins and the diagnostic host profile (WdiServiceHost). I removed admins due to the customer requirements.

I began getting errors in the event log, so I added System, Local System and service accounts just to see if they went away. Then, one at a time (after my GPO refresh intervals), the machines started dropping like flies (both physical and virtual alike). When they boot up they get past the BIOS screen, then the black screen appears after the boot animation but before the OS splash screen and Ctrl+Alt+Del screen is displayed; the cursor is loaded and I am able to control it, but that is it. I let them sit all weekend to see if they would recover, but with no success. I disabled the GPO and restored the snapshot of the VMs and let them run all weekend and it did not happen again, so I am confident it was the GPO.

My question is how do I recover my physical machine? I could do a system restore, but I would like to find a way to fix this without losing data. So I think I am trying to remove the cached GPO so it will redownload on next boot. I read that you can delete the network user profiles from the machines and this is where the cached GPO is stored; unfortunately I cannot get into the system at all. Safe mode just gives me a bigger cursor but still a black screen. I can get into the command prompt in the system recovery portion of the Win 7 Pro CD, but when I try to del the profiles it seems to complete but nothing is deleted. I tried the Win resource tool DELPROF.EXE, but since the system is not completely booted it is not responding to any network requests. Anyone have any suggestions on how to remove the cached GPO so I can boot this system without system restore?
0
PMP_Admin
Asked:
1 Solution
 
PMP_AdminAuthor Commented:
I have since booted to UBCD and deleted the user profiles, and this does not allow for normal boot. I am booting to my Win 7 Pro CD and I am noticing that the drive letter assignment for the Windows partition is D: and it was C: before. I have read that this can affect the boot and can cause symptoms like I am seeing, but only on the physical machine.
0
 
johnb6767Commented:
"I could do a system restore but I would like to find a way to fix this with out losing data."

You don't lose Data, but would lose installed apps that were done after your latest restore point....
0
 
johnb6767Commented:
Also, assuming that Last Known Good configuration was tried?
0

 
PMP_AdminAuthor Commented:
Yeah, so I tried everything I could and resorted to system restore, but the most recent restore point I made failed to restore. So I had to roll back to the oldest point (it was a new install). I would still like to know what is causing this. I snapshotted my VMs for troubleshooting before restoring. Unfortunately this keeps happening. I'm going to try to get the test Win 7 physical machine I am working on to black screen again.
0
 
PMP_AdminAuthor Commented:
So I think I have narrowed it down. I had to restrict access to the c:/windows/system32/winevt/ application, security, and system logs to a non-builtin user group and remove the administrators' write access. I did it so many times I figured if I just did the entire winevt folder then this would do the same thing. Well, I think this was causing my black screens. Can anybody else think of a reason why this would not be the case, or a supporting reason why this is the case?
0
 
johnb6767Commented:
I think that explains a lot. Did you remove the SYSTEM account as well from there? If you have to restrict it, leave the SYSTEM and the EventLog groups with their default permissions and THEN remove the others; I think you would be fine.....

Why so granular in trying to lock down this directory?
0
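The order johnb6767 recommends (confirm SYSTEM and the Event Log service's own identity keep their default access, then restrict the rest), as an added PowerShell example that is not from this thread: it checks the ACL on the winevt\Logs folder, refuses to edit it if those principals would lose Full Control, and only writes the change with -Apply. The function names are hypothetical and the auditor group is whatever the caller passes in.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell session.
$LogStore = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$MustKeep = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\EventLog')   # the log writers themselves
$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-FullControlHolders {
    # Identities holding an Allow ACE that covers every FullControl bit.
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    @($Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $Full) -eq $Full) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
}

function Test-EventLogStoreAcl {
    # Report whether the required principals still have Full Control.
    # -Acl lets an edited, not-yet-written ACL object be checked as well.
    param(
        [string]$Path = $LogStore,
        [System.Security.AccessControl.FileSystemSecurity]$Acl = (Get-Acl -Path $Path)
    )
    $holders = Get-FullControlHolders -Acl $Acl
    $missing = @($MustKeep | Where-Object { $holders -notcontains $_ })
    New-Object PSObject -Property @{
        Path        = $Path
        FullControl = $holders
        Missing     = $missing
        Safe        = ($missing.Count -eq 0)
    }
}

function Set-EventLogStoreAcl {
    # Auditors get Full Control, Administrators drop to read, Users lose access.
    # Dry run by default; pass -Apply to write the ACL.
    param(
        [Parameter(Mandatory = $true)][string]$AuditorGroup,   # e.g. 'DOMAIN\Auditor Group' (placeholder)
        [string]$Path = $LogStore,
        [switch]$Apply
    )
    $before = Test-EventLogStoreAcl -Path $Path
    if (-not $before.Safe) {
        throw "Refusing to touch ${Path}: $($before.Missing -join ', ') lack Full Control"
    }
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and keep the inherited ACEs as explicit ones;
    # otherwise RemoveAccessRuleAll below would leave inherited entries untouched.
    $acl.SetAccessRuleProtection($true, $true)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $rule = { param($id, $rights)
        New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, $inherit, $none, 'Allow') }

    $acl.AddAccessRule((& $rule $AuditorGroup 'FullControl'))
    # RemoveAccessRuleAll strips every ACE for the identity, whatever rights the template names.
    $acl.RemoveAccessRuleAll((& $rule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((& $rule 'BUILTIN\Administrators' 'ReadAndExecute'))
    $acl.RemoveAccessRuleAll((& $rule 'BUILTIN\Users' 'FullControl'))

    # Re-check the edited object before anything reaches the disk.
    $after = Test-EventLogStoreAcl -Path $Path -Acl $acl
    if (-not $after.Safe) {
        throw "Edited ACL would drop $($after.Missing -join ', ')"
    }
    if ($Apply) { Set-Acl -Path $Path -AclObject $acl }
    return $after
}

# Dry run first, then commit once the report shows Safe = True:
#   Set-EventLogStoreAcl -AuditorGroup 'DOMAIN\Auditor Group'
#   Set-EventLogStoreAcl -AuditorGroup 'DOMAIN\Auditor Group' -Apply
```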
 
PMP_AdminAuthor Commented:
Customer's requirement. By default there is NT SERVICE/WdiServiceHost and administrator. I let the GPO sit all day yesterday and did other work on the server, and the system black screened again. I am starting to think that the GPO may be corrupt. Anyone know a way to verify?
0
 
PMP_AdminAuthor Commented:
Domain controller has also been affected
0
 
PMP_AdminAuthor Commented:
I assume, since I have not been able to log into the site, that others are having the same issue and that's why there have not been any new posts for a week..... When will the site be somewhat reliable again?
0
 
David Johnson, CD, MVPOwnerCommented:
You keep saying it is needed as per customer request, so the customer knows that there are extreme pitfalls in fulfilling this request.
Did you also change EVERY service that uses Local System to use your 'customized account'? The same with NETWORK SERVICE?

Why does the customer believe that by using a different name it will enhance security? Or do they believe in security by obscurity?

You will also have to go through EVERYTHING that starts on boot up to use the customized user account. And you've had your one chance to do this, and it failed... and no proper backup to restore things to before you started... bad move.
0
 
PMP_AdminAuthor Commented:
I apologize for the confusion; that statement was aimed at the question "Why so granular in trying to lock down this directory?"

This question was referring to the event logs; in this domain, only an auditor can have access to edit and write to these logs.

I did not remove or change permissions or user rights to any services or any other startup functions, only restricted write access to the logs.

Here is a copy of the GPO:

Security Settings
Account Policies/Password Policy
Policy      Setting
Enforce password history      24 passwords remembered
Maximum password age      42 days
Minimum password age      1 days
Minimum password length      14 characters
Password must meet complexity requirements      Enabled
Store passwords using reversible encryption      Disabled
Account Policies/Account Lockout Policy
Policy      Setting
Account lockout duration      0 minutes
Account lockout threshold      3 invalid logon attempts
Reset account lockout counter after      60 minutes
Account Policies/Kerberos Policy
Policy      Setting
Enforce user logon restrictions      Enabled
Maximum lifetime for service ticket      600 minutes
Maximum lifetime for user ticket      10 hours
Maximum lifetime for user ticket renewal      7 days
Maximum tolerance for computer clock synchronization      5 minutes
Local Policies/Audit Policy
Policy      Setting
Audit account logon events      Success, Failure
Audit logon events      Success, Failure
Audit object access      No auditing
Audit policy change      Success, Failure
Audit privilege use      Failure
Audit process tracking      No auditing
Audit system events      No auditing
Local Policies/User Rights Assignment
Policy      Setting
Access Credential Manager as a trusted caller      
Access this computer from the network      NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system      
Add workstations to domain      BUILTIN\Administrators
Adjust memory quotas for a process      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally       Domain Admins, BUILTIN\Administrators
Allow log on through Terminal Services      BUILTIN\Administrators
Back up files and directories      BUILTIN\Administrators
Bypass traverse checking      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile      BUILTIN\Administrators
Create a token object      
Create global objects      NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects      
Create symbolic links      BUILTIN\Administrators
Debug programs      
Deny access to this computer from the network      BUILTIN\Guests
Deny log on as a batch job      BUILTIN\Guests
Deny log on as a service      
Deny log on locally      BUILTIN\Guests
Deny log on through Terminal Services      BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation      BUILTIN\Administrators
Force shutdown from a remote system      BUILTIN\Administrators
Generate security audits      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication      NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase a process working set      NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority      BUILTIN\Administrators
Load and unload device drivers      BUILTIN\Administrators
Lock pages in memory      
Log on as a batch job      BUILTIN\Administrators
Manage auditing and security log      PMP\Auditor Group
Modify an object label      BUILTIN\Administrators
Modify firmware environment values      BUILTIN\Administrators
Perform volume maintenance tasks      BUILTIN\Administrators
Profile single process      BUILTIN\Administrators
Profile system performance      BUILTIN\Administrators
Remove computer from docking station      BUILTIN\Administrators
Replace a process level token      NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories      BUILTIN\Administrators
Shut down the system      BUILTIN\Administrators
Synchronize directory service data      
Take ownership of files or other objects      BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy      Setting
Accounts: Administrator account status      Enabled
Accounts: Guest account status      Disabled
Accounts: Limit local account use of blank passwords to console logon only      Enabled
Accounts: Rename administrator account      "DELETED"
Accounts: Rename guest account      "DELETED"
Audit
Policy      Setting
Audit: Audit the access of global system objects      Disabled
Audit: Audit the use of Backup and Restore privilege      Disabled
Audit: Shut down system immediately if unable to log security audits      Disabled
Devices
Policy      Setting
Devices: Allow undock without having to log on      Disabled
Devices: Allowed to format and eject removable media      Administrators
Devices: Prevent users from installing printer drivers      Enabled
Devices: Restrict CD-ROM access to locally logged-on user only      Disabled
Domain Member
Policy      Setting
Domain member: Digitally encrypt or sign secure channel data (always)      Enabled
Domain member: Digitally encrypt secure channel data (when possible)      Enabled
Domain member: Digitally sign secure channel data (when possible)      Enabled
Domain member: Disable machine account password changes      Disabled
Domain member: Maximum machine account password age      30 days
Domain member: Require strong (Windows 2000 or later) session key      Enabled

DELETED

Interactive logon: Number of previous logons to cache (in case domain controller is not available)      1 logons
Interactive logon: Prompt user to change password before expiration      14 days
Interactive logon: Require Domain Controller authentication to unlock workstation      Disabled
Interactive logon: Require smart card      Disabled
Interactive logon: Smart card removal behavior      Lock Workstation
Microsoft Network Client
Policy      Setting
Microsoft network client: Digitally sign communications (always)      Enabled
Microsoft network client: Digitally sign communications (if server agrees)      Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers      Disabled
Microsoft Network Server
Policy      Setting
Microsoft network server: Amount of idle time required before suspending session      15 minutes
Microsoft network server: Digitally sign communications (always)      Enabled
Microsoft network server: Digitally sign communications (if client agrees)      Enabled
Microsoft network server: Disconnect clients when logon hours expire      Enabled
Network Access
Policy      Setting
Network access: Allow anonymous SID/Name translation      Disabled
Network access: Do not allow anonymous enumeration of SAM accounts      Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares      Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication      Enabled
Network access: Let Everyone permissions apply to anonymous users      Disabled

DELETED

Network Security
Policy      Setting
Network security: Do not store LAN Manager hash value on next password change      Enabled
Network security: Force logoff when logon hours expire      Disabled
Network security: LAN Manager authentication level      Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements      Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients      Enabled
Require NTLMv2 session security      Enabled
Require 128-bit encryption      Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers      Enabled
Require NTLMv2 session security      Enabled
Require 128-bit encryption      Enabled
Recovery Console
Policy      Setting
Recovery console: Allow automatic administrative logon      Disabled
Recovery console: Allow floppy copy and access to all drives and all folders      Disabled
Shutdown
Policy      Setting
Shutdown: Allow system to be shut down without having to log on      Disabled
Shutdown: Clear virtual memory pagefile      Disabled
System Cryptography
Policy      Setting
System cryptography: Force strong key protection for user keys stored on the computer      User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing      Disabled
System Objects
Policy      Setting
System objects: Require case insensitivity for non-Windows subsystems      Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)      Enabled
System Settings
Policy      Setting
System settings: Optional subsystems      
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies      Enabled
User Account Control
Policy      Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account      Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode      Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users      Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation      Enabled
User Account Control: Only elevate executables that are signed and validated      Disabled
User Account Control: Run all administrators in Admin Approval Mode      Enabled
User Account Control: Switch to the secure desktop when prompting for elevation      Enabled
User Account Control: Virtualize file and registry write failures to per-user locations      Enabled
Other
Policy      Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings      Enabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)      Highest protection, source routing is completely disabled
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)      Enabled
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)      Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop      Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations      Enabled
Event Log
Policy      Setting
Maximum application log size      16384 kilobytes
Maximum security log size      1000064 kilobytes
Maximum system log size      16384 kilobytes
Prevent local guests group from accessing application log      Enabled
Prevent local guests group from accessing security log      Enabled
Prevent local guests group from accessing system log      Enabled
Retention method for application log      As needed
Retention method for security log      Manually
Retention method for system log      As needed
Restricted Groups
Group                        Members                Member of
BUILTIN\Remote Desktop Users    Administrators

DELETED
0
 
PMP_AdminAuthor Commented:
The profile system performance entry was the one in question and I have restored it to its defaults. It is not shown here because I had to restore my snapshot to get the printout.
0
 
PMP_AdminAuthor Commented:
Loose ends:

 "I am noticing that the drive letter assignment for the windows partition is D: and it was C: before"
I do not think this is a factor; maybe the Win 7 CD reassigns the drive letter when it is the boot source.

"Did you remove the SYSTEM account as well from there(event logs)? If you have to restrict it, leave the SYSTEM and the EventLog groups"
I only removed "users" read and write access and administrators write access, then added the auditors group with full access, all System and service accounts were not modified.

The GPO printout does not reflect registry permissions or changes that are pushed by the GPO. My policy restricts access to the HKLM/software/microsoft/windowsNT/currentversion/winlogon key in the following manner: remove any non-administrative users' read and write access, no system or service changes.

Also, auditing on HKLM/System and Software was enabled for any failed attempt to write changes.

There are many other registry changes that are pushed; most of them configure the anti-virus software, as it is an enterprise version with no user-configurable options, so the registry is the only way to configure scanning and detection. Also, IPv6 is disabled through the GPO, as the customer has no mitigation plan for IPv6; there will be no internet access, and the only devices that will be on the network are the machines listed in the OP, all of which are statically addressed using IPv4.

0
 
PMP_AdminAuthor Commented:
"you will also have to go through EVERYTHING that starts on boot up to use the customized user account. and you've had your one chance to do this. and it failed.. and no proper backup to restore things to before you started.. bad move. "
I believe you made this comment on a false assumption that I had changed the system user account without a backup plan, but I will address it anyway. This is not the case, and I did system restore my physicals and snapshots on my virtuals, all physicals are "test" machines with only base loads of the win7 pro os, I am more worried about deployment, and I would like to know how to recover from this. The system restore point says it fails but then I am able to boot after the "failure"
0
 
Run5kCommented:
"I am noticing that the drive letter assignment for the windows partition is D: and it was C: before"
I do not think this is a factor, maybe the Win 7 cd reassigns drive letter when it is the boot source.

Probably not, but I wouldn't completely dismiss this, either.  I have seen some rather strange behavior occur in a Windows build because of a partition that somehow managed to change drive letters in the midst of its life cycle.
0
 
David Johnson, CD, MVPOwnerCommented:
Did you assign a drive letter to the 'recovery partition'?? Oops, saw that you were referring to the drive assignment from the Windows 7 install CD. Yes, it will assign drive letters as it sees them:
first primary partition (on each physical drive), then next partition on each (physical drive), i.e. and it does see the recovery partition and assigns it a drive letter
drive 0 partition 1 partition 2 partition 3
drive 1 partition 1
drive 2 partition 1 partition 2

drive 2 boot device partition 1 is active
drive letter assignment
drive 0 C F H
drive 1 D
drive 2 E G
which on boot
drive 0 D F H
drive 1 E G
drive 2 C
Drive 0 and drive 1 can flip depending on which order Windows sees them in at boot, unless you change the drive letters using diskmgmt.msc.


"can have access to edit and write to these logs"
Not correct, as "system" has to have full access to write these logs or they will never be written.

0
 
David Johnson, CD, MVPOwnerCommented:
And the recovery partition (which does not get an assigned drive letter) will be assigned drive C: from the Windows installation or other boot media.
0
 
PMP_AdminAuthor Commented:
26/10/11 07:38 AM, ID: 37030288 "I only removed "users" read and write access and administrators write access, then added the auditors group with full access, all System and service accounts were not modified."

To reduce confusion I am only working on the 08 server which is a VM, and has no recovery partitions. But the physical machines have been completely formatted the only other partition other than the OS is the system reserved 100MB hidden partitioning.

I ran MPS reports on the VM server and I did find this in the DMDIAG file,

---------- Consolidated LDM Configuration Data ----------

ERROR: scan operation failed:
      A format error was found in the private region of the disk
ERROR: scan operation failed:
      A format error was found in the private region of the disk

I googled it and I think it's normal.

I am running HijackThis and I cannot save the log file; the results come up with an owner permissions issue on a lot of files. Does anyone know who is supposed to be the owner of the system files, such as most of the system32 folder? Currently they are set to TrustedInstaller, but 'he' has no access in the permissions.
0
 
PMP_AdminAuthor Commented:
I think I have the root of the cause pinned down, just no fix. I have desperately tried everything I can think of to figure out the cause of this black screen and decided to try HiJackThis just to see, I first ran it on the Server 2008 VM, and I got the following output

Running processes:
C:\Users\ME\Desktop\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=
O1 - Hosts: ::1 localhost
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MYdomain
O17 - HKLM\System\CCS\Services\Tcpip\..\{5010909C-DD77-403D-B4EC-A2868CCF822A}: NameServer = My DNS Servers
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MYdomain
O17 - HKLM\System\CS1\Services\Tcpip\..\{5010909C-DD77-403D-B4EC-A2868CCF822A}: NameServer = My DNS Servers
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe (file missing)
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: TP VC Gateway Service (TPVCGateway) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPVCGateway.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
O23 - Service: VMware Upgrade Helper (VMUpgradeHelper) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 5775 bytes

Out of this I would like to turn your attention to

F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=

As shell is what is not loading and Userinit is the program that is run before the shell, this makes sense: I have nothing but a black screen. So I run it on a known good configuration and these items do not appear. So I google this and find that the system.ini file is mapped (via the inimapping registry entry) to the HKLM/Software/Microsoft/WindowsNT/CurrentVersion/Winlogon directory, but when I look there the correct information is entered (Shell=Explorer.exe and Userinit=C:/windows/system32/userinit.exe,). These entries are also contained in the WOW64 registry path as well, but with no path, just the file name.

I then ran HijackThis on another machine known to black screen and I got the same empty entries. So I am sure I am on the correct path. Anyone know where HijackThis is pulling this from? I checked their (and many other) forums and they all just say it pulls from the above registry entries. Also the auto-correct feature does not fix the issue. So at least I have now found one consistent thing within the black screen.
0
 
PMP_AdminAuthor Commented:
I manually verified all of the unknown owners / missing files are there and the owner is TrustedInstaller; I also verified this is the correct owner on a base install of the OS.
0
 
PMP_AdminAuthor Commented:
Run5k:, If this was the case would I still get the boot animation or would I get an error like " No bootable volumes available" or "no operating systems found"
0
 
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
PMP_AdminAuthor Commented:
How about instead of "Deleting" this post you instead offer some assistance in the form of directing some additional help?

This is what I have paid for?  

Crappy reliability from your Web hosting then forcing deletion?

Great site......
0
 
David Johnson, CD, MVPOwnerCommented:
Windows NT-based systems do not use these

F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=

system.ini is only used in Windows prior to Windows 2000 and excluding Windows NT.

Instead it uses HKLM\software\microsoft\windows\currentversion\winlogon\shell\   c:\windows\explorer.exe
Due to Windows security, HijackThis is not that good anymore... many of the items it reports as missing are actually there but it cannot access them.

Have you tried editing the boot options and adding the boot log entry and then examining this log and seeing where it fails?


0
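Capturing the Winlogon values the HijackThis F2 lines stand in for (Shell, Userinit) together with who can read that key, from a known-good machine and from the failing one, as an added PowerShell example that is not from this thread. It assumes the failing system's SOFTWARE hive has been loaded as HKLM\OFFLINE from the recovery command prompt; the function names are made up.

```powershell
# Added example, not code from the thread. To inspect a machine that will not boot,
# load its hive from WinRE first (D: being the offline Windows volume, an assumption):
#   reg load HKLM\OFFLINE D:\Windows\System32\config\SOFTWARE
# and then call Get-WinlogonState -Root 'HKLM:\OFFLINE'.

function Get-WinlogonState {
    # Returns a hashtable keyed 'native' / 'wow64' with Shell, Userinit and the
    # identities allowed to query values on each Winlogon key.
    param([string]$Root = 'HKLM:\SOFTWARE')
    $paths = @{
        native = "$Root\Microsoft\Windows NT\CurrentVersion\Winlogon"
        wow64  = "$Root\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
    }
    $read  = [System.Security.AccessControl.RegistryRights]::QueryValues
    $state = @{}
    foreach ($name in $paths.Keys) {
        $key = $paths[$name]
        if (-not (Test-Path -Path $key)) { continue }   # no WOW6432Node on 32-bit Windows
        $values  = Get-ItemProperty -Path $key
        $readers = @((Get-Acl -Path $key).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (($_.RegistryRights -band $read) -eq $read) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)
        $state[$name] = New-Object PSObject -Property @{
            Key      = $key
            Shell    = [string]$values.Shell
            Userinit = [string]$values.Userinit
            Readers  = ($readers -join '; ')
        }
    }
    return $state
}

function Compare-WinlogonState {
    # Lists every field that differs between a good capture and a suspect one.
    param(
        [Parameter(Mandatory = $true)][hashtable]$Good,
        [Parameter(Mandatory = $true)][hashtable]$Suspect
    )
    $diffs = @()
    foreach ($name in $Good.Keys) {
        if (-not $Suspect.ContainsKey($name)) {
            $diffs += "$name key is missing on the suspect machine"
            continue
        }
        foreach ($field in 'Shell', 'Userinit', 'Readers') {
            $g = $Good[$name].$field
            $s = $Suspect[$name].$field
            if ($g -ne $s) {
                $diffs += "$name $field differs: good='$g' suspect='$s'"
            }
        }
    }
    return $diffs
}

# On the known-good machine:
#   Get-WinlogonState | Export-Clixml good.xml
# With the failing machine's hive loaded:
#   Compare-WinlogonState -Good (Import-Clixml good.xml) -Suspect (Get-WinlogonState -Root 'HKLM:\OFFLINE')
```

An empty result means Shell, Userinit and the key's read permissions match the good machine, which rules that key out; any line listing Readers points at the GPO's permission change rather than the values.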
 
PMP_AdminAuthor Commented:
I did enable boot logging in October and this is what I was able to retrieve out of the ntbtlog.txt file that is created - as you can see, not much help.


 Service Pack 210 21 2011 07:11:34.484
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\mcupdate_GenuineIntel.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\DRIVERS\sacdrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\NDIS.SYS
Loaded driver \SystemRoot\system32\DRIVERS\msrpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\NETIO.SYS
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\acpi.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\DRIVERS\compbatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\BATTC.SYS
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\system32\drivers\intelide.sys
Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\lsi_sas.sys
Loaded driver \SystemRoot\system32\drivers\storport.sys
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys
Loaded driver \SystemRoot\system32\drivers\storflt.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\System32\Drivers\spldr.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\system32\drivers\mfehidk.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS
Loaded driver \SystemRoot\system32\drivers\crcdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\vmmouse.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\vmci.sys
Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\vm3dmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\E1G6032E.sys
Loaded driver \SystemRoot\system32\drivers\vmaudio.sys
Loaded driver \SystemRoot\system32\drivers\ksthunk.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\msiscsi.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\dfs.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Did not load driver \SystemRoot\C:\Program Files\VMware\VMware Tools\vmrawdsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys
Loaded driver \SystemRoot\system32\drivers\mfetdik.sys
Loaded driver \SystemRoot\system32\DRIVERS\smb.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\drivers\afd.sys
Loaded driver \SystemRoot\system32\drivers\ws2ifsl.sys
Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\System32\DRIVERS\vmhgfs.sys
Did not load driver \SystemRoot\C:\Windows\system32\Drivers\vmdebug.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
Loaded driver \SystemRoot\system32\DRIVERS\udfs.sys
Loaded driver \SystemRoot\system32\DRIVERS\monitor.sys
Loaded driver \SystemRoot\system32\drivers\luafv.sys
Loaded driver \SystemRoot\system32\DRIVERS\lltdio.sys
Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys
Loaded driver \SystemRoot\System32\DRIVERS\srvnet.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv2.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\drivers\HTTP.sys
Did not load driver \SystemRoot\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
Loaded driver \SystemRoot\system32\DRIVERS\bowser.sys
Loaded driver \SystemRoot\System32\drivers\mpsdrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb10.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb20.sys
Loaded driver \SystemRoot\system32\drivers\peauth.sys
Loaded driver \SystemRoot\System32\Drivers\secdrv.SYS
Loaded driver \SystemRoot\System32\drivers\tcpipreg.sys

I looked into the "driver not loaded" and the answer I got (don't know if it's correct or not) is that just because it says driver not loaded doesn't point to an error; the system may not have needed the driver.
0
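Reading a boot log like the one above by eye is tedious, so here is an added PowerShell script (not from the thread) that summarises ntbtlog.txt. Windows appends a new session to the file on every boot with logging enabled; the script keeps only the last session, lists the "Did not load driver" entries, and reports the last driver that did load, which tells you how far kernel-mode boot got before the log stops. The -LogPath parameter is an assumption.

```powershell
# Added example: summarise the most recent session of an ntbtlog.txt boot log.
param([string]$LogPath = "$env:SystemRoot\ntbtlog.txt")

function Get-BootLogSummary {
    param([string[]]$Lines)
    $loaded    = New-Object System.Collections.ArrayList
    $notLoaded = New-Object System.Collections.ArrayList
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '') { continue }
        if ($text -match '^Loaded driver\s+(.+)$') {
            [void]$loaded.Add($Matches[1])
        } elseif ($text -match '^Did not load driver\s+(.+)$') {
            [void]$notLoaded.Add($Matches[1])
        } else {
            # Anything else is a session header (Windows version / timestamp):
            # a new boot started, so discard what was collected so far.
            $loaded.Clear(); $notLoaded.Clear()
        }
    }
    $lastLoaded = $null
    if ($loaded.Count -gt 0) { $lastLoaded = $loaded[$loaded.Count - 1] }
    New-Object PSObject -Property @{
        LoadedCount = $loaded.Count
        LastLoaded  = $lastLoaded
        NotLoaded   = @($notLoaded)
    }
}

$summary = Get-BootLogSummary -Lines (Get-Content -Path $LogPath)
"Drivers loaded in last session : $($summary.LoadedCount)"
"Last driver loaded             : $($summary.LastLoaded)"
"Drivers that did not load      : $($summary.NotLoaded.Count)"
$summary.NotLoaded | ForEach-Object { "  $_" }
```

As the reply above says, a "Did not load driver" line is not an error by itself; compare the last-loaded driver across a good and a bad boot of the same machine to see whether the kernel-mode phase completed.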
 
Run5kCommented:
I have one more thing for you to double-check.  Earlier today, one of my protégées was being a bit too proactive at locking down a file server.  She went into the local Computer Management interface and modified the Users group by removing NT AUTHORITY\INTERACTIVE.  When we went to load a patch on that server this afternoon, we tried to log in and simply saw a black screen with the mouse cursor.  Once we used the remote Computer Management interface from another computer and added NT AUTHORITY\INTERACTIVE back into the local Users group, everything returned to normal.
0
 
PMP_AdminAuthor Commented:
Close but no cigar. Two problems with that theory: it's a domain controller, so no local users and groups, and I cannot launch Taskman like the article says.

Good try though. You said you had this happen in a domain environment?

I do not have that user in any of my 2008 server installations. You are saying that you added this user into the local users and groups, correct? Are you using R2? I just built a fresh load and do not have that user on a standalone server.
0
 
Run5kCommented:
Yes, we are using Windows Server 2008 R2, but in this regard it shouldn't be any different from Server 2008.

Our machine is part of a domain, and as a result the NT AUTHORITY\INTERACTIVE account should be in the Users group (along with NT AUTHORITY\Authenticated Users) by default.  As I mentioned in my previous post, one of our new co-workers removed both of them from the Users group so we needed to add them back in again.
0
 
David Johnson, CD, MVPOwnerCommented:
Restore from a backup as per my original suggestion. Irreparable harm has been done to the O/S.
0
 
Run5kCommented:
Ultimately, I would tend to agree with the advice offered by Johnb6767 and Ve3ofa throughout the last two months.

There isn't anything inherently wrong with customizing the security settings on your Windows operating systems.  However, I think that this scenario along with the one I described earlier where my protégée was a bit too proactive locking down a file server clearly illustrate that it is possible to take things a bit too far to the detriment of standard Windows functionality.

We have had a few of the best Windows experts in the EE community chiming in on this one, and also had the moderators send out a pair of e-mail notifications to enlist additional help.  Unless someone else chimes in with a last-minute epiphany, I'm afraid that it may be time to consider an operating system restore or wipe/reload.
0
 
PMP_AdminAuthor Commented:
I have already rebuilt these systems; luckily this was all in a test environment.  I am now attempting to find the thorn that caused the issue. There is no interactive user in 2008; it must be new to R2.

And once again these were all customer requirements. I was able to take the GPO settings above and put them in my new environment with no issues, so as you can imagine I am curious what caused this and would like to be able to fix it if it happens again. This is why we built this in a test environment.

So this is going unsolved. Thanks for the ideas, guys.
0
 
PMP_AdminAuthor Commented:
another unsolved mystery
0
 
Run5kCommented:
"There is no interactive user in 2008 - must be new to R2" - PMP_Admin

Just to clarify a bit further, no, it isn't new to Server 2008 R2.  In fact, NT Authority\Interactive has been present in the local Users group since the dawn of the Windows XP era (see the screen shot below).  Here is an old TechNet article that may help explain things:

http://technet.microsoft.com/en-us/library/bb457115.aspx

[Screenshot: WinXP Users Group]
0
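The two posts above describe the same cause (NT AUTHORITY\INTERACTIVE removed from the local Users group) and its fix. This added PowerShell script (not from the thread or its posters) checks whether the identities Windows puts in that group by default are still present; it uses the ADSI WinNT provider so it runs on Server 2008 / Windows 7 PowerShell 2.0 and can be pointed at another machine over the network, as Run5k did with remote Computer Management. The -ComputerName parameter is an assumption.

```powershell
# Added example: confirm the default well-known members of the local Users group.
param([string]$ComputerName = '.')

function Test-LocalUsersGroupDefaults {
    param([string]$Computer)
    # A domain controller has no local SAM; against a DC the provider answers
    # with the domain's Builtin\Users group instead (the situation the poster hit).
    $group = [ADSI]"WinNT://$Computer/Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object whose AdsPath looks like WinNT://NT AUTHORITY/INTERACTIVE
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })
    $expected = 'NT AUTHORITY/INTERACTIVE', 'NT AUTHORITY/Authenticated Users'
    $missing  = @($expected | Where-Object { $members -notcontains $_ })   # case-insensitive
    foreach ($id in $missing) {
        Write-Warning "$id is missing from the Users group on $Computer (the symptom described above was a black screen with only the cursor)"
    }
    # Remediation once confirmed, on the affected machine or via remote Computer Management:
    #   net localgroup Users "NT AUTHORITY\INTERACTIVE" /add
    return ($missing.Count -eq 0)
}

Test-LocalUsersGroupDefaults -Computer $ComputerName
```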
