Vista reboots after logon

MobileTechie (UK)
I've a Vista machine in. Customer had a virus and let a friend sort it out. Result is it no longer works.

It boots to login fine but whichever profile account you select it reboots. I don't mean crashes and resets but actually says "windows is shutting down" and reboots properly. On one account it got as far as the wallpaper showing and an error message saying explorer.exe needed to close because of a problem. Closing this message triggered the reboot. So clearly something to do with explorer.exe.

Safe mode doesn't even get to login and just reboots towards the end.

System restore won't complete on the 3 different points I've tried. SFC via ERD disk won't run (I'm finding this a lot). Offline scan shows no viruses. Disk test shows no disk problems. Offline Chkdsk shows no file system errors. I can see some Found folders indicating that there has been previous corruption and some of it I'd date as being recent enough to be the amateur fixer's efforts.

So I'm guessing we're looking at damage to the registry or system files.

I tried reg restore wizard but it wouldn't find any restore points even though the ERD found some as previously mentioned.

So I'm thinking maybe to replace explorer.exe with a known good copy? However I've not done it for a while. With XP it was easy to use Expand in recovery console but I can't remember what the process is with Vista. I seem to remember having to mount the WIM on another machine, extract all the files and copy the ones needed over on a USB but surely there is an easier way than that?

Another question: anyone know what will happen if you run SFC on say a Windows 7 machine pointed at the mounted Vista disk? Will it refuse it, mess it up with Windows 7 files or recognise the OS and ask for a Vista disk if it needs files?
 
Check the shell and Userinit registry values @

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and make sure "Shell" is set to "Explorer.exe" and "Userinit" is set to "C:\WINDOWS\system32\userinit.exe," (Comma intended).

Disclaimer: These are the correct values on an XP machine, I don't have a Vista machine readily available to confirm.
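An added example of doing that check without booting the machine (my code, not anything posted in the thread): from a repair PC with the dead disk slaved (or a WinPE that has PowerShell), load the offline SOFTWARE hive and each profile's NTUSER.DAT under a temporary key and compare the Winlogon values. The drive letter E: and the temporary key names OFFSW/OFFUSR are assumptions; it must run from an elevated prompt because `reg load` requires it.

```powershell
# Added example, not code from anyone in the thread. Checks the Winlogon values of an
# OFFLINE Windows installation by loading its registry hives under temporary keys.
# Assumptions: the dead system's disk is slaved as E:, this runs elevated on a repair PC
# (or a WinPE that has PowerShell), and reg.exe is available as it is on every Windows.
$OfflineRoot    = 'E:\'
$OfflineWindows = Join-Path $OfflineRoot 'Windows'

# What a clean XP/Vista/7 system has. The drive letter inside Userinit belongs to the
# original system, so it is matched loosely; the trailing comma is normal.
$Expected = @{
    Shell    = '^explorer\.exe$'
    Userinit = '^[a-z]:\\windows\\system32\\userinit\.exe,$'
}

function Invoke-WithOfflineHive {
    # Loads $HiveFile as HKLM\$MountName, runs $Action with the provider path, then unloads.
    param([string]$HiveFile, [string]$MountName, [scriptblock]$Action)
    & reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg load failed for $HiveFile (not elevated, or already loaded?)"; return }
    try { & $Action "HKLM:\$MountName" }
    finally {
        # The registry provider caches key handles; release them or reg unload fails.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Machine-wide values (the ones discussed above), from the SOFTWARE hive.
Invoke-WithOfflineHive (Join-Path $OfflineWindows 'System32\config\SOFTWARE') 'OFFSW' {
    param($root)
    $wl = Get-ItemProperty -Path "$root\Microsoft\Windows NT\CurrentVersion\Winlogon"
    foreach ($name in $Expected.Keys) {
        $actual = [string]$wl.$name
        if ($actual -match $Expected[$name]) {
            Write-Host ("OK       {0,-8} = {1}" -f $name, $actual)
        } else {
            # Anything appended here (e.g. "explorer.exe, C:\x\y.exe") runs at every logon.
            Write-Warning ("{0} = '{1}' does not match expected pattern {2}" -f $name, $actual, $Expected[$name])
        }
    }
    # These Winlogon values do not exist on a clean system; anything present is worth a look.
    foreach ($name in 'AppSetup', 'Taskman', 'GinaDLL') {
        $p = $wl.PSObject.Properties[$name]
        if ($p) { Write-Warning ("Unexpected Winlogon value {0} = {1}" -f $name, $p.Value) }
    }
}

# Per-user overrides: a Shell or Userinit value under a profile's own Winlogon key is
# honoured for that account only and is absent on a clean profile.
foreach ($ntuser in Get-ChildItem (Join-Path $OfflineRoot 'Users\*\NTUSER.DAT') -Force -ErrorAction SilentlyContinue) {
    Invoke-WithOfflineHive $ntuser.FullName 'OFFUSR' {
        param($root)
        $key = "$root\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path $key)) { return }
        $wl = Get-ItemProperty -Path $key
        foreach ($name in 'Shell', 'Userinit') {
            $p = $wl.PSObject.Properties[$name]
            if ($p) { Write-Warning ("{0}: per-user {1} = {2}" -f $ntuser.FullName, $name, $p.Value) }
        }
    }
}
```

The per-user loop matters for a "reboots on every account" symptom only if it shows nothing: a per-user Shell would normally affect one profile, so a clean result there points back at the machine-wide values or at the binaries themselves.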
 
Have you tried the start up repair from MSDaRT? Does this computer have a Recovery option during the start up. If so try the Boot Repair.

How far does it go in Safe Mode? (Which driver does it stop on, if any, before it reboots?)

I'm not trying to insult you. I see you post on here a lot and you seem knowledgeable. But you didn't say so I just wanted to clarify.

Also try Hirens or UBCD4Win to boot to MiniXP then try the SFC. (I haven't done this yet so not sure if it will work or not.)
 
> Check the shell and Userinit registry values @
>
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> and make sure "Shell" is set to "Explorer.exe" and "Userinit" is set to "C:\WINDOWS\system32\userinit.exe," (Comma intended).
>
> Disclaimer: These are the correct values on an XP machine, I don't have a Vista machine readily available to confirm.

Sorry should have said - I already checked the Winlogon key and it's normal.

It does look like that in Vista and 7 too by the way!
 
> Have you tried the start up repair from MSDaRT? Does this computer have a Recovery option during the start up. If so try the Boot Repair.
>
> How far does it go in Safe Mode? (Which driver does it stop on, if any, before it reboots?)
>
> I'm not trying to insult you. I see you post on here a lot and you seem knowledgeable. But you didn't say so I just wanted to clarify.
>
> Also try Hirens or UBCD4Win to boot to MiniXP then try the SFC. (I haven't done this yet so not sure if it will work or not.)

If I'm unintentionally insulted I'll let you know by reacting badly and becoming abusive so don't worry ;)

In safe mode it hangs around a bit at crcdisk.sys, gives you a mouse pointer on a black screen and then reboots.

Yes tried the startup / boot repair options on the installation and on the DART disk several times to no effect I'm afraid.
 
Load up Autoruns and run it on the slaved drive, see what turns up. Have you run any scans to determine if the malware is completely gone? Could turn out that it's not all gone, a driver is infected (idea influenced by not getting through to safe mode), or it could have had some file infector on there.
 
Also check for 0 byte drivers (malicious, and not completely/properly removed) located in the system32/drivers folder. Never had this problem myself, but remember seeing someone post about it on technibble one time.

Also, a fixmbr might be worth a shot...had similar issues with a boot sector virus a while back...not exact symptoms, but similar.

Regarding replacing explorer.exe, you might want to just grab the file off another running system which has the same service pack level. Easiest way I've found anyway. I know Vista discs have the system files in a .WIM image or something, so I'm not sure how to get them out manually from the disc.
 
> In safe mode it hangs around a bit at crcdisk.sys, gives you a mouse pointer on a black screen and then reboots.

Doesn't appear to be hanging on any drivers because that driver should be the last one it loads.

So I would go with the other suggestions. Boot to a live CD and check for any 0 byte drivers (I'm not guessing this is it because safe mode appears to load all the drivers before it reboots, but it's worth a try). Check all the autorun reg keys. You may be able to find something there.

What iisjman07 said I have never gotten to work. Maybe I haven't played around with it enough.
 
I'm fairly sure it's virus free. All offline scans have proved negative. I can't see anything suspicious in the drivers folders so far, certainly nothing with zero bytes size.
 
> SFC won't run from your Vista disc?
>
> Have you looked at the sfc log?
> Maybe rename it, like CBSLOG.old or something and retry the scan.
> Maybe try just the verify scan, sfc /VERIFYONLY

Good ideas. I'll see how they work out. I've had quite a few computers not allow the SFC scan from the Vista disk.
 
> Sorry should have said - I already checked the Winlogon key and it's normal.
>
> It does look like that in Vista and 7 too by the way!
You could be right; it could be a corrupted explorer binary that was put in place by the malicious software. I don't know off the top of my head the easy way to replace it, but I'm sure there is something on the internet about it. Have you tried manually copying in the default registry? You could do that to at least isolate it to a registry issue.
 
If there is a Vista install disc available, fixing the boot files (fixmbr and fixboot) would be worth giving a shot...wouldn't it?
 
> If there is a Vista install disc available, fixing the boot files (fixmbr and fixboot) would be worth giving a shot...wouldn't it?

It's booting fine so I doubt it. The only reason you'd use fixmbr in this situation is to rule out a bootkit.
 
> So I'm thinking maybe to replace explorer.exe with a known good copy? However I've not done it for a while. With XP it was easy to use Expand in recovery console but I can't remember what the process is with Vista. I seem to remember having to mount the WIM on another machine, extract all the files and copy the ones needed over on a USB but surely there is an easier way than that?

Looks like loading install.wim with 7-Zip File Manager may be the way to go. Did you ever get sfc to work, did the log give you any information?


Since someone messed it up before you got it, have you looked at the files that have been recently created or modified?
I think there is a dir command to list all files recently modified but I can't remember it. The dir command to list files in order of creation to a file is:
dir c:\ /a /q /o:-d > c:\newfiles.txt


Have you checked explorer.exe and userinit.exe to see if they are the right ones (date, size, company, etc.)?
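An added example (my code, not anything from the thread) that does the triage suggested in the last few posts from a repair PC with the dead disk slaved: lists zero-byte drivers, lists recently written or created files under System32 newest first, and compares the logon binaries with the same files on a clean install at the same service pack, which is the route suggested earlier for getting a known good copy. The drive letters E: (dead system) and R: (reference install, e.g. a VM's disk or the repair PC's own C:\Windows if it is the same build) and the 30-day window are assumptions.

```powershell
# Added example, not code from anyone in the thread. Triage of an OFFLINE Windows install
# against a clean reference install at the same service pack level.
# Assumptions: dead system slaved as E:, reference install at R:\Windows, 30-day window.
$Offline   = 'E:\Windows'
$Reference = 'R:\Windows'
$Days      = 30

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4; this works on the PowerShell 2 found on Vista/7-era PCs.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

# 1. Zero-byte drivers: a .sys truncated by a botched cleanup is still referenced by its
#    service entry and will fail to load.
Get-ChildItem (Join-Path $Offline 'System32\drivers') -Filter *.sys -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Length -eq 0 } |
    ForEach-Object { Write-Warning ("Zero-byte driver: {0}" -f $_.FullName) }

# 2. Recently written OR created files under System32, newest first. This is the
#    PowerShell equivalent of "dir /a /o:-d" but shows both timestamps, since a dropped
#    file can carry an old modified time and still have a fresh creation time.
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem (Join-Path $Offline 'System32') -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, CreationTime, Length, FullName |
    Format-Table -AutoSize

# 3. Logon-path binaries: compare size, version resource and SHA-256 with the reference.
#    Get-AuthenticodeSignature is not useful for this: these files are catalog-signed and
#    the offline system's catalogs are not registered on the repair PC, so they would all
#    show as NotSigned regardless of whether they are genuine.
$core = 'explorer.exe', 'System32\userinit.exe', 'System32\winlogon.exe', 'System32\ntdll.dll'
foreach ($rel in $core) {
    $a = Get-Item (Join-Path $Offline $rel)   -ErrorAction SilentlyContinue
    $b = Get-Item (Join-Path $Reference $rel) -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "$rel is missing on the offline system"; continue }
    if (-not $b) { Write-Warning "$rel is missing on the reference, cannot compare"; continue }
    $same = ($a.Length -eq $b.Length) -and
            ($a.VersionInfo.FileVersion -eq $b.VersionInfo.FileVersion) -and
            ((Get-Sha256Hex $a.FullName) -eq (Get-Sha256Hex $b.FullName))
    $status = if ($same) { 'MATCH  ' } else { 'DIFFERS' }
    "{0} {1,-24} {2,9} bytes  ver {3}  {4}  modified {5}" -f $status, $rel, $a.Length, $a.VersionInfo.FileVersion, $a.VersionInfo.CompanyName, $a.LastWriteTime
}
```

DIFFERS means "look closer", not "infected": a hotfix applied to one install and not the other also changes the hash and version string, so compare the version strings shown before reaching for the copy on the reference machine.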
 
> Looks like loading install.wim with 7-Zip File Manager may be the way to go. Did you ever get sfc to work, did the log give you any information?
>
> Since someone messed it up before you got it, have you looked at the files that have been recently created or modified?
> I think there is a dir command to list all files recently modified but I can't remember it. The dir command to list files in order of creation to a file is:
> dir c:\ /a /q /o:-d > c:\newfiles.txt
>
> Have you checked explorer.exe and userinit.exe to see if they are the right ones (date, size, company, etc.)?

Well I'm getting somewhere.

Your idea about the sfc log was spot on. I deleted the old sfc log and ran it again from the DaRT disk and it failed. The new log file created said it couldn't run because a repair was in process. I guessed this might be a Windows update in progress and so I deleted the pending.xml file and this worked, enabling sfc to run successfully on the next try. It repaired one dll file. This also allowed Windows to start without rebooting, although explorer.exe is still broken and you cannot do anything. If I try to start a process from task manager then that freezes up. However the explorer.exe error is providing more information now and specified a problem with the ntdll.dll file.

I'm aware of the WIM extraction and I've done this before. I was hoping for a nice quick method as per XP but it doesn't appear to exist. I've installed the same version of Vista on a VM so I have a reference system and can just as easily transfer files from there.

So next step I'll take is to see if any of this allows system restore to work since if it does it might solve it all in one fell swoop. Failing that, I'll replace ntdll.dll and have a look around at the mod dates etc.
 
If the ntdll.dll is not damaged then the error may be caused by a third party application loading at start up. Try booting into safe mode and/or hold down the shift key after log in and until the desktop icons appear.
 
Already tried safe mode pretty much at every point in the process. It makes no difference so it's definitely a core Windows thing.

I think it's a lost cause to be honest. Replacing the files in question doesn't make any difference.

I can't invest any more time in it. I've already put way too much in just for personal interest and pride.

Still - some of this will certainly come in handy later I'm sure.

Shame they did away with the repair install, or at least the ability to do it from a boot CD. I wonder if it's possible to approximate it with a PE disk and a script basically copying over system files like drivers and dlls? What other files would need to be copied over I wonder? Seems like a good project to work on since if it worked it could be very handy.
 
I know what you mean I hate to give up but time is money. I was hoping now that you had windows starting that whatever was causing the dll error would not load in safe mode.


> Shame they did away with the repair install, or at least the ability to do it from a boot CD.
How To Perform a Repair Installation For Vista
http://www.vistax64.com/tutorials/88236-repair-install-vista.html


Did you try "Startup Repair" from the System Recovery options menu?
http://www.vistax64.com/tutorials/91467-startup-repair.html


Did you try "Repair your computer" from the Vista installation?
http://maximumpcguides.com/windows-vista/repair-windows-vista/
 