
File Shredder software causes KSOD - Possibly registry related?


1 reply to this topic

#1 JayBroni


Posted 17 September 2014 - 01:42 PM

I'll try to make this post as all encompassing as possible. I have literally spent hours reading forums and trying to fix this. I was able to boot from UBUNTU and backed up all my documents. However I would like to avoid having to re-install Windows if at all possible as I have years of programs, settings, etc that would be lost. There has to be a solution out there somewhere.

 

System: Windows 7 Home Ed. 64bit

 

Problem: KSOD on login. Black screen of Death with moving cursor.

 

Problem Caused by: A file shredder program I downloaded. I ran a file shredder program on my recycling bin. The program kicked back an error message stating that not all items could be deleted and that they would be deleted upon system restart. Restarted the system = KSOD. This was not caused by a virus or malware.

 

Issues: Cannot boot windows regularly OR in safe mode, thus cannot attempt any solution using ctrl+alt+del / explorer.exe. Cannot even get sticky keys to come up at login. System goes through the normal process of starting up (windows logo shows up, etc) but pends indefinitely right before user login screen.

 

Solutions Attempted: F8 at startup - Ran every option including Last Known Good Config, Low Res Graphics, etc. Also ran every option in Repair Mode. Startup Repair...comes back with "windows cannot automatically repair problem". In the command prompt, ran DSKCHK and came back with no problems. Ran sfc /scannow and no problems were detected. Did not attempt system restore as unfortunately, the only restore point exists in 2011, which would essentially end up being the same as a re-install.

 

Conclusion: From what I've been able to gather, the shredder program created a task to be run upon restart. I believe it added the task to C:\Windows\Tasks. I deleted the task(s) in question, however it appears the program wrote to the registry and that is where the problem lies. The fact that sfc /SCANNOW and DSKCHK came back normal and the fact I have been able to access the hard disk and back up all personal docs says to me that this is not a corrupt hard disk issue or a corrupt system file issue.

 

I have attached my ntbtlog.txt log to show what drivers are and aren't loading at startup.

 

I've also downloaded and run FRST from the forum here and I have attached that log as well. Mod Edit: FRST data removed, not allowed/used in this forum, used for malware issues and such are not addressed in this forum - Hamluis.

 

I believe part of the problem may lie in the last item of the Registry (whitelisted) : "GroupPolicyUsers\S-1-5-21-338922759-1711156823-1435235650-1003\User: Group Policy restriction detected <======= ATTENTION". Could this be causing it? Is there a way to remove the restriction? I know these "S-1-5-x" folders were showing up when I was wiping the recycle bin.

 

Finally I've attached my pending.xml item where the "rpcss.dll" is referenced. I'm not sure how to read this file but I have read where the "rpcss.dll" file can cause KSOD issues. FYI, I removed the pending.xml file from the Windows\winsxs\ folder (was told this was a possible solution) but it did not help.

 

I'm not well versed with understanding the registry, but I do know how to edit it and can access regedit through the command prompt in recovery mode so hopefully someone has a solution for me! At my wits end here! Thanks in advance.


Edited by hamluis, 17 September 2014 - 04:25 PM.



 


#2 JayBroni


Posted 17 September 2014 - 01:43 PM

Evidently I can't attach any files! Here are the pastes for the various files I referenced. Sorry for the long post!

 

Pending.xml:

 

<PendingTransaction Identifier="39f3c0d49cc7cf01fa3400003053900e" Repair="true" Version="3.1">
  <Repaired>
    <Component Identity="Microsoft-Windows-COM-Base-QFE-RPCSS, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS" Flags="0x00000000"/>
  </Repaired>
  <POQ>
    <MoveFile source="\SystemRoot\WinSxS\Temp\PendingRenames\11b9add49cc7cf01f73400003053900e._0000000000000000.cdf-ms" destination="\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"/>
    <MoveFile source="\SystemRoot\WinSxS\Temp\PendingRenames\3207aed49cc7cf01f83400003053900e.$$.cdf-ms" destination="\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"/>
    <MoveFile source="\SystemRoot\WinSxS\Temp\PendingRenames\3082bed49cc7cf01f93400003053900e.$$_system32_21f9a9c4a2f8b514.cdf-ms" destination="\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"/>
    <HardlinkFile source="\SystemRoot\WinSxS\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll" destination="\??\C:\Windows\System32\rpcss.dll"/>
    <DeleteKeyValue path="\Registry\Machine\COMPONENTS" name="RepairTransactionPended"/>
  </POQ>
</PendingTransaction>

 

The ntbtlog.txt seemed too long to post, but lmk if it is needed. Thanks!


Edited by hamluis, 17 September 2014 - 04:27 PM.
Removed FRST data - Hamluis.
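
One way to read the pending.xml paste above, as an added example that is not part of the original posts: this Python script lists the operations queued under `<POQ>` and marks file operations whose destination lies outside WinSxS. The function names and the `live_file` flag are this example's own; the XML is copied from the post, with the split Component line joined.

```python
import xml.etree.ElementTree as ET

# XML copied from the post above (the split Component line is joined).
PENDING_XML = r"""<PendingTransaction Identifier="39f3c0d49cc7cf01fa3400003053900e" Repair="true" Version="3.1">
<Repaired>
<Component Identity="Microsoft-Windows-COM-Base-QFE-RPCSS, Culture=neutral, Version=6.1.7600.16385, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS" Flags="0x00000000"/>
</Repaired>
<POQ>
<MoveFile source="\SystemRoot\WinSxS\Temp\PendingRenames\11b9add49cc7cf01f73400003053900e._0000000000000000.cdf-ms" destination="\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"/>
<MoveFile source="\SystemRoot\WinSxS\Temp\PendingRenames\3207aed49cc7cf01f83400003053900e.$$.cdf-ms" destination="\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"/>
<MoveFile source="\SystemRoot\WinSxS\Temp\PendingRenames\3082bed49cc7cf01f93400003053900e.$$_system32_21f9a9c4a2f8b514.cdf-ms" destination="\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"/>
<HardlinkFile source="\SystemRoot\WinSxS\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll" destination="\??\C:\Windows\System32\rpcss.dll"/>
<DeleteKeyValue path="\Registry\Machine\COMPONENTS" name="RepairTransactionPended"/>
</POQ>
</PendingTransaction>"""


def parse_identity(identity):
    """Split a Component Identity string into its name and key=value fields."""
    name, *pairs = [p.strip() for p in identity.split(",")]
    return name, dict(p.split("=", 1) for p in pairs if "=" in p)


def summarize(xml_text):
    """Return the transaction id, repaired components and queued operations."""
    root = ET.fromstring(xml_text)
    poq = root.find("POQ")
    ops = []
    for el in (poq if poq is not None else []):
        dest = el.get("destination")
        # File operations carry source/destination; registry ones carry path/name.
        target = dest or "{}\\{}".format(el.get("path"), el.get("name"))
        ops.append({"op": el.tag, "source": el.get("source"), "target": target,
                    "live_file": dest is not None and "\\winsxs\\" not in dest.lower()})
    return {"id": root.get("Identifier"), "repair": root.get("Repair") == "true",
            "components": [parse_identity(c.get("Identity", "")) for c in root.iter("Component")],
            "ops": ops}


if __name__ == "__main__":
    s = summarize(PENDING_XML)
    print("transaction", s["id"], "repair =", s["repair"])
    for name, fields in s["components"]:
        print("component  ", name, fields.get("Version"), fields.get("ProcessorArchitecture"))
    for o in s["ops"]:
        print("{:<15}{} {}".format(o["op"], "*" if o["live_file"] else " ", o["target"]))
```

Lines marked `*` in the output are file operations that write outside the WinSxS store; in this paste that is only the hardlink to `C:\Windows\System32\rpcss.dll`.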




