XP Boot Issues After Data Recovery


11 replies to this topic

#1 Mondrian


Posted 25 September 2014 - 12:04 PM

I am a Data Recovery technician and a machine was recently brought to me that I am stuck on. This is a machine that was configured for backups, but the backups were not being performed correctly, and the important data is within a SQL DB so it is imperative that I get this machine booting again.

 

The machine is a Dell XP Home machine. When it first came to me it would not boot, with a 'HAL.DLL is missing' error. The HDD was failing pretty fantastically but recovery was possible. Standard DR techniques allowed us to get a great amount of the data back, but about 10K LBAs had to be read without error correction, a process that reads about 10 times and then writes the average of these reads to the destination disk. After DR, I ran CHKDSK on the drive, which (as expected) had a lot of errors to fix. This is where things got interesting. The system still would not boot, with a 'HAL.DLL is missing' error. Upon further inspection, the *entirety* of the system32 folder, the main User folder, the entire Registry, along with some miscellaneous other folders, were relocated to the FOUND.000 folder after CHKDSK. It is a reasonable assumption that much of the system32 folder was corrupted, and through trial and error on boot BSODs, and restoring individual system files through recovery console/WinPE, I was able to get the splash screen back.

 

Using REGEDIT PE, I am able to mount every registry hive except for SOFTWARE and DEFAULT, and both the SOFTWARE and DEFAULT hives in the %systemroot%/REPAIR directory can be mounted, leading me to believe these are not corrupted. Ideally, I would be able to run a repair install to get the system files back to a stable state. I am very aware that there is a real possibility that the Program has little chance of actually running after this machine boots, but I hope to at least give it everything I've got. The problem is that the XP install CD does not give the option to repair the installation. At first it did not recognize an installation at all, but currently the repair install process hangs at 'Searching for Windows installations...' and will just sit there as long as you do. It's not a very fun staring contest.

 

Where the system is now: Currently, I have the system in a state where all registry hives are mountable by REGEDIT PE. The system boots past the XP splash screen, flickers between backlit/dark like it is trying to initialize display drivers/GUI, then BSODs with 'the windows logon process terminated unexpectedly with a status of 0x135'. This happens in both regular boot and Safe Mode (last driver displayed is mup.sys). I have replaced the winlogon.exe file from an XP CD, but have the same problem. My hope is that I will be able to at least get this machine to repair install, or to boot on its own so I can do some digging within the OS to the extent of the damage. I have lurked BleepingComputer for quite a while and really enjoyed the cryptolocker discussions, hoping you guys might be able to help in this situation too.


Edited by Mondrian, 25 September 2014 - 12:06 PM.



#2 old rocker


Posted 25 September 2014 - 01:39 PM

Hi

 

Have a look here

http://support2.microsoft.com/kb/307545

 

Refer to the section titled More information

 

If you have a Linux disk lying around you can cut the process time in half, using copy/paste, delete, rename, etc.

 

Best of luck and please, Keep BC posted



#3 Mondrian


Posted 25 September 2014 - 02:07 PM

This was the %windir%/REPAIR option I mentioned trying. There are a couple of corrupted hives in the config folder. Restoring from the REPAIR directory makes no difference. 

 

Also, it is to note that there are no backups of the registry in any system restore (System Volume Information) folders. 

 

I have started verifying corruption of some of the system files dealing with winlogon. Winlogon.exe, csrss.exe and msgina.dll have all been md5 verified. It could be a permissions issue from creating the folders that did not exist?

 

If I had to narrow it down, really the main questions are: 

1) Is there any way to verify system files offline on XP? SFC does not run in recovery console. 

2) What is necessary for an XP install CD to recognize a Windows installation in order to perform a repair install?

3) What is wrong with the system in the first place that is causing the 'Windows Logon process terminated unexpectedly' BSOD?

4) Is there any way to repair the permissions of system folders offline in XP? I know you can use cacls to hit them individually, but is SYSTEM the only account that needs access to everything? 

 

I really really do enjoy these problems. They're all like little puzzles, and once you put the right piece in and finally get to that boot screen it's like angels singing. 


Edited by Mondrian, 25 September 2014 - 02:52 PM.


#4 JohnC_21


Posted 25 September 2014 - 03:02 PM

1) In XP you can run sfc /scannow offline.

 

http://lifehacker.com/5597854/use-system-file-checker-to-repair-your-unbootable-windows-pc

 

2) Could be a bad file system, but look for these files on the root of C: boot.ini, ntdetect.com and ntldr (hidden files).


Edited by JohnC_21, 25 September 2014 - 03:07 PM.


#5 Mondrian


Posted 25 September 2014 - 03:05 PM

According to the exact article you linked, you cannot do this in XP. The title mentions Vista and 7, the comments say you cannot do in XP. 

 

Are you suggesting I can use /offbootdir and /offwindir in Win7 on an XP installation?



#6 JohnC_21


Posted 25 September 2014 - 03:11 PM

Yea, sorry about that. You are right. This is only available in Windows Vista and Win7.

 

Edit: Bluescreening like that could be due to a driver problem. Does the computer still bluescreen in safe mode?

 

One thing I don't understand is that the computer boots to the XP login screen but yet the OS is not recognized for repair install.

 

I would suggest you take a look at this article. It may let XP get to a state where it is recognized for the repair.


Edited by JohnC_21, 25 September 2014 - 03:17 PM.


#7 Mondrian


Posted 25 September 2014 - 03:17 PM

No problem, I'm grasping at straws on this one and will take all of the help I can get :)



#8 old rocker


Posted 25 September 2014 - 03:57 PM

Follow

http://michaelstevenstech.com/XPrepairinstall.htm

 

For repair install instructions.

 

Hopefully you will find the right straw!



#9 Mondrian


Posted 25 September 2014 - 04:10 PM

Yup. That is surely what I want to do. Unfortunately after you press F8 to accept the EULA, Setup will search for current windows installations. Setup does not find any current win installations and proceeds to the 'install the operating system' screen. I can boot into the recovery console, where it correctly identifies the Windows installation, but I cannot run repair install because I am not given the option. 

 

I have also gone through all of the steps listed in the WARNING #2 section of that tutorial, all to no avail. 

 

I have actually found this post: http://animaltracker.wordpress.com/2010/07/31/stop-c000021a-fatal-system-error-status-of-0xc0000135-the-solution/

 

Which describes someone in the exact same situation and indicates that the BSOD could be caused by either corrupted or missing DLL files. It seems extremely likely that this is what is going on with this machine, especially after the entirety of the system32 folder was in FOUND.000 after CHKDSK. 

 

My next step is to install XP Home SP3 to a new HDD, copy the contents of system32 to a flash drive, and add (not overwrite) any missing files into the corrupted OS. Will update when finished. Let me know if you guys have any thoughts in the meantime. 



#10 old rocker


Posted 26 September 2014 - 09:41 AM

Let's go back for a minute. When you attempt a repair install you do not see the original windows installation?
Please try the following in the order listed.

1. Boot the Windows Recovery Console, answer the prompts and get to the C:\> prompt, then type dir/a/p. By pressing the spacebar you should be able to page through the whole C drive.

2. At the C:\> prompt, type fixmbr (no specifics necessary)
acknowledge your intentions.

3. At the C:\> prompt, type fixboot (no specifics necessary)
acknowledge your intentions.

4. At the C:\> prompt, type chkdsk /r (/r implies /f if scan is not used)
acknowledge your intentions.

5. When completed, reboot the system with the XP cd. Attempt a repair install of Windows XP. (see if it now identifies the existing installation partition).

If yes... attempt the repair install.

 

If no... proceed with a parallel install of Windows XP
http://support2.microsoft.com/kb/978307 method 4
(in some cases the existing installation is miraculously identified, don't ask me why).



#11 Mondrian


Posted 01 October 2014 - 03:16 PM

Touching base again because I resolved the problem, and wanted to update the results for anyone else going through the same issue. 

 

I have gone through many steps outlined above before I got to this Stop error: 

 

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000135 (0x00000000 0x00000000).
The system has been shut down.

 

According to the link in the previous post, I found out that this could be due to corruptions with Winlogon/msgina. I verified these files were not corrupted and the other way you can get this BSOD is from missing dll's in the %windir%. This was the most probable problem due to the entirety of the system32 folder being moved during chkdsk. I ended up installing a new HDD, installing windows, and then adding (not overwriting) any missing files from the new win install, to the windir on the old drive. After that, rebooted to the logon screen with the old drive!

 

There were plenty of other issues following dealing with corrupted program files and the like, but the hardest part was over. I got all programs back up and working correctly, as well as *finally* configured proper backup. 

 

Thanks for the help guys!
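The fix described in this post (add missing files from a fresh install without overwriting anything) together with the earlier MD5 checks can be scripted from a recovery workstation. The following is an added example, not code from the thread: the function names are hypothetical and the sample trees are constructed stand-ins for the two system32 folders.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def md5_of(path):
    # MD5 as used in the thread: catches corruption, not deliberate tampering.
    return hashlib.md5(path.read_bytes()).hexdigest()

def compare_trees(reference, damaged):
    """Return (missing, mismatched) relative paths; names compared case-insensitively."""
    present = {p.relative_to(damaged).as_posix().lower(): p
               for p in damaged.rglob("*") if p.is_file()}
    missing, mismatched = [], []
    for ref in sorted(p for p in reference.rglob("*") if p.is_file()):
        rel = ref.relative_to(reference)
        found = present.get(rel.as_posix().lower())
        if found is None:
            missing.append(rel)
        elif md5_of(found) != md5_of(ref):
            mismatched.append(rel)  # report only: could be an update or corruption
    return missing, mismatched

def add_missing(reference, damaged, missing, dry_run=True):
    """Copy files absent from the damaged tree; an existing file is never overwritten."""
    copied = []
    for rel in missing:
        dest = damaged / rel
        if dest.exists():
            continue
        if not dry_run:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(reference / rel, dest)
        copied.append(rel)
    return copied

def demo():
    """Constructed stand-ins for the two system32 folders (not real system files)."""
    root = Path(tempfile.mkdtemp())
    ref, bad = root / "fresh" / "system32", root / "old" / "system32"
    trees = ((ref, {"winlogon.exe": b"A", "msgina.dll": b"B", "drivers/mup.sys": b"C"}),
             (bad, {"WINLOGON.EXE": b"A", "msgina.dll": b"damaged"}))
    for base, files in trees:
        for name, data in files.items():
            (base / name).parent.mkdir(parents=True, exist_ok=True)
            (base / name).write_bytes(data)
    missing, mismatched = compare_trees(ref, bad)
    copied = add_missing(ref, bad, missing, dry_run=False)
    return missing, mismatched, copied, (bad / "msgina.dll").read_bytes()
```

Run `add_missing` with the default `dry_run=True` first to review the list; files reported as mismatched are left untouched and need a manual decision, since a hash difference alone does not distinguish a patched file from a damaged one.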



#12 JohnC_21


Posted 01 October 2014 - 03:33 PM

Very Nice Troubleshooting. Thanks for the update.





