HMTech.ca

I recently received a call from a client who was unable to login to Windows XP after trying to remove malware with Spybot S&D. As the computer started, it would pass the welcome screen, display the wallpaper, and then suddenly jump back to the login screen. If a user name was clicked, it would say “loading settings…” and return once again to the login screen.

I tried the following with no success:

• Starting the computer in safe mode and logging in as both the standard user and Administrator. It didn’t matter which one was selected, the problem was the same.
• Attempted to restore the registry by pressing F8 during startup and selecting “Use Last Known Good Configuration”.
• Running chkdsk from the recovery console to see if there were any errors on the disk. Errors were found and fixed, but it did not solve the problem.

I searched Google and discovered that this is quite a common problem that generally occurs after removing spyware. I figured that Spybot must have caused the problem by removing a file or changing a registry setting.

That was indeed the case. Let me explain how this problem happens.

Normally after a user logs in, Windows will execute the file pointed to by this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

The value of Userinit is normally “C:\Windows\System32\userinit.exe”. Userinit.exe is a file that manages different start up sequences.

Certain pieces of spyware will modify this registry setting to point to their own infected version of the file. If you remove the infected file with Spybot, etc., the registry then points to a file that no longer exists. Without the original file in place, you can no longer login to Windows.

THE FIX:

You need to have access to the computer’s registry to identify the value of the Userinit registry key. To do this, you’ll need a boot CD like BartPE or UBCD (Ultimate Boot CD) that includes a registry editor. The following assumes you have an UBCD.

1. Boot from the CD, and select Launch “The Ultimate Boot CD” from the menu.

*** Note: If the UBCD doesn’t load and instead Windows loads, you must configure your BIOS  to boot from the CD-ROM before the hard drive

2. Open the remote registry editor. Click Start -> Programs -> Registry Tools -> RegEdit (Remote)

*** NOTE: You will be presented with the message “Do you wish to load remote user profile(s) for scanning”. Just click NO and the registry of the local machine should load.

3. Navigate to the Winlogon folder by clicking the plus symbols beside the registry folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

4. Double click the “Userinit” key. Change it’s value to “C:\Windows\System32\userinit.exe”.  Try rebooting. If you are now able to login, you are finished. If not, the userinit.exe file may be missing or it may be corrupt in which case you will have to copy the userinit.exe file from the UBCD to your System32 directory.

5. Reboot the computer with the UBCD still in the drive.

6. This time, select to enter the Windows recovery console.You will see a blue screen as files are loaded into memory.

7. At the “Welcome to Setup” screen press the ‘R’ key to enter the Recovery Console.

*** Note: If you get an error message stating “Setup did not find any hard disk drives installed in your computer”, you will have to recreate a new UBCD with SATA drive support. To learn how to do this, click here.

8. Once you are at the recovery console, issue the following command:

copy X:\I386\System32\userinit.exe C:\Windows\System32\

“X” being the drive letter of the CD-ROM that the UBCD is in (typically D, E or F).

The file should copy successfully. Restart the computer – you should now be able to login to Windows.

Related Posts

• No Related Post

Tags: login, problem, xp

29 Responses to “Windows XP Logs out as soon as you Login”

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website