User and Admin account big troubles !

Ashanta · Nov 29, 2010

My issues :

1. Enter to BIOS

2. Little black screen when log in into a user or admin account, and when log off and log in again.

3. UAC locked.

4. SFC / scannow, stops at 99% with the following message : "Windows Resource Protection could not perform the requested operation" I disabled DEP and my hips programs like Onlin Armor ++, Zemana Antilogger, but the same scenario came up.

5. With old admin account, from time to time when entering into the Control Panel, I have the following message:

"(21EC2030-3AEA-1069-A2DD-08002B30309D) No program associated with this file"

Ashanta · Nov 29, 2010

I've just noticed that I don't have Explorer in the menu when clicking right on Start. Message : "No program associated with this file" Again the permissions...lol

Shadowjk · Nov 29, 2010

You may want to see http://www.vistax64.com/tutorials/83196-default-programs-program-default-associations.html?ltr=D For More Information

If this Helps at all, If you follow the Tutorial Then you should be able to Open the Program you wanted to Though If you have Messed with the Registry the Outcome could be good or bad (Unlikely Bad)

Hope This Helps,
Josh

Ashanta · Nov 29, 2010

Thanks Shadowjk, With my new admin account, I don't have such troubles. Should I associated files with my new admin account ? Which files .cpl to access Control Panel ? As you know, my old admin account, I can't access to Control Panel. Sometimes, I haven't troubles to reach Control Panel.

Shadowjk · Nov 29, 2010

Yes do this with your Admin Account this should apply to other Users that you make

niemiro · Nov 29, 2010

Ashanta said:
My issues :

1. Enter to BIOS

2. Little black screen when log in into a user or admin account, and when log off and log in again.

3. UAC locked.

4. SFC / scannow, stops at 99% with the following message : "Windows Resource Protection could not perform the requested operation" I disabled DEP and my hips programs like Onlin Armor ++, Zemana Antilogger, but the same scenario came up.

5. With old admin account, from time to time when entering into the Control Panel, I have the following message:

"(21EC2030-3AEA-1069-A2DD-08002B30309D) No program associated with this file"

I requested help with most of this, because I am out of my depth, however the SFC is within my sphere of knowledge! This can indicate a corruption in the WinSxS which can only be fixed by analysing the whole CBS.log. Please navigate to C:\Windows\Logs\CBS, and copy CBS.log to your Desktop. Right click > Send to > Compressed (zipped) archive, and upload it here for analysis.

Thanks!

Shadowjk · Nov 29, 2010

Or follow the Tip Box At the top of this tutorial Made by Brink

See http://www.vistax64.com/tutorials/66978-system-files-sfc-command.html For More Information

Hope This Helps,
Josh

niemiro · Nov 29, 2010

Shadowjk said:
Or follow the Tip Box At the top of this tutorial Made by Brink

See http://www.vistax64.com/tutorials/66978-system-files-sfc-command.html For More Information

Hope This Helps,
Josh

It would actually be an interesting comparison. I have always been taught that the information required to fix the error is not available when parsing the log, but it would show what files were found corrupt before the failure. It would be interesting to see quite what the difference was.

Ashanta · Nov 29, 2010

Check PM Niemiro

for CBS log

If I change the key ConsentpromptbehaviorAdmin to 2 and I enter to my old admin account, I can't enter to the Control Panel (see on my previous post the error message) neither into Explorer ( it doesn't appear on the right menu of Start button). Nevertheless, I have no troubles with my new admin account to enter into Control Panel and Explorer. Why ? How can I fix this issue ? Something seems to be wrong between two admins accounts.

If I change the value of this key ConsentpromptbehaviorAdmin to 0, I have no troubles with both admins accounts. So strange, but I don't really understand. Is there Vista mistake or something to my misconfiguration in the registry ??

Ashanta · Nov 29, 2010

A.I reboot my laptop always with the key ConsentpromptbehaviorAdmin to 0 and I noticed that I can't load Control Panel and Explorer with the same message. B. I changed the value of this key to 1, I reboot and open my old admin account, and the same result than A. C. I change again the value to 0 and EnableLua to 0 , I reboot and log in to my old admin account, I can run Explorer and Control Panel. By the way, on reboot, the value of EnableLua not changed, always set up to 1. This is bizarre ! Could it be my DEP enabled ?

Ashanta · Nov 30, 2010

Ashanta said:
Here you are Niemiro, Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

"ConsentPromptBehaviorAdmin"=dword:00000002 "ConsentPromptBehaviorUser"=dword:00000001 "EnableInstallerDetection"=dword:00000001 "EnableSecureUIAPaths"=dword:00000001 "EnableVirtualization"=dword:00000001 "PromptOnSecureDesktop"=dword:00000001 "ValidateAdminCodeSignatures"=dword:00000000 "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "scforceoption"=dword:00000000 "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 "FilterAdministratorToken"=dword:00000000 "DisableRegistryTools"=dword:00000000 "EnableLUA"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats] "CF_TEXT"=dword:00000001 "CF_BITMAP"=dword:00000002 "CF_OEMTEXT"=dword:00000007 "CF_DIB"=dword:00000008 "CF_PALETTE"=dword:00000009 "CF_UNICODETEXT"=dword:0000000d "CF_DIBV5"=dword:00000011

I already changed the 'enableLUA' to set up to '0' but when I start my computer it comes again with 1 and I checked also on the Control Panel, the UAC box checked.

Niemiro, You didn't tell me anything about this. What about ? It will be interesting to check the permission and the owner of System key

Lorien · Nov 30, 2010

Hi Ashanta,

First, regarding the problems with the old administrator account, there's a good chance it is corrupted and needs to be repaired. To fix this use http://windows.microsoft.com/en-AU/windows-vista/Fix-a-corrupted-user-profile. In essence, this means creating a new user account and transferring the information from the old account to the new one. If this is the problem (as I suspect), this should resolve problems (like the one you mentioned in CP) with the old administrator account (which will actually now be your new administrator account).

============================================================

As far as BIOS goes, it may help to upgrade/flash them to the most recent version available for your computer and version of Vista and see if that restores functionality to F2 and permits access. You will need to go to the computer manufacturer's web site for information about your computer and the appropriate download and installation procedures (it varies considerably based on computer, OS, BIOS manufacturer, and other things - it cannot be guessed and it must be done the correct way with the proper version or it not only will not work but may cause additional problems - perhaps some quite severe). If you can without cost, try to talk to someone in Technical Support to verify the download and the procedure.

As Richard said, BIOS has nothing to do with the registry (access occurs before that even comes into play) - so something else is happening here. If updating doesn't work, then I would begin to suspect a problem with the F2 button on the keyboard (or the keyboard itself). Is the keyboard programmable or have you done anything to revise how the F2 key operates? If not, then I recommend you download and install updated device drivers for the keyboard (even if they are the same you already have and they show no problems) and install them and see if that resolves the problem. If you need help, just post - but from reading this thread, you seem uncommonly competent so I won't bore you with those details unless you request them (in which case, I'll be more than happy to help you however is needed). If that doesn't work, do you have any programs that use F2 for any reason so you can confirm that the key itself isn't broken?

===============================================================

Go to Start / Search box and type gpedit.msc and enter and then double-click on the program icon that appears. Go to Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options and then scroll to near the bottom of the list where there are a number of items relating to UAC. Check each one to make sure it is set properly to permit access and control - make any required adjustments. Save and exit. If you changed anything, reboot and see if UAC now functions properly. More on that can be found in this article - nearer the bottom: http://www.winsupersite.com/showcase/winvista_ff_uac.asp.

When you say UAC is locked, is this true for all accounts or only the old administrator account? If the latter, the prior revision may have resolved that problem. If all accounts and nothing in Group Policy made any difference, then the change is most likely in the registry (even though Group Policy is essential a registry modification tool but doesn't cover everything) and that will require more detailed analysis of SFC and the Registry (plus you sent the files by PM to Richard so I have no access to them to review myself). That's all I can do to help here for now.

================================================================

Regarding the little black box, this is most likely some program running or some error message occurring when that process occurs. I have no idea what it might be. To address this, we will try to gather as much information as we can about your system using a process designed for another purpose but that will serve our needs here as well. Please go to: http://www.vistax64.com/crashes-debugging/282419-blue-screen-death-bsod-posting-instructions.html and follow the instructions there - attaching the resulting files to your next post here. They may help us identify what that black box means and/or what it does and/or why it occurs (or they may not, but it's worth a try as I'm not sure how else to identify it).

Also, download Process Monitor Process Monitor and set it to run and then perform the actions that cause the black box to occur (and I hope the monitor doesn't shut down during the change though I suspect it might). Set it up to run (collect data) automatically at startup and we may capture the event anyway and thereby discover what process is running when it occurs. It's worth a shot to see if we can identify what it is and this is one of the best ways I know to do that normally (though this is admittedly a special case).

==============================================================

I tried to cover 4 of the 5 items on your list (I can't address the SFC issue without the files and even then, I have limited skills in that area).

Just so you know, I'm not "taking over for Richard"' by any means, but merely lending some assistance and offering some suggestions that I didn't notice discussed to this point. We will both be trying to assist you now - though in different ways (and others may also pitch in as well - that sometimes happens here).

I hope these suggestions help or at least help to identify the causes of the problems so we can then work on solutions.

Thank you for your assistance and cooperation - our ability to help is crippled without it.

Good luck!

Ashanta · Nov 30, 2010

1.

I don't think so it's something corrupt but instead, I feel something to do with the security and permissions (DEP enabled and others security programs). I remind you that this old admin account, 'Fleur de Vie' was working well before I run the nine steps recommended by a person from another forum (see my previous posts). For now, I've 'Secours' is the newest admin account. When I wasn't enable to enter into Fleur de Vie admin, (open and close session automatically) at that time I created a new admin with the same name Fleur de vie, then I change into 'Secours'. The location belonging were different, one is belonging to PC-WINDOWS, and the other one PC-WINDOWS/Administrateurs if I remember well.

2.
About Bios, I already flashed my Bios with the same version, last week. About F2 key, it's a good idea to test in a program to see if it's working well or not. Good idea also, to update my keyboard drivers. I will check it...

3.

I disabled UAC according to your site : http://www.winsupersite.com/showcase...sta_ff_uac.aspbut it doesn't work, always the check box is appearing.

Yes, UAC is locked for all accounts !

It's something to do with the registry. By the way, I will send you also CBS.log file by PM. If you need a back up of my registry, let me know.

4.

This is not a BSOD as it occurs only when logging into an account during a few seconds (5-15 sec) and when swapping between 2 accounts. It's like Vista has to hardly take memory ressources to load the Dekstop and all the user settings.

I'd like to thank about your help, I really appreciate it. I will waiting about Niemiro recommendation.

Check your PM

Lorien · Nov 30, 2010

Ashanta said:
1. I don't think so it's something corrupt but instead, I feel something to do with the security and permissions (DEP enabled and others security programs). I remind you that this old admin account, 'Fleur de Vie' was working well before I run the nine steps recommended by a person from another forum (see my previous posts). For now, I've 'Secours' is the newest admin account. When I wasn't enable to enter into Fleur de Vie admin, (open and close session automatically) at that time I created a new admin with the same name Fleur de vie, then I change into 'Secours'. The location belonging were different, one is belonging to PC-WINDOWS, and the other one PC-WINDOWS/Administrateurs if I remember well.

It seems corrupt to me (but I'm not certain by any means and could be wrong). Perhaps it was caused by the 9-steps or something related and perhaps it caused corruption as well as other changes - it's difficult to be sure as there's no real test for that. Security and permission issues (again possibly caused by those 9-steps) can also sometimes be resolved by treating the situation like a corrupted account even if that isn't really the case (resetting them for the new account and thus fixing the problem). The new account you created seems to work fine - so it seems new accounts are OK. This procedure is almost the same as that except you also transfer your files so you lose nothing in the process - so I have every reason to believe it would work. Still, if you prefer not to try this option, that's completely fine and entirely your decision.

Ashanta said:
2. About Bios, I already flashed my Bios with the same version, last week. About F2 key, it's a good idea to test in a program to see if it's working well or not. Good idea also, to update my keyboard drivers. I will check it...

I'm sorry if I missed that you flashed the BIOS - I did try to read everything thoroughly but that could have slipped past me. I don't guarantee the key or keyboard options will work, but since the inability to access the BIOS has limited causes and nothing to do with the 9-steps or anything you did after that as far as I could tell (and I don't think it's an infection as we have no evidence of that at this point even if I don't see where we've actually tested it), then this was one of the few possibilities I could imagine. I hope it's just drivers - that would be a convenient and simple fix as I'm not quite sure what else to try to fix the unrelated BIOS access problem.

Ashanta said:
3. I disabled UAC according to your site : http://www.winsupersite.com/showcase...sta_ff_uac.asp but it doesn't work, always the check box is appearing.

Yes, UAC is locked for all accounts !

It's something to do with the registry. By the way, I will send you also CBS.log file by PM. If you need a back up of my registry, let me know.

Group Policy essentially is a simplified way of modifying many registry values. I was simply pointing out those entries that are related so we can make sure that Group Policy isn't constantly revising the registry and undoing efforts to change things there. If you prefer not to check, that's fine - chances are that wasn't the source of the problem anyway (just an option I thought might be worth checking).

If necessary, I'll get the registry from Richard - but thanks anyway.

Ashanta said:
4. This is not a BSOD as it occurs only when logging into an account during a few seconds (5-15 sec) and when swapping between 2 accounts. It's like Vista has to hardly take memory ressources to load the Dekstop and all the user settings.

I realize it is not a BSOD problem (and even said that), but that procedure provides us with much information (dozens of files) about your system and may help us discover what that black box actually is. Just because it is used for BSOD situations does not mean that is the only time it can be valuable or only applies in such cases. I think it may be helpful here. Still, if you don't want to do it, that's your choice. At the moment, I'm not sure how else to identify it or stop it (or even if this will work - but with so much information from this process, I was hoping it would).

Forget Process Monitor - considering when it appears, I do not believe the program will be able to capture it anyway as it seems to happen before the program would be enabled.

Ashanta said:
I'd like to thank about your help, I really appreciate it. I will waiting about Niemiro recommendation.

Check your PM

I checked. Thank you. I'm sure Richard will be by when he has a chance and something to recommend. I hope you'll reconsider some of the suggestions you've decided not to try as they may help, but I can only recommend - you need to decide which to try and which to reject. We'll keep looking for some others that maybe you'll find acceptable.

Good luck!

Ashanta · Nov 30, 2010

It seems corrupt to me (but I'm not certain by any means and could be wrong). Perhaps it was caused by the 9-steps or something related and perhaps it caused corruption as well as other changes - it's difficult to be sure as there's no real test for that. Security and permission issues (again possibly caused by those 9-steps) can also sometimes be resolved by treating the situation like a corrupted account even if that isn't really the case (resetting them for the new account and thus fixing the problem). The new account you created seems to work fine - so it seems new accounts are OK. This procedure is almost the same as that except you also transfer your files so you lose nothing in the process - so I have every reason to believe it would work. Still, if you prefer not to try this option, that's completely fine and entirely your decision.

No problem, I can reconsiderate your advise. I've a question: What's happening to all my programs that were installed under this old admin account ? Are you help me to securize this new admin account, (services, gpedit,...and unneeded processes) ?

Group Policy essentially is a simplified way of modifying many registry values. I was simply pointing out those entries that are related so we can make sure that Group Policy isn't constantly revising the registry and undoing efforts to change things there. If you prefer not to check, that's fine - chances are that wasn't the source of the problem anyway (just an option I thought might be worth checking).

I did exactely what you suggested me to do according to the link you posted here to disable UAC, I checked one by one.

If necessary, I'll get the registry from Richard - but thanks anyway.

The backup I gave to Richard at that moment is old. Since I fixed a few troubles, maybe I need to give you a new one.

What about my CBS.log file ? Did you have a look ?

I realize it is not a BSOD problem (and even said that), but that procedure provides us with much information (dozens of files) about your system and may help us discover what that black box actually is. Just because it is used for BSOD situations does not mean that is the only time it can be valuable or only applies in such cases. I think it may be helpful here. Still, if you don't want to do it, that's your choice. At the moment, I'm not sure how else to identify it or stop it (or even if this will work - but with so much information from this process, I was hoping it would).

I understand better Lorien. Let me know more time to understand all what you recommended to me, thanks

Forget Process Monitor - considering when it appears, I do not believe the program will be able to capture it anyway as it seems to happen before the program would be enabled.

OK.

Ashanta said:
I'd like to thank about your help, I really appreciate it. I will waiting about Niemiro recommendation.

Check your PM

I checked. Thank you. I'm sure Richard will be by when he has a chance and something to recommend. I hope you'll reconsider some of the suggestions you've decided not to try as they may help, but I can only recommend - you need to decide which to try and which to reject. We'll keep looking for some others that maybe you'll find acceptable.

Good luck![/QUOTE]

niemiro · Nov 30, 2010

Right, here is the relevant section of the log:

Code:

POQ 57 ends.
2010-11-28 19:45:32, Info                  CSI    00000144 [SR] Verify complete
2010-11-28 19:45:32, Info                  CSI    00000145 [SR] Repairing 4 components
2010-11-28 19:45:32, Info                  CSI    00000146 [SR] Beginning Verify and Repair transaction
2010-11-28 19:45:32, Info                  CSI    00000147 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll do not match actual file [l:14{7}]"ver.dll" :
  Found: {l:32 b:CRD+1MzwCiyk0tTi8HlgmlBVUEswIVH2a2dR3FrhAqz=} Expected: {l:32 b:bQPPHjF0gUm200cl4pPF7k87193r5SYoX+e6QaHR9bT=}
2010-11-28 19:45:32, Info                  CSI    00000148 [SR] Cannot repair member file [l:14{7}]"ver.dll" of Microsoft-Windows-NTVDM-System, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-11-28 19:45:32, Info                  CSI    00000149 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[ml:24{12},l:14{7}]"ver.dll" by copying from backup
2010-11-28 19:45:32, Info                  CSI    0000014a Hashes for file member \??\C:\Windows\system\ver.dll do not match actual file [l:14{7}]"ver.dll" :
  Found: {l:32 b:CRD+1MzwCiyk0tTi8HlgmlBVUEswIVH2a2dR3FrhAqz=} Expected: {l:32 b:bQPPHjF0gUm200cl4pPF7k87193r5SYoX+e6QaHR9bT=}
2010-11-28 19:45:32, Info                  CSI    0000014b [SR] Repairing corrupted file [ml:520{260},l:42{21}]"\??\C:\Windows\system"\[l:14{7}]"ver.dll" from store
2010-11-28 19:45:32, Info                  CSI    0000014c Hashes for file member \??\C:\Windows\System32\fr-FR\user32.dll.mui do not match actual file [l:28{14}]"user32.dll.mui" :
  Found: {l:32 b:yxsq3mC/kaXOgpo1OSW6sLqI9KP6P6kEc6TaW9BacTJ=} Expected: {l:32 b:IFnzqdq3y6gEsAR2ZAA8LpuIpCmz9C2P3EBGQDlCU7p=}
2010-11-28 19:45:32, Info                  CSI    0000014d [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\fr-FR"\[l:28{14}]"user32.dll.mui" from store
2010-11-28 19:45:33, Info                  CSI    0000014e Hashes for file member \??\C:\Windows\System32\drivers\tcpip.sys do not match actual file [l:18{9}]"tcpip.sys" :
  Found: {l:32 b:FHXKaSKvuGZi4zGZWyWqGKZr6zV3Dnjn0JSRlwwcFbY=} Expected: {l:32 b:JS8YDZAEMNJZ9tn3gEmUh2rZPMG6oM4Hf7UYzEPKyjD=}
2010-11-28 19:45:33, Info                  CSI    0000014f [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:18{9}]"tcpip.sys" from store
2010-11-28 19:45:33, Info                  CSI    00000150 [SR] Repairing corrupted file [ml:520{260},l:82{41}]"\??\C:\Windows\System32\LogFiles\Firewall"\[l:20{10}]"mpssvc.dat" from store
2010-11-28 19:45:33, Info                  CSI    00000151 Repair results created:
POQ 58 starts:
     0: Create File: File = [l:230{115}]"\SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll", Attributes = 00000080
    1: Move File: Source = [l:158{79}]"\SystemRoot\WinSxS\Temp\PendingRenames\df70e76f2c8fcb01de190000e808040a.ver.dll", Destination = [l:230{115}]"\SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll"
    2: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\bf57f36f2c8fcb01df190000e808040a._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    3: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\bf57f36f2c8fcb01e0190000e808040a.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
    4: Move File: Source = [l:210{105}]"\SystemRoot\WinSxS\Temp\PendingRenames\bf57f36f2c8fcb01e1190000e808040a.$$_system_4c3aa2308f9f8f41.cdf-ms", Destination = [l:122{61}]"\SystemRoot\WinSxS\FileMaps\$$_system_4c3aa2308f9f8f41.cdf-ms"
    5: Hard Link File: Source = [l:230{115}]"\SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll", Destination = [l:58{29}]"\??\C:\Windows\system\ver.dll"
    6: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\ff9f01702c8fcb01e2190000e808040a.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
    7: Move File: Source = [l:226{113}]"\SystemRoot\WinSxS\Temp\PendingRenames\7f250b702c8fcb01e3190000e808040a.$$_system32_fr-fr_448347788202c03b.cdf-ms", Destination = [l:138{69}]"\SystemRoot\WinSxS\FileMaps\$$_system32_fr-fr_448347788202c03b.cdf-ms"
    8: Hard Link File: Source = [l:254{127}]"\SystemRoot\WinSxS\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_de4a08b1212b3140\user32.dll.mui", Destination = 
2010-11-28 19:45:33, Info                  CSI    [l:88{44}]"\??\C:\Windows\System32\fr-FR\user32.dll.mui"
    9: Move File: Source = [l:230{115}]"\SystemRoot\WinSxS\Temp\PendingRenames\df9120702c8fcb01e4190000e808040a.$$_system32_drivers_dc1b782427b5ee1b.cdf-ms", Destination = [l:142{71}]"\SystemRoot\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms"
    10: Hard Link File: Source = [l:220{110}]"\SystemRoot\WinSxS\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys", Destination = [l:82{41}]"\??\C:\Windows\System32\drivers\tcpip.sys"
    11: Move File: Source = [l:250{125}]"\SystemRoot\WinSxS\Temp\PendingRenames\7f3b31702c8fcb01e5190000e808040a.$$_system32_logfiles_firewall_488be49cc4415d55.cdf-ms", Destination = [l:162{81}]"\SystemRoot\WinSxS\FileMaps\$$_system32_logfiles_firewall_488be49cc4415d55.cdf-ms"
    12: Hard Link File: Source = [l:226{113}]"\SystemRoot\WinSxS\x86_networking-mpssvc-svc-dir_31bf3856ad364e35_6.0.6000.16531_none_69dcb6a77f86c3ef\mpssvc.dat", Destination = [l:104{52}]"\??\C:\Windows\System32\LogFiles\Firewall\mpssvc.dat"

POQ 58 ends.
2010-11-28 19:45:33, Info                  CSI    00000152 [SR] Repair complete
2010-11-28 19:45:33, Info                  CSI    00000153 [SR] Committing transaction
2010-11-28 19:45:33, Info                  CSI    00000154 [SR] Cannot commit interactively, there are boot critical components being repaired
2010-11-28 19:45:33, Info                  CSI    00000155 [SR] Repairing 4 components
2010-11-28 19:45:33, Info                  CSI    00000156 [SR] Beginning Verify and Repair transaction
2010-11-28 19:45:33, Info                  CSI    00000157 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll do not match actual file [l:14{7}]"ver.dll" :
  Found: {l:32 b:CRD+1MzwCiyk0tTi8HlgmlBVUEswIVH2a2dR3FrhAqz=} Expected: {l:32 b:bQPPHjF0gUm200cl4pPF7k87193r5SYoX+e6QaHR9bT=}
2010-11-28 19:45:33, Info                  CSI    00000158 [SR] Cannot repair member file [l:14{7}]"ver.dll" of Microsoft-Windows-NTVDM-System, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-11-28 19:45:33, Info                  CSI    00000159 [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[ml:24{12},l:14{7}]"ver.dll" by copying from backup
2010-11-28 19:45:33, Info                  CSI    0000015a Hashes for file member \??\C:\Windows\system\ver.dll do not match actual file [l:14{7}]"ver.dll" :
  Found: {l:32 b:CRD+1MzwCiyk0tTi8HlgmlBVUEswIVH2a2dR3FrhAqz=} Expected: {l:32 b:bQPPHjF0gUm200cl4pPF7k87193r5SYoX+e6QaHR9bT=}
2010-11-28 19:45:33, Info                  CSI    0000015b [SR] Repairing corrupted file [ml:520{260},l:42{21}]"\??\C:\Windows\system"\[l:14{7}]"ver.dll" from store
2010-11-28 19:45:33, Info                  CSI    0000015c Hashes for file member \??\C:\Windows\System32\fr-FR\user32.dll.mui do not match actual file [l:28{14}]"user32.dll.mui" :
  Found: {l:32 b:yxsq3mC/kaXOgpo1OSW6sLqI9KP6P6kEc6TaW9BacTJ=} Expected: {l:32 b:IFnzqdq3y6gEsAR2ZAA8LpuIpCmz9C2P3EBGQDlCU7p=}
2010-11-28 19:45:33, Info                  CSI    0000015d [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\fr-FR"\[l:28{14}]"user32.dll.mui" from store
2010-11-28 19:45:33, Info                  CSI    0000015e Hashes for file member \??\C:\Windows\System32\drivers\tcpip.sys do not match actual file [l:18{9}]"tcpip.sys" :
  Found: {l:32 b:FHXKaSKvuGZi4zGZWyWqGKZr6zV3Dnjn0JSRlwwcFbY=} Expected: {l:32 b:JS8YDZAEMNJZ9tn3gEmUh2rZPMG6oM4Hf7UYzEPKyjD=}
2010-11-28 19:45:33, Info                  CSI    0000015f [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:18{9}]"tcpip.sys" from store
2010-11-28 19:45:33, Info                  CSI    00000160 [SR] Repairing corrupted file [ml:520{260},l:82{41}]"\??\C:\Windows\System32\LogFiles\Firewall"\[l:20{10}]"mpssvc.dat" from store
2010-11-28 19:45:33, Info                  CSI    00000161 Repair results created:
POQ 59 starts:
     0: Create File: File = [l:230{115}]"\SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll", Attributes = 00000080
    1: Move File: Source = [l:158{79}]"\SystemRoot\WinSxS\Temp\PendingRenames\bf833f702c8fcb01e6190000e808040a.ver.dll", Destination = [l:230{115}]"\SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll"
    2: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\3f0949702c8fcb01e7190000e808040a._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    3: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\3f0949702c8fcb01e8190000e808040a.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
    4: Move File: Source = [l:210{105}]"\SystemRoot\WinSxS\Temp\PendingRenames\3f0949702c8fcb01e9190000e808040a.$$_system_4c3aa2308f9f8f41.cdf-ms", Destination = [l:122{61}]"\SystemRoot\WinSxS\FileMaps\$$_system_4c3aa2308f9f8f41.cdf-ms"
    5: Hard Link File: Source = [l:230{115}]"\SystemRoot\WinSxS\x86_microsoft-windows-ntvdm-system_31bf3856ad364e35_6.0.6000.16386_none_1e1753ed2313c813\ver.dll", Destination = [l:58{29}]"\??\C:\Windows\system\ver.dll"
    6: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\7f5157702c8fcb01ea190000e808040a.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
    7: Move File: Source = [l:226{113}]"\SystemRoot\WinSxS\Temp\PendingRenames\5f3863702c8fcb01eb190000e808040a.$$_system32_fr-fr_448347788202c03b.cdf-ms", Destination = [l:138{69}]"\SystemRoot\WinSxS\FileMaps\$$_system32_fr-fr_448347788202c03b.cdf-ms"
    8: Hard Link File: Source = [l:254{127}]"\SystemRoot\WinSxS\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_de4a08b1212b3140\user32.dll.mui", Destination = 
2010-11-28 19:45:33, Info                  CSI    [l:88{44}]"\??\C:\Windows\System32\fr-FR\user32.dll.mui"
    9: Move File: Source = [l:230{115}]"\SystemRoot\WinSxS\Temp\PendingRenames\bfa478702c8fcb01ec190000e808040a.$$_system32_drivers_dc1b782427b5ee1b.cdf-ms", Destination = [l:142{71}]"\SystemRoot\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms"
    10: Hard Link File: Source = [l:220{110}]"\SystemRoot\WinSxS\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys", Destination = [l:82{41}]"\??\C:\Windows\System32\drivers\tcpip.sys"
    11: Move File: Source = [l:250{125}]"\SystemRoot\WinSxS\Temp\PendingRenames\ffec86702c8fcb01ed190000e808040a.$$_system32_logfiles_firewall_488be49cc4415d55.cdf-ms", Destination = [l:162{81}]"\SystemRoot\WinSxS\FileMaps\$$_system32_logfiles_firewall_488be49cc4415d55.cdf-ms"
    12: Hard Link File: Source = [l:226{113}]"\SystemRoot\WinSxS\x86_networking-mpssvc-svc-dir_31bf3856ad364e35_6.0.6000.16531_none_69dcb6a77f86c3ef\mpssvc.dat", Destination = [l:104{52}]"\??\C:\Windows\System32\LogFiles\Firewall\mpssvc.dat"

POQ 59 ends.
2010-11-28 19:45:33, Info                  CSI    00000162 [SR] Repair complete
2010-11-28 19:45:33, Info                  CSI    00000163 Creating NT transaction (seq 1), objectname [6]"(null)"
2010-11-28 19:45:33, Info                  CSI    00000164 Created NT transaction (seq 1) result 0x00000000, handle @0xa30
2010-11-28 19:45:33, Error                 CSI    00000165 (F) c0190005 [Error,Facility=FACILITY_TRANSACTION,Code=5] #2093931# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = 0, handle = {provider=NULL, handle=0}, da = (FILE_GENERIC_WRITE), oa = @0x8eeb14->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[30]"\SystemRoot\WinSxS\pending.xml"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0x8eeb2c, as = (null), fa = (FILE_ATTRIBUTE_NORMAL), sa = (FILE_SHARE_READ|FILE_SHARE_DELETE), cd = FILE_OPEN_IF, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|0x00004000), eab = NULL, eal = 0, disp = Invalid)

2010-11-28 19:45:33, Error                 CSI    00000166@2010/11/28:18:45:33.972 (F) d:\vistartm\base\wcp\sil\merged\ntu\ntsystem.cpp(1461): Error c0190005 [Error,Facility=FACILITY_TRANSACTION,Code=5] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile expression: (null)
[gle=0x80004005]
2010-11-28 19:45:34, Error                 CSI    00000167 (F) c0190005 [Error,Facility=FACILITY_TRANSACTION,Code=5] #2093930# from Windows::Rtl::SystemImplementation::CDirectory::CreateNewFile(...)

Looking at corrupt files, we have:

ver.dll x lots
user32.dll.mui
tcpip.sys
mpssvc.dat

The thing that worries me most is ver.dll. Lots do not become corrupt all in one go, and the same file. Something has got confused in the WinSxS and COMPONENTS hive/manifests. This is really, really bad.

I will just be back, in a few minutes. Thanks!

Ashanta · Nov 30, 2010

Yes, Niemiro, ver.dll appeared a few times, that's the point.

I will waiting for you

Lorien · Nov 30, 2010

It seems corrupt to me (but I'm not certain by any means and could be wrong). Perhaps it was caused by the 9-steps or something related and perhaps it caused corruption as well as other changes - it's difficult to be sure as there's no real test for that. Security and permission issues (again possibly caused by those 9-steps) can also sometimes be resolved by treating the situation like a corrupted account even if that isn't really the case (resetting them for the new account and thus fixing the problem). The new account you created seems to work fine - so it seems new accounts are OK. This procedure is almost the same as that except you also transfer your files so you lose nothing in the process - so I have every reason to believe it would work. Still, if you prefer not to try this option, that's completely fine and entirely your decision.

No problem, I can reconsiderate your advise. I've a question: What's happening to all my programs that were installed under this old admin account ? Are you help me to securize this new admin account, (services, gpedit,...and unneeded processes) ?

The process transfers everything from the old account to the new account - so programs installed by the old account will work just fine under the new one. I'm not certain what you mean by securize - the new account should be setup as an administrator account so it should have all the proper permissions and rights (plus any that were specific to that original account). As an admin account, it will be able to access and modify gpedit.msc. Services should be no different. It will have the same startup programs and processes and services as the original account - we can change some of those things if you didn't like how they were working before and found some to be unnecessary (that's no problem at all and I even suggest it's a great idea). When you complete this part, I'll be happy to show you how to best do the rest (and even help if you'll send me some screenshots or files when the time comes).

Group Policy essentially is a simplified way of modifying many registry values. I was simply pointing out those entries that are related so we can make sure that Group Policy isn't constantly revising the registry and undoing efforts to change things there. If you prefer not to check, that's fine - chances are that wasn't the source of the problem anyway (just an option I thought might be worth checking).

I did exactely what you suggested me to do according to the link you posted here to disable UAC, I checked one by one.

Thank you. I really didn't have much hope about this - but if it was the cause nothing we did in the registry would have "stuck" until we fixed things here. Now we can eliminate this as a concern.

If necessary, I'll get the registry from Richard - but thanks anyway.

The backup I gave to Richard at that moment is old. Since I fixed a few troubles, maybe I need to give you a new one.

What about my CBS.log file ? Did you have a look ?

If you can provide an updated version, I'll be happy to get it. But I don't want to get out of Sync with Richard where we have two different versions so I'd rather use whatever he is using. If his is out of date, please send both of us a new one (or the link) that is identical so we don't get confused by differences that aren't real.

Unfortunately, I've not yet examined the CBS.LOG file. It takes time to do it and do it properly and not miss something and identify all of the real problems and exclude those that don't matter or were repaired - I haven't had enough time to do it right yet - but I will.

I realize it is not a BSOD problem (and even said that), but that procedure provides us with much information (dozens of files) about your system and may help us discover what that black box actually is. Just because it is used for BSOD situations does not mean that is the only time it can be valuable or only applies in such cases. I think it may be helpful here. Still, if you don't want to do it, that's your choice. At the moment, I'm not sure how else to identify it or stop it (or even if this will work - but with so much information from this process, I was hoping it would).

I understand better Lorien. Let me know more time to understand all what you recommended to me, thanks

Thanks. This process is simply one that collects information and then has you send it to us. It makes no changes and does nothing to your system. For the most part, it copies relevant files containing information about what your system has done or experienced or its current status in great detail. It's essentially copy/paste and then putting it all together in one zip file. The other part can't be done that way, but also provides much valuable information and is separate for that reason only. It also makes no changes to the system - it simply reports about how the system is functioning and similar information not provided by the other files.

Forget Process Monitor - considering when it appears, I do not believe the program will be able to capture it anyway as it seems to happen before the program would be enabled.

OK.

If we all work together, I believe we can eventually solve these problems one way or another - though I'm not sure yet which way will work best and I can't completely guarantee we'll be able to deal with all of them at this point yet, but we will try as hard as we can. I am a bit discouraged by Richard's recent post - but it's not yet time to give up (despite how bad that news is).

niemiro · Nov 30, 2010

Hmmm We are not really winning this war. We shall keep on trying, but we now have:

File system corruptions
File system permissions issues
Registry corruptions, including, but not limited to the COMPONENTS hive
Registry permissions issues
Various different issues that we cannot really pin to anything yet

Right, I am not actually too worried about the SFC error at the moment. Your case is special, and fixing it would only be for the sake of fixing it.

Code:

2010-11-28 19:45:33, Error                 CSI    00000165 (F) c0190005 [Error,Facility=FACILITY_TRANSACTION,Code=5] #2093931# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = 0, handle = {provider=NULL, handle=0}, da = (FILE_GENERIC_WRITE), oa = @0x8eeb14->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[30]"\SystemRoot\WinSxS\pending.xml"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0x8eeb2c, as = (null), fa = (FILE_ATTRIBUTE_NORMAL), sa = (FILE_SHARE_READ|FILE_SHARE_DELETE), cd = FILE_OPEN_IF, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|0x00004000), eab = NULL, eal = 0, disp = Invalid)

Does the C:\Windows\WinSxS\pending.xml file exist. This could indicate a permissions issue, but WinSxS is SO picky, you have to be really careful.

Ashanta · Nov 30, 2010

niemiro said:
Hmmm We are not really winning this war. We shall keep on trying, but we now have:

File system corruptions
File system permissions issues
Registry corruptions, including, but not limited to the COMPONENTS hive
Registry permissions issues
Various different issues that we cannot really pin to anything yet

Right, I am not actually too worried about the SFC error at the moment. Your case is special, and fixing it would only be for the sake of fixing it.

Code:

2010-11-28 19:45:33, Error CSI 00000165 (F) c0190005 [Error,Facility=FACILITY_TRANSACTION,Code=5] #2093931# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysCreateFile(flags = 0, handle = {provider=NULL, handle=0}, da = (FILE_GENERIC_WRITE), oa = @0x8eeb14->OBJECT_ATTRIBUTES {s:24; rd:NULL; on:[30]"\SystemRoot\WinSxS\pending.xml"; a:(OBJ_CASE_INSENSITIVE)}, iosb = @0x8eeb2c, as = (null), fa = (FILE_ATTRIBUTE_NORMAL), sa = (FILE_SHARE_READ|FILE_SHARE_DELETE), cd = FILE_OPEN_IF, co = (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|0x00004000), eab = NULL, eal = 0, disp = Invalid)

Does the C:\Windows\WinSxS\pending.xml file exist. This could indicate a permissions issue, but WinSxS is SO picky, you have to be really careful.

I don't have such file.

Look a this screenshot (see on the attached file)

Here you are a new backup of my registry with Regbak

http://www.myupload.dk/showfile/68613002c71.7z/

User and Admin account big troubles !

My Computer

My Computer

Network Enthusiast

My Computer

My Computer

Network Enthusiast

My Computer

Banned

My Computer

Network Enthusiast

My Computer

Banned

My Computer

My Computer

My Computer

My Computer

Account Suspended

My Computer

My Computer

Account Suspended

My Computer

My Computer

Banned

My Computer

My Computer

Account Suspended

My Computer

Banned

My Computer

Attachments

My Computer