Black Screen of Death (KSOD) for Windows Vista

Here is something I ran into lately: one of those annoying black screen of death errors, also known as a KSOD (presumably called such since BSOD was taken already).

The issue:
The computer showed only a black screen with a mouse cursor. This occurs in safe mode and other modes.

The troubleshooting:
Here are the things that I tried but they didn’t work for me in this case. If you haven’t tried one of these you may want to try it before trying out my solution:

  • Verified that the RpcSs service was started with NT Authority\NetworkService. This should be located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
  • Verified that the winlogon shell was set to explorer.exe
  • Backed up and replaced winlogon.exe with a known good suitable replacement.
  • Cleared the event log files (*.evt)
  • Backed up and restored hives from the RegBack directory.
  • Attempted to boot into Low Resolution Mode
  • Disabled Driver Signing Enforcement
  • Did an SFC /scannow
  • Tried waiting it out to see if something comes up

So what did I do to fix this?

The solution:
I copied the following to a blank notepad file and named it fix_perm.bat:

icacls Windows /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls Windows /t /c /grant SYSTEM:(M)
icacls Windows /t /c /grant SYSTEM:(F)
icacls Windows /t /c /grant Administrators:(M)
icacls Windows /t /c /grant Administrators:(F)
icacls Windows /t /c /grant Users:(RX)
icacls Windows /t /c /grant Users:(GR,GE)
icacls Windows /t /c /grant "CREATOR OWNER":(F)

icacls "Program Files" /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls "Program Files" /t /c /grant SYSTEM:(M)
icacls "Program Files" /t /c /grant SYSTEM:(F)
icacls "Program Files" /t /c /grant Administrators:(M)
icacls "Program Files" /t /c /grant Administrators:(F)
icacls "Program Files" /t /c /grant Users:(RX)
icacls "Program Files" /t /c /grant Users:(GR,GE)
icacls "Program Files" /t /c /grant "CREATOR OWNER":(F)

icacls "Program Files (x86)" /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls "Program Files (x86)" /t /c /grant SYSTEM:(M)
icacls "Program Files (x86)" /t /c /grant SYSTEM:(F)
icacls "Program Files (x86)" /t /c /grant Administrators:(M)
icacls "Program Files (x86)" /t /c /grant Administrators:(F)
icacls "Program Files (x86)" /t /c /grant Users:(RX)
icacls "Program Files (x86)" /t /c /grant Users:(GR,GE)
icacls "Program Files (x86)" /t /c /grant "CREATOR OWNER":(F)

icacls Users /t /c /grant SYSTEM:(F)
icacls Users /t /c /grant Administrators:(F)
icacls Users /t /c /grant Users:(RX)
icacls Users /t /c /grant Users:(GR,GE)
icacls Users /t /c /grant Everyone:(RX)
icacls Users /t /c /grant Everyone:(GR,GE)

I then saved the file to a flash drive, put it into the sick computer and booted it with a Windows Vista CD. When the CD booted up I entered the recovery console and located the drive letter associated with the flash drive (remember that drive letter; we are going to need it). Then I located the drive associated with their Windows installation, switched to that drive and executed the batch file on the flash drive like so:
C:
F:\fix_perm.bat

You should of course replace the drive letters with the correct ones for your setup. After this runs you should be able to get into Windows proper. These grants are added on top of the existing ACLs (there is no :r), and the last block gives Everyone read and execute access to every profile under Users, which is one more reason to do the permissions reset described next.
Unfortunately, we are not done yet. In my case, when a checkdisk was run on the computer, it reset the permissions itself and made the computer show a KSOD again. So after getting back into Windows, run the Tweaking.com – Windows Repair tool. Choose the reset file permissions option and allow that to run. Once that is finished, to be on the safe side I would run a checkdisk just to make sure that the computer will not revert again.

Internet Explorer crashes with exception code: c0000005 module: msvcrt.dll

The Problem:

Internet Explorer 9 and 10 on a Windows 7 (64-bit) setup both crash with the following output:

Problem signature:
Problem Event Name: APPCRASH
Application Name: iexplore.exe
Application Version: 9.0.8112.16490
Application Timestamp: 51955cca
Fault Module Name: msvcrt.dll
Fault Module Version: 7.0.7601.17744
Fault Module Timestamp: 4eeaf722
Exception Code: c0000005
Exception Offset: 00009cc6
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

The solution:

Go to Internet Options.
Choose the Advanced tab.
Check the box that says Use software rendering instead of GPU rendering*

Update:

If the above solution works, you may need to install different drivers. The computer I had that was experiencing this issue was a Dell Inspiron 1545. The drivers on Dell’s website didn’t seem to resolve the problem. The drivers that did work for me were found here.

Microsoft Security Essentials Update Error: 0x80070643

The Problem:

A customer brought in a Windows XP computer that had the “ZeroAccess” rootkit on it. It must have removed Microsoft Security Essentials (MSE) and replaced its directory with symbolic links (junctions) that pointed to the system32/config directory. When I attempted to put MSE back on the client’s machine it failed with error code 0x80070643.

The Troubleshooting:

I could not remove the symbolic links even in Knoppix. This was because ZeroAccess was still not removed. After I removed it I was easily able to remove the symbolic links.

The Solution:

After doing some research I found that the Microsoft Fix it at http://support.microsoft.com/mats/Program_Install_and_Uninstall worked well at completely uninstalling the program. I told the Fix it program to uninstall the “Microsoft Security Client”; after that the program installed with no additional problems.

Arch Linux: Fixing Backlight Issues on a Gateway NV78 Laptop with systemd.

The Issue:

When setting up Arch Linux (or any Linux distro, for that matter) I find that the screen is very dark, so much so that I cannot even set up the system without an external monitor. The following fix may be able to clear up Intel i915-related brightness issues on other machines, but I have only tested it with my Gateway NV78.

The Solution:

Go ahead and set up Arch with the help of an external monitor and when you get it pretty well set up create this file:

/usr/local/bin/brightnessfix
#!/bin/bash
setpci -s 00:02.0 F4.B=40
exit 0

Now make the new script executable by running this command:

sudo chmod +x /usr/local/bin/brightnessfix

You should at this point be able to type sudo brightnessfix into your terminal and have your brightness restored. To make it run on start up create this systemd service:

/usr/lib/systemd/system/brightnessfix.service
# Runs as root at boot: keep the script owned by root and not writable by other users.
[Unit]
Description=Fix for screen brightness issue
ConditionPathExists=/usr/local/bin/brightnessfix
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/brightnessfix
[Install]
WantedBy=multi-user.target

Activate it by typing this command:

sudo systemctl enable brightnessfix.service

Now we should be at the point where the screen lights up after the computer boots. We are not done yet: edit your kernel line to add the following two options:
quiet acpi_osi=Linux acpi_backlight=vendor
This is what mine looked like before and after the change:

/etc/default/grub
# Before:
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
# After:
GRUB_CMDLINE_LINUX_DEFAULT="quiet acpi_osi=Linux acpi_backlight=vendor"

Now we are going to push the change to our active grub config with this command:

sudo grub-mkconfig -o /boot/grub/grub.cfg

Okay, I think we are done. Now you should be able to use the brightness keys even if the computer’s backlight is completely off! Also, it should come back with the correct brightness when it wakes from sleep or when you open the lid after it has been closed.

Wait! My system doesn’t use systemd. How can I apply a comparable start up script to turn on my backlight?
Instead of creating a “brightnessfix” file in your path just put setpci -s 00:02.0 F4.B=40 into your /etc/rc.local file and it will run after system boot. Don’t forget to add the extra options to grub and you should be good to go.

Windows XP: Removing Syskey Startup Password

The issue:

Computer shows only a black screen with the following text: Windows XP Startup Password – This computer is configured to require a password in order to start up. Please enter the Startup Password Below. This occurred after a client got on a phone call with someone claiming to be from “Windows”. The phone call started going badly for the would-be scammer and he decided to incapacitate the computer.

Windows XP prompting the user to input a syskey password.

The Troubleshooting:

After a quick search I realized the program is called “Syskey”.

The solution:

If you have a restore point from before this was set, copy the registry hives from the restore point into your active registry’s folder (normally C:\Windows\System32\config\). If you don’t know how to do this from a non-booting copy of Windows XP, just follow these directions to learn how to do just that with the use of a Knoppix live CD. Don’t forget to back up your old hives and to run a system restore after the process is complete.

How did this happen in the first place?

Here is the process to lock your computer using Syskey.

Process for setting up Syskey on Windows XP.

  1. First bring up the “Run” dialog box by clicking Start -> Run… or by pressing [Windows Key] + R
  2. Type syskey in the “Open:” field.
  3. Click OK
  4. On the new window: choose Update.
  5. On the “Startup Key” window: choose the Password Startup radio button.
  6. Type in the Password you wish to set.
  7. Type in the password again to Confirm it.
  8. Click OK on the “Startup Key” window.
  9. Click OK on the Success window.

Windows XP: Repairing Registry Hives from a System Restore Point

This article is the first of what I hope will be many in a series I am calling “Base Level”. These articles will detail some of the base level skills you should already have if you work in a PC repair technician position. If you don’t know one of the items here don’t be embarrassed. I personally didn’t know anything when I started and was hoping this would help someone in a similar position. If you aren’t familiar with these things, learn to do them without having to refer to this site. These are things that you will do regularly.

Why would I need to know this?

This is a very easy way to fix your registry, but you are pulling a registry from the past and pairing it with current files. This can be somewhat sorted out by doing a system restore immediately after, but it still may cause issues. That said, this is a very useful skill when something is messed up in the registry and causes the computer to not respond. Here is one common example:

Windows XP displaying a boot error relating to a corrupt registry hive.

What am I going to need for this?

Head over to knopper.net, get the latest version of Knoppix and burn that to a CD. Make a nice CD case for it and keep it around. This is a useful tool in your arsenal.

Ok, I am ready. What do I need to do?

Place your Knoppix CD into your optical drive. When the boot: prompt pops up, type knoppix and press Enter.

Knoppix ready to boot.

When Knoppix gets fully loaded click on the PCManFM icon in the bottom tool bar on the left.

Location of the file browser (PCManFM) in Knoppix.

Locate the partition where your Windows install is and click on it. Note: It probably will not be marked as “WINDOWS_XP”.

Click on the System Volume Information folder to open it.

Next, click on the directory whose name starts with _restore followed by some random hex values and hyphens in curly brackets.

This next part may be easier if you put PCManFM into Detailed List View by clicking on View -> Detailed List View.

Now that it is set in Detailed List View you can clearly see which date each restore point folder corresponds to. These dates are a good indicator of when each restore point was made. This should give you a good idea of which one you should pick. In my example I opted to go back a couple of days. When you have chosen the restore point that you would like to use, click on the folder associated with it. Then open the snapshot folder inside it.

Now you need to copy the following files to your clipboard:

  • _REGISTRY_MACHINE_SAM
  • _REGISTRY_MACHINE_SECURITY
  • _REGISTRY_MACHINE_SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM
  • _REGISTRY_USER_.DEFAULT

Now click back on the partition where your Windows install is, navigate to ./WINDOWS/System32/config and create a backup folder for the old registry hive files. Make sure to include today’s date in the folder name!

Now drag and drop the current hive files (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) from the config directory into that newly created folder.

Go ahead now and paste the files from the restore point directory into the config directory, then rename them to match the ones you backed up. Like this:

  • _REGISTRY_MACHINE_SAM -> SAM
  • _REGISTRY_MACHINE_SECURITY -> SECURITY
  • _REGISTRY_MACHINE_SOFTWARE -> SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM -> SYSTEM
  • _REGISTRY_USER_.DEFAULT -> DEFAULT

Okay, nearly finished! Now just reboot the machine by clicking the Start-menu-like item in the bottom left and choosing Logout, then Reboot, from the menu that pops up.

Last but not least, you need to run a system restore now that you can get back into the system. This helps ensure that your registry and Windows’ system files are on the same page. Fire up System Restore.

Now choose a date from system restore when the system was operating as you intended it to. It doesn’t have to be the same date as the day we picked earlier but it can be.

After the system restore completes you are done!
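
The Knoppix file steps above (back up the current hives, then copy in and rename the five snapshot files) written as a shell script for use in a terminal on the live CD. This is an added example, not part of the original article; the function names and the backup-YYYY-MM-DD folder name are assumptions, and it matches the existing hives case-insensitively on the assumption that some of them may be named in lower case.

```shell
#!/bin/bash
# Added example (not from the original article): restore XP registry hives
# from a restore-point snapshot folder on a mounted Windows partition.
# Usage: ./restore_hives.sh <snapshot_dir> <config_dir>
HIVES="SAM SECURITY SOFTWARE SYSTEM DEFAULT"

# Name of a hive inside the snapshot folder.
snapshot_name() {
    case "$1" in
        DEFAULT) echo "_REGISTRY_USER_.DEFAULT" ;;
        *)       echo "_REGISTRY_MACHINE_$1" ;;
    esac
}

restore_hives() {
    snap="$1"; config="$2"
    backup="$config/backup-$(date +%Y-%m-%d)"   # assumed folder name

    # Change nothing unless all five snapshot files exist and are non-empty.
    for h in $HIVES; do
        if [ ! -s "$snap/$(snapshot_name "$h")" ]; then
            echo "missing or empty: $(snapshot_name "$h")" >&2; return 1
        fi
    done
    # Never overwrite an earlier backup made the same day.
    if [ -e "$backup" ]; then echo "backup exists: $backup" >&2; return 2; fi
    mkdir "$backup" || return 3

    # Move the current hives aside. Compare names case-insensitively so a
    # lower-case "software" is not left next to the new "SOFTWARE".
    for f in "$config"/*; do
        [ -f "$f" ] || continue
        upper=$(basename "$f" | tr '[:lower:]' '[:upper:]')
        case " $HIVES " in
            *" $upper "*) mv "$f" "$backup/" || return 4 ;;
        esac
    done
    # Copy the snapshot files in under their live names.
    for h in $HIVES; do
        cp "$snap/$(snapshot_name "$h")" "$config/$h" || return 5
    done
}

if [ "$#" -eq 2 ]; then restore_hives "$1" "$2"; fi
```

Both arguments are paths on the mounted Windows partition: the snapshot folder inside the chosen restore point, and WINDOWS/System32/config.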

Wait, couldn’t I have used X and have gotten the same results?

As the first screencap in this article hinted, you can accomplish this same task with a Windows XP disk; in fact you can do it by booting into anything that will let you read and write to the files on the partition that the corrupted Windows install is located on. Examples of this are your Windows XP installation media, an installed recovery environment, or a Linux bootable live CD. We used a Knoppix live CD because it is very compatible and has a GUI, so it won’t alienate anyone starting out. If you are starting out I wouldn’t recommend using the Windows installation media, because you may end up needing to slipstream drivers and without tab completion some of the directories can be a pain to type up. In the event you are in the mood for it, the Microsoft Blessed™ way to accomplish this is laid out in Knowledge Base article 307545. They have you do some extra steps just to put you back into a GUI quickly, and then you have to mess with file permissions (because you are back inside your Windows system) to get to the files you need.

Update Error: 0x80070426 on Windows Vista.

The Issue:

0x80070426 showed up when I tried to pull down Windows update KB928419. Later I noticed the CryptSvc service’s description was missing, but the service seemed to start and stop normally. The description I received instead of the normal one was:

<failed to Read Description. Error Code: 15100>

CryptSvc showing an error message instead of a proper description.

The Troubleshooting:

I ran the system file checker on the computer by opening up the command prompt and typing sfc /scannow. After that was fully completed it let me know it had failed to repair some items. So I opened up the log located at C:\Windows\Logs\CBS\CBS.log and did a search on the log for any line that said “Could not” (because those are particularly juicy). And this was the result:

2013-01-28 14:05:08, Info                  CSI    000000b5 [SR] Could not reproject corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\en-US"\[l:32{16}]"cryptsvc.dll.mui"; source file in store is also corrupted

The solution:

I replaced the file named in the log (C:\Windows\System32\en-US\cryptsvc.dll.mui) with one from a working Vista machine. The good file I replaced it with had an MD5 hash of deebc869807089a9b0bfb8332278ce7b and a file size of 4.00KB. This ended up fixing my problem!

I hope this helps someone!