2005-04-24

Windows XP Recovery

Friends of ours asked if they could bring over their computer. They said their laptop was going to the welcome screen, but the logon icons would not come up.
This sounded odd - but it did not sound like a corrupted hard drive, because it did go through the boot-up process.

Well, I tried it. It went through the boot-up, got to the blue welcome screen with the line, and no logon icons. I tried a few keystrokes - Enter; Esc; Ctrl-C; Ctrl-Break; Ctrl-Alt-Delete. Nothing.
I tried rebooting. I tried Alt-Tab at the welcome screen. I was able to Alt-Tab through 2 windows - one was logon - but it didn't help. As soon as I typed anything else, like Enter, then it would stop doing anything useful. Even Alt-Tab wouldn't do anything anymore. But the mouse was still active. So I knew the OS hadn't fully crashed.

I tried a few more things. I did the old F8 trick. I selected safe-mode - but after showing the safe logon - with the words 'safe mode' in all 4 corners - it just went to the blank logon screen.

F8 - boot to command prompt - blank logon screen.
F8 - boot to network safe mode - blank logon screen.
F8 - boot with debug - more messages - but blank logon screen.
F8 - restore to last known good configuration - a message about restoring - but blank logon screen.
I knew they had data - like digital pictures they had not backed up, so I knew it was important to try to get to the data before considering a rebuild of the OS if needed.

The friends did mention they had installed software just before the problem started. They also said they've had problems with blue screens [of death] (BSOD) running The Sims. So it did sound like a wacky configuration problem.

So I knew I needed to do more work. I hoped I could get it on my network - or at least back-up data via a PCMCIA drive.

I could not get it online. So it was time to try the operating system disk. I knew I had to be extra careful, because XP likes to reinstall the operating system - not help you get back your data.

I pressed a mouse key to boot from the CD. I selected R - repair. This boots to the recovery console.

First time I tried my PCMCIA drive, it did not come up - on reboot it was there. So I figured I could get to the data.

But as I tried to navigate on the hard drive, I was blocked. It seems the recovery console did not want me to get to the data. I remember this from when I added recovery console to my laptop's boot selection. There is some special way to open the files up, but I did not remember.

So I googled it. I found a reference to recovering XP. I knew XP liked to keep a lot of backups of configuration information in the "System Volume Information" [hidden] directory on the hard drive.
Looking at the directions on the page "307545 - How to Recover from a Corrupted Registry that Prevents Windows XP from Starting", I was able to know which 5 files I needed to back up and recover from an earlier recovery point than the last. (If the last was good, the F8 use last configuration would have worked).

So I looked at the directories, and picked one a couple up from the bottom - maybe a week ago.
I had already done the backup of the 5 files.
Then I went through and copied the 5 files from the recovery directory back to windows.
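The backup-then-copy step described above, as an added example that is not code from this post or from the KB article. It assumes the XP volume is mounted offline from another operating system at `volume`; the function names and the `steps_back` parameter are hypothetical, while the five hive file names and the `tmp\*.bak` backup location follow KB 307545.

```python
import re
import shutil
from pathlib import Path

# Snapshot file name in a restore point -> live hive name in system32\config
# (the five files named in KB 307545).
HIVES = {
    "_REGISTRY_MACHINE_SYSTEM": "system",
    "_REGISTRY_MACHINE_SOFTWARE": "software",
    "_REGISTRY_MACHINE_SAM": "sam",
    "_REGISTRY_MACHINE_SECURITY": "security",
    "_REGISTRY_USER_.DEFAULT": "default",
}

def restore_points(volume):
    """Return complete restore-point snapshot dirs, oldest first."""
    found = []
    pattern = "System Volume Information/_restore*/RP*/snapshot"
    for snap in Path(volume).glob(pattern):
        m = re.fullmatch(r"RP(\d+)", snap.parent.name)
        # Skip restore points that are missing any of the five hives.
        if m and all((snap / name).is_file() for name in HIVES):
            found.append((int(m.group(1)), snap))
    return [snap for _, snap in sorted(found)]

def roll_back(volume, steps_back=2, windir="WINDOWS"):
    """Back up the live hives, then copy in the hives from the restore
    point `steps_back` before the newest one. Returns the snapshot used."""
    points = restore_points(volume)
    if len(points) <= steps_back:
        raise RuntimeError("not enough complete restore points")
    chosen = points[-1 - steps_back]
    config = Path(volume) / windir / "system32" / "config"
    backup = Path(volume) / windir / "tmp"
    backup.mkdir(exist_ok=True)
    for live in HIVES.values():  # back up first, so the step is reversible
        shutil.copy2(config / live, backup / (live + ".bak"))
    for snap_name, live in HIVES.items():
        shutil.copy2(chosen / snap_name, config / live)
    return chosen
```

If the rolled-back hives do not boot either, the `.bak` copies in `tmp` put the machine back where it started, and a different `steps_back` can be tried.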

Reboot.

ICONS!!! YAY!!!

I logged on. There was a warning message about not being able to find a file. I was pretty sure the app that wanted the file was one that AIM installs, and is considered spyware.
I immediately copied the files to my desktop.

I had finally upgraded the network for my desktop earlier in the day for just such a reason. I had found a cheap 10/100 switch and a cheap 10/100 card for the unit - just waiting to be installed. So I swapped out the 10mb hub, and the 10mb ISA card. It took a few tries to get w2k to play nice with the network card. After a few reboots where it kept saying 'new hardware', I deleted all the old network card hardware. Let it search the floppy of the drivers, and it told me that it liked NT4 drivers better than w2k - so I let it take it. In a few seconds it was done. I waited for the reboot. No reboot asked for. Then I figured it would want it when I closed the network config window. Nope, didn't ask to reboot. I figured it forgot to ask to reboot. But then I checked - it looked like the network was configured. I opened up IE - and it was online! No reboot. After being asked to reboot 5 times before! Weird - but I was happy.

So I was able to copy about 2G of data in about 10-15 minutes instead of the much longer time it would have taken at 10mb (especially on the hub, which would have meant even slower for the packet collisions).

I copied the data. Then I decided it was time to do a little hunting.
New version of AdAware, Spybot Search & Destroy and BHODemon.

There were some nasties in the system. A couple of BHOs to go with a bunch of other references.

Kill them all. I'm becoming a PC exterminator.

I'm glad I can help out my friends!

1 comment:

Anonymous said...

Hey, I have a client with the exact same problem tonight. We used the Windows support KB, going all the way back to a default registry configuration, but no icons came back. I wonder if using a more recent reg backup would work better, like you did here.