Friday, January 25, 2008

Default Logins and Passwords for Networked Devices

:-)

Thursday, January 03, 2008

Windows XP Auto Logs Off

I have seen this issue a few times now. Windows XP will load just like normal and then show up on the logon / welcome screen. When you click your user name or type in your user name you see your desktop for a split second and then are sent back to the logon / welcome screen. This occurs if a certain registry value is not pointing to the correct system file. At registry key:

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

the string "Userinit" should be set to a value of "C:\WINDOWS\system32\userinit.exe,". Do not forget the coma on the end. Also the path is case sensitive and "WINDOWS" should be replaced with your Windows directory. On most Gateway computers the Windows directory is "WINNT".

Ok, so now we know how to fix the problem, but how do I change the value if i can't get into Windows? Well, you have a few options. Option 1 is the one I like best, which is to use a BartPE CD equiped with Regedit For BartPE open the registry and change the value back to normal. Option 2 is to try and guess what the value of the registry key is and then boot into Recovery Console and rename "userinit.exe" to the bogus value. The registry key most likely points to "wsaupdater.exe". Option 3 will only work if you are in a corporate enviroment and your computer was setup for remote registry changes before it crashed. In that case you can log onto the crashed
computer and change the value while it is sitting at the log on screen.

So now that we have fixed the problem what caused the problem? While if you click the link below you will be sent to a Lavasoft forum which has previously discussed this issue. This is the source of most of the info I have here. Apparently some spyware named "BlazeFind" will change the key value to "wsaupdater.exe" for some unknown reason. Undoubtably for some malicious reason. When a spyware or anti-virus program removes BlazeFind it leaves that registry entry pointing to nothing and stops you from logging in.

8/28/04 - I now believe that this problem is caused when Adaware removes a certain spyware and does not correct the registry entry that is mentioned above. I have also found out that Hijackthis will catch this "logon hijack" if ran on an infected system, either when infected or before rebooting after adaware removes the infection.

http://www.lavasoftsupport.com/index.php?showtopic=29752


9/22/04- more info and steps here:
http://www.lavasofthelp.com/articles/v6/04/06/0901.html
Who links to me?