XP ntoskrnl.exe not found and Registry woes…

Well, for the first time in a LONG time, I have had the awesome opportunity to try to ‘fix’ a Windows computer. Day in and day out, I work on Macs and Linux, and touch a Windows machine here or there. But real break/fix on a consumer Windows laptop? I’m a newbie.

Earlier this week, Debs handed me her laptop (it’s a 1-2 year old lower end Toshiba she got for Christmas from her mom), and said ‘Its broke’. No fault of her own, this laptop has had its quirks anyways. While we have all her music on her iPod (and I could get it off), she wants to get off some of her pictures, etc. Once I get the laptop running again, I plan to possibly wipe it and reinstall Windows (and possibly dual boot it with Linux), to give her a fresh start. So back to the current task…

Somehow, it could no longer find the ‘ntoskrnl.exe’ file…uh oh. Using my XP Home Retail disk, I booted her laptop into the Windows Recovery Console, used ‘copy’ to move the ntoskrnl.exe file she had out of the way, and then copied in another copy from the backups Windows keeps (cd C:\windows\system32; copy ..\driver cache\i386\ntoskrnl.exe). Reboot.

Now it’s telling me that Windows can’t start because it can not find ‘\Windows\system32\config\system’. Well, that’s great…it happens to be part of the system registry (the SYSTEM hive). I decided in the meantime to do a ‘chkdsk -r’ that ran overnight…to make sure everything was ok.

This morning, I pick back up on the issue. It looks like Windows keeps a copy of the registry as it was when Windows was first installed in the c:\windows\repair\ directory (so anything installed or configured since then will be missing until a newer registry is put back). By booting into the Recovery Console again, you can move the old registry out of the way (in c:\windows\system32\config\, there is system, security, sam, default, and software). I would move these all to a temp directory somewhere. Then, you can copy the 5 files from c:\windows\repair into your c:\windows\system32\config\ folder, and reboot.

Rebooting got me into Windows. I started Windows in safe mode, and then started following some of the directions in this MS Knowledge Base article. Basically, working with these steps, one can recover a copy of their registry that was made during a System Restore, copy that into the location where the registry files go, reboot, get a working system they can log into again, and then restore FULLY to a previous restore point, and should be good to go.

Following those directions, I moved over some of the more recent registry files (but not the ones of that date), and rebooted. Windows is starting! But before Windows fully starts and asks me to log in, a message pops up that lsass.exe (the process that manages some of the authentication for Windows) is getting invalid parameters. Great…I guess I’ll use the Recovery Console to go back to even older System Restore files, and copy them over.

After a reboot into the Recovery Console, I try to log in. Her admin account actually had one of our standard passwords, but it’s not letting me log in! It looks like the reason lsass.exe could not log in is that the registry I copied over was a ‘bad’ one, and part of the authentication data (the SAM and SECURITY hives among those files) was what was corrupt! So now I can no longer use the Recovery Console, because I can not log in to it!

So, now I’m stuck. I tried using a Ubuntu 6.06 install CD, but it can not WRITE to NTFS volumes. This afternoon I plan on downloading the newest Knoppix Live CD (which does have support for writing to NTFS volumes) and seeing how that goes.

Update: Downloaded Knoppix 5.0.1 and burnt it to a CD when I got home. Booted from the CD, which worked perfectly. It even mounted her Windows disk read-only at /mnt/hda1. I switched to root (sudo -s), unmounted that device (umount /mnt/hda1), made a new folder for the mount (mkdir /mnt/windows), and then mounted the Windows partition in RW mode (mount /dev/hda1 /mnt/windows -t ntfs -o rw). Next I made sure I could write to the volume.

Following the directions in the KB entry above, I copied the NEXT oldest registry files (which were dated Sept 29th on her laptop) to the c:\windows\system32\config directory. After a reboot, Windows booted right up and let her log in. The only other problem I had was that it said my copy had been activated too many times, so I then had to call Microsoft and go through their process to activate this copy again.
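Here is the KB-style hive swap from the Knoppix side as an added shell script; it is not from the original post. It assumes the volume is mounted read-write (as above), that restore points live under System Volume Information\_restore{GUID}\RPnnn\snapshot with higher RP numbers being newer, and that the hive copies in a snapshot carry the _REGISTRY_MACHINE_* / _REGISTRY_USER_.DEFAULT names (assumed; confirm them on the real disk before running). It backs up the five live hives first and refuses to touch anything if a snapshot is missing a hive.

```shell
#!/bin/sh
# Copy registry hives from an XP System Restore snapshot into the live config
# folder of a volume mounted read-write under Linux (e.g. Knoppix).
# Snapshot file names below are assumed; check the RPnnn/snapshot folder.
set -u

# live hive name : name of its copy inside an RPnnn/snapshot folder
HIVE_MAP='system:_REGISTRY_MACHINE_SYSTEM
software:_REGISTRY_MACHINE_SOFTWARE
sam:_REGISTRY_MACHINE_SAM
security:_REGISTRY_MACHINE_SECURITY
default:_REGISTRY_USER_.DEFAULT'

# pick_restore_point <volume root> <skip>
# Prints the snapshot dir of the newest restore point after skipping <skip>
# of them (higher RP number = newer). The newest snapshot can be the corrupt
# one that lsass.exe rejects, so skip=1 gives the "next oldest" as in the post.
pick_restore_point() {
    root=$1; skip=${2:-0}
    rdir=$(find "$root/System Volume Information" -maxdepth 1 -type d \
               -name '_restore*' 2>/dev/null | head -n 1)
    [ -n "$rdir" ] || return 1
    num=$(ls -d "$rdir"/RP* 2>/dev/null | sed 's#.*/RP##' | sort -rn \
          | sed -n "$((skip + 1))p")
    [ -n "$num" ] || return 1
    printf '%s\n' "$rdir/RP$num/snapshot"
}

# restore_hives <config dir> <snapshot dir> <backup dir>
# Verifies every snapshot hive exists, saves the current five hives to
# <backup dir> (so the swap can be undone), then copies the snapshot hives in.
restore_hives() {
    config=$1; snap=$2; backup=$3
    echo "$HIVE_MAP" | while IFS=: read -r hive src; do
        [ -f "$snap/$src" ] || { echo "missing $snap/$src" >&2; exit 1; }
    done || return 1
    mkdir -p "$backup" || return 1
    echo "$HIVE_MAP" | while IFS=: read -r hive src; do
        [ -f "$config/$hive" ] && cp -p "$config/$hive" "$backup/$hive"
        cp -p "$snap/$src" "$config/$hive" || exit 1
    done
}
```

Typical use on the mounted volume: `restore_hives /mnt/windows/WINDOWS/system32/config "$(pick_restore_point /mnt/windows 1)" /mnt/windows/tmp/hives.bak` (the Windows folder name is case-sensitive on the Linux side).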

After I was able to get in, I started a backup of her laptop to our server, just copying her user directory over. I plan to wipe the laptop clean, do a disk check (I think this may be what’s causing some of her laptop’s slowness and this event), and then reinstall Windows and all the updates, etc.