Why can’t I log into my Windows XP SP2 Machine. It logs me in and right back out. Ever see a error box with no error in it?
Written by Karl L. Gechlik | AskTheAdmin.com on September 1, 2007 – 6:29 pm -
I heard the phone ring… It’s the wee hours of the morning. I normally turn off my cell phone but I got home late and it was still in my pants crumbled in the bathroom. I get out of bed walk towards the phone - I grab it and walk towards the balcony. I need to take the call without waking up my pregnant wife.
It was the president of this company I was doing some consulting for. I did a double take - that was his number on the caller id. I had met him once during my initial interview and he just signed the checks after that. He sounded frantic and told me he had a laptop with him in Chicago and he needed to have some software installed so he found a “local techie” to install it for him. They managed to sabotage the laptop so it would only come up to a log in screen. He described what was going on.
You log in get an error box with no writing and a big red X. Your only options are click ok or cancel and either way you get…
Logging Off…
He told me that they want $500 to get it back up and running. They say it needs some kind of part. A hard disk…
I told him to bring it back home - don’t pay them a penny.
He brought it to me 9am and said I need it back by 2pm to catch a 3:30 flight. That would be pushing it for me or you but he has a service that flys him via helicopter from the west side to JFK. Its good to be the king.
I booted it up and as sure as he said it. I log in and it logs me out. I boot to Knoppix and poke around a bit. Nothing out of the ordinary, I search for new files, services and programs - nada.
So I Remembered reading about running the System Restore from a command prompt. Alright lets put some AtA goodness to the test. I tried booting to safe mode - No go.
I Booted to Command prompt only - Bingo Command prompt.
I actually browsed to system32 and then to restore and ran rstrui.exe in that directory. Bam system restore popped up and I rolled her back a few days, It said the system name was changed to some unrecognizable characters. It asked me if I was sure I wanted to undo those changes. I said OKAY! And sure as shit I restarted to their desktop! Success - Then what did I do? 
Yup - I backed up young admin, I backed up. I’m off to give it back working as usual.
_TheTiredAdmiN_
Tags: General
Posted in General |
By El Di Pablo on Sep 1, 2007 | Reply
That system restore from command prompt is the shiznite isn’t it? :-)
By Dan on Sep 1, 2007 | Reply
Niiice work!
I’d still consider it compromised and change the machine admin password and all the users accounts. It all started when he had someone outside your IT group work on it…
By Karl L. Gechlik on Sep 1, 2007 | Reply
Yup that machine will be formatted clean and re-imaged after the holiday. I hate when people bring my machines to “This Guy” or even to the Geek Squad. Its like letting someone grope your woman.
All the passwords were changed and I scanned it inside and out. But you never now these little kids nowadays can be pretty tricky.
By Karl L. Gechlik on Sep 1, 2007 | Reply
oh and Thank You El Di Pablo - it got me out of a jam real quick like!
By Anonymous on Sep 2, 2007 | Reply
LOL, using system restore is NOT like you solved anything on your own. You just used a piece of crap-ware.
Solving things means to find the piece that causes malfunction (a driver, a startup script/app).
By Karl L. Gechlik on Sep 2, 2007 | Reply
Wow Anon you sound like this linux admin we had a few months back that would tell us everything we did was not the best possible method.
Listen up the task required that laptop to be resurected without going into the office to reimage. System restore was the only way to undo the system name change (illegal characters)- which was causing the system not to boot.
The machine can be formated and re-imaged when it gets back from holiday - but remember this was compromised by a 3rd party seeking to de-commission the machine looking for a quick ransom buck.
Using System Restore is a solution - even if its temporary.
Its easy to criticize but you didnt tell us what you would have done instead?
I think everyone would LOVE to hear it.
By Anonymous on Sep 2, 2007 | Reply
System name change? What system? What caused it? And more important how did you come to such conclusion?
By Karl L. Gechlik on Sep 2, 2007 | Reply
Before I let the system restore do its thing - The one thing it was un-doing was the computers name was changed from our default naming convention to a 32 strange characters.
Once this was undone the system booted as normal. No other files were modded or changed. No new services or users added.
Lets hear your two cents… and how about a name to go with it.
“Its easy to criticize but you didnt tell us what you would have done instead?
I think everyone would LOVE to hear it. “
By Anonymous on Sep 2, 2007 | Reply
LOL, you take this too personally…
Anyway, ’sysdm.cpl’ from command line prompt should’ve worked.
As a side note: IMO system restore is the LAST thing I’d try in recovering a system.
Oh, yeah, my name is Arthur, but is just that I hate blogger that much that I choose anonymous most of the times.
By Karl L. Gechlik on Sep 2, 2007 | Reply
That is something I didn’t try -System properties from the command prompt. Thanks for the tip Arthur. But I would not have thought to look for the illegal characters in the system name.
The only reason I discovered it was because I ran System Restore, I aagree it is far from optimal. But in this situation it was a great work around. And I do take what I do seriously - maybe a little too serious sometimes. But that is why we are who we are.
Didn’t mean to come off as snippy though thanks for reading and leaving your real name - Come back and criticize any time :)