Page 1 of 2 12 LastLast
Results 1 to 15 of 23
  1. #1
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts

    Bizarre happenings at startup

    I just had a bunch of bizarre stuff happen and I hope someone can shed some light on what exactly is going on. This happened last night.

    I booted my W-7 Home laptop and got a strange black screen.. It basically said something had happened and it gave me the choice to boot to Windows normally or some kind of boot/repair (Recommended). Anyway, I chose the normal boot. It did, and everything was fine but I had no internet access. The indicator (lower right of screen) said there were no wireless connections available. This was weird because there is usually mine and 4 others (secured from the neighbirs). The symbol had a red mark on it. Meanwhile, my other laptops (all XP machines) connected fine but did not work fine. I would go to an URL and it was not available. It might then work fine for a few minutes and again another site would not be available.


    I then took my W-7 laptop to McDonalds since they had wireless. I booted up and again got that black screen with the choices to boot into Windows normally or use some kind of Repair. I chose the Repair. It also asked if it could use System Restore. I indicated yes. But then it did some stuff and appeared to hang. I chose CANCEL but it said Cannot Cancel. I let it go for 15 minutes and then had to do a cold shutdown (held power button down).


    I then rebooted. It seemed to boot normally and found all the available connections. Norton booted up saying something about a Live Update Problem.


    I went home and this time it booted up fine. I got the Norton Error Message. I told it to fix the Live Update Error. It indicated there might still be a problem, but it was not a problem with my computer. The computer then indicated that updates were available. I believe I had alread installed those updates when they came out on Tuesday. So, maybe it did do a System Restore.


    Anyway, those are the sketchy details. All is working fine, but I am very confused. I’m not sure how to proceed to figure out what was going on. Do I have a computer hardware problem? Unlikely since my other laptops were acting in a strange way also. Might it be a driver or wireless card problem. I just don't know what happened?



    Mel

  2. #2
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Do you have Internet Connection Sharing enabled? If not, then the XP machines misbehaving at the same time should not be linked to the issue on the laptop, If you do have it enabled, then given the report about Norton throwing an error, they may be connected.

    The black screen at boot is a boot options screen. It appears if either the machine was not shutdown cleanly or has suffered a boot failure. The menu options allow you to boot from Safe Mode, last known good configuration or to start Windows normally. There is a secondary screen which is shown if a boot failure occurs - this allows you to chose system repair.

    The system repair normally looks for OS or boot loader corruptions.

    My guess, based on the descriptions given is that Norton had a problem with the Live Update, during which it disabled the wireless adapter (Norton provides the firewall and if Norton stops working the firewall can easily disable the wireless adapter). This fits the symptoms of wireless adapter not working before running the system repair which implemented a system Restore, rolling back a failed Norton live update.

    The missing piece of the jigsaw is why the XP machines should act up at the same time, being able to access some sites and not others etc. That sounds like a DNS issue, which is normally related to the router or ISP. Internet Connection Sharing aside, I can't think of any real reason why the locked out wireless adapter on the win7 machine might be linked to the XP machines. I suppose they could be symptoms of the same issue - are the XP machines also running Norton? Could they have been running the live update at the same time and the unreliable connection have been a symptom of Norton re-configuring itself? Speculative, but difficult to know from afar.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  3. #3
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts
    Tinto:

    Norton is only on my W7 machine. Maybe it was a coincidence; I don't know.

    I did check Events Viewer. It had a critical error, Event ID-41, Kernel-PowerThe system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

    I know the previous time I used it, I was in a hurry and quickly x-ed out my running programs and closed the cover (which shuts it down). I usually just click the shut it down choice. So, maybe something happened with that?

    Mel

  4. #4
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    The boot option screen offering a system repair was in response to the unclean shutdown event. A entry such as that would have been logged when you cold shutdown by holing the power button down, but maybe it occurred earlier too. Perhaps there is something in the event logs immediately before the shutdown?

    If the XP machines are not running Norton and not using ICS, then I can't see a connection between the two issues - even though I don't like coincidences.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  5. #5
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts
    Well, I hope someone can figure this out. It happened again. My wife tried to start the computer and we got the same bad screen. Again, this time, I chose to START WINDOWS NORMALLY, and it started and appears to be working. She had used it last and says she shut it down normally. Nothing appeared to be amiss.

    I ran the Administrative Tools Memtest as outlined in Windows Secrets and it came out fine (standard test). I checked the viewer events and once again got that same kernel error indicating there was a problem with the shutdown and reboot. Here are the details:

    No code has to be inserted here.


    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.


    No code has to be inserted here.


    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

    No code has to be inserted here.

  6. #6
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    The event log extract is recording that the machine did not shutdown cleanly. That's also why the boot options screen is appearing - both are symptoms of the problem rather than the cause. Even if the machine appears to have shutdown cleanly, the event log says otherwise and you have seen that an unknown issue required a hard shutdown in the past.

    What you need to try to find is an event immediately before the unexpected shutdown. This could be in the System log or Applications log. A normal shutdown event is logged correctly. If this is not present in the log, the machine experienced an unexpected shutdown. Even if it did not shutdown correctly according to the logs, there may not be a visible error, but the timings should allow you to see what was running when the machine crashed.

    You mention updates: it is possible, but unlikely, that a recent Windows update caused the issue. If you think it may be related to an update you could run a system restore to a time before the updates went in. This might also resolve a software corruption.

    Another thing to try if you think there has been a corruption is a system file check: Open an adminstrative command prompt and execute a sfc /scannow command. This may be able to repair a problem with the OS that might be causing the issue.

    If system restore or sfc check fails to resolve the issue, then you could look at a select or clean boot and walk your way through until you identify a failing process.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  7. #7
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts
    Tinto:

    Thanks. I'm about to investigate further.
    But a question: if I again get that failed internet situation with the red cross over my icon,

    If it happens again, what can I do to try and get internet connection.



    Should I go into control panel, networking properties and navigate to the
    card/adapter and uninstall and then install it?



    Mel

  8. #8
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts

    Perhaps an AHA moment??

    OK. I did check and each time before the critical error, in fact on the previous computer shutdown, there was the following WARNING. In further checking, this WARNING has only occurred a few times.

    Can someone help decipher this? Is ISASS.EXE the culprit? Or....?





    WARNING – USER PROFILE SERVICE—EVENT ID 1530


    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.


    DETAIL -

    20 user registry handles leaked from \Registry\User\S-1-5-21-2527946468-2287944044-1333985061-1001:

    Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.ex e) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001

    Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.ex e) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Policies\Microsoft\SystemCertificate s

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Policies\Microsoft\SystemCertificate s

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Policies\Microsoft\SystemCertificate s

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Policies\Microsoft\SystemCertificate s

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\Trusted People

    Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.ex e) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\My

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\My

    Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.ex e) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\CA

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\CA

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\SmartCa rdRoot

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\trust

    Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.ex e) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\Disallo wed

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\Disallo wed

    Process 2248 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2527946468-2287944044-1333985061-1001\Software\Microsoft\SystemCertificates\Root


     

    Last edited by compiler; 2012-08-18 at 13:31.

  9. #9
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts
    Update:

    Ran AV then ran SFC/verifyonly. No problems uncovered. Will do Malwarebytes next. Then wait for some wisdom from this group

    Mel

  10. #10
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Event ID 1530 is an OS response to an application that has not fully unloaded from a User Profile. This could indicate a faulting application, or it could be a corruption in the user profile.

    For sure I would run a full AV scan, just to make sure that Norton has not been compromised by malware, but given you have observed other problems, it could be a corruption.

    See what Malwarebytes brings up, but also consider rolling back any changes by using system restore from safe mode (safe mode should prevent any nasties being active). Return to Safe mode to complete the system restore.

    Before you do that though, if you are in a safe internet environment behind a reasonable router firewall (i.e. not at Macdonalds!), temporarily uninstall Norton and see if the issue goes away - it could be a misbehaving Norton app that is locking out the wireless adapter and failing to release from your profile. If removal of Norton does help, you can always install a free AV solution to ensure you are safe until you decide the next steps.

    If all else fails, consider a non-destructive Windows re-installation.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  11. #11
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts

    But...

    When the problem occured this morning, I was able to just choose the start Windows normally (this time). Everything was fine. So, the wireless adapter might not be getting frozen each time.

    If it happens again (wireless adapter problem) is there something I can do to get it back (would uninstall/install via Control Panel be a possibility)?

    I am hesitant to uninstall Norton. I assume there would not be a licensing issue getting it back (I paid for 1 license on one PC, this one). Also, I boot up about 6 times a day. If the problem gets more consistent, then it makes sense to unload Norton and see what happens. Incidentally, I used to hate Norton. It caused problems, big footprints, etc. I've used AVG and Avira. But I heard good things about Norton Internet Security. I got it a year ago and I've been pleased with it, so I would like to keep it. But, if it is causing the current issue, then Bye Bye and back to a free version. I assume I have to uninstall Norton via the Control Panel?
    Mel

  12. #12
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Quote Originally Posted by compiler View Post

    If it happens again (wireless adapter problem) is there something I can do to get it back (would uninstall/install via Control Panel be a possibility)?
    That question can't be answered with the data you have so far. Right now, you still only have symptomatic information, and have not identified root cause.

    The stage of debug that you are at right now does however allow you to built hypothesis about what the issue may be and then design experiments to test those hypotheses. That's where the suggestion to remove Norton comes from. The Norton Firewall may have been compromised during the failed Live Update (that you mentioned earlier) and that may be causing an issue for the wireless adapter - but this is only a theory and needs testing. The more recent Norton products have a decent uninstaller built in and gives you the option for complete removal or to leave settings and account details. Ultimately, it you decided to remove it (for testing purposes) completely, you could still re-install and activate from your online Norton account.

    However, Norton is only one possibility. The profile corruption may be another. To test that, you could build a new account to see if the issue presents itself when working from a new and clean account.

    Also, there may be an OS corruption, though that looks less likely if sfc /scannow returned clean. Nonetheless it still needs to be borne in mind along with other data points.

    The bottom line is that there is little diagnostic data at present, so the net is cast wide in terms of possible root causes. Only by testing each one of those possibilities, or by gathering more diagnostic data can you home in on root cause.

    Sometimes however, we have to admit that getting to root cause becomes almost impossible and the system restore is the first port of call in those cases. If that fails then you still have the non-destructive re-install option available.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  13. #13
    Silver Lounger
    Join Date
    Apr 2010
    Location
    Montréal
    Posts
    1,800
    Thanks
    33
    Thanked 53 Times in 52 Posts
    Hello, Mell. You wrote :

    I assume I have to uninstall Norton via the Control Panel?

    I do remember that this is not really the way, you are left with loads of Norton stuff. One has to go to the Norton siter and find an "Uninstall Norton" link. this is said to be a fine way to clean Norton in toto. Then go to MSE.

    Be good. Jean.

  14. #14
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts
    Thanks folks. Frankly, I am just as suspicious of the latest Windows Updates, since it happened soon after that. I have had Norton for a year with zero problems. I can do a system restore or maybe just uninstall the latest updates. Of course, that is not great either, for security reasons. Frankly, I don't know what to try. I might just wait and see if it hapens again. I guess if it happens every few days (or weeks) but I can just click on rebooting the normal way, I might do that.

    I'm still hoping someone has other ideas.

    Oh, regarding the Warning I posted (ID 1530; User Profile Services), I see that it is fairly common in my Events Viewer. I've had that happen dozens of times in the past year. However, in most cases, it would be 2-5 registry leaks. In the 2 cases just before the critical error, there were 20registry leaks.

    Still wish I had a clue!

    Mel

  15. #15
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts
    I am trying the following. I noticed in the warning with 20 registry keys leaked.
    \WLIDSVC.EXE is responsible for most of them.

    So, I just disabled that service. It is for Windows Live, which I do not use.

    Again, limited knowledge, shooting in the dark

    Mel

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •