I had a problem where trying to remotely log into a Windows XP machine would show the login process and play the login sound, but then instantly log off (and play the logout sound).

A bit of searching found the apparent culprit: the userinit.exe process was incorrectly referenced:

  1. Connect the infected computer to a network which has at least one healthy computer connected. Power on both computers.
  2. From the healthy computer, go to Start > Run, type regedit.exe and press Enter. This will launch the registry editor.
  3. Go to File > Connect Network Registry and enter the infected computer’s name or IP address.
  4. Locate the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  5. Under this key there is a value named userinit. Double-click it and set its value to C:\WINDOWS\System32\userinit.exe,
  6. Exit the registry editor and restart the infected computer.

However, my registry key was already this, and it was still failing after manually setting it.

It turned out the problem was that because I had recently cloned the hard drive, Windows had renamed the new drive from C: to E:. Consequently, while Windows could start (because there was only one boot partition), it couldn’t find the location of the userinit.

I played around in the remote registry until I found out how to rename the new E: to C:

  1. Open the registry remotely (as above)
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
  3. There should be at least two entries, one for C: and one for E:, named \DosDevices\C: and \DosDevices\E:
  4. Swap the names of the two entries, so that the one named \DosDevices\E: becomes \DosDevices\C: and vice versa. Restart the machine and try logging in again.
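
Both checks above can be read remotely without opening regedit. The following PowerShell script is an added example, not part of the original post: it is read-only, it assumes the healthy machine has PowerShell, and the computer name TARGET-PC is a placeholder. It goes slightly beyond the steps above by decoding the binary data of each drive-letter entry, which helps to tell the entries apart before renaming them.

```powershell
# Added example: read-only check of the two registry locations discussed above.
# Requires the Remote Registry service on the target and admin rights there.
param([string]$ComputerName = 'TARGET-PC')   # placeholder name

# Value given in the steps above (the trailing comma is part of the value).
$expected = 'C:\WINDOWS\System32\userinit.exe,'

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
try {
    # 1. Winlogon\Userinit: the program Winlogon starts at logon.
    $winlogon = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $userinit = [string]$winlogon.GetValue('Userinit')
    $winlogon.Close()
    if ($userinit -ieq $expected) {
        "Userinit matches the expected value: $userinit"
    } else {
        "Userinit differs from the expected value: '$userinit'"
    }

    # 2. MountedDevices: which volume each drive letter is assigned to.
    $mounted = $hklm.OpenSubKey('SYSTEM\MountedDevices')
    $names = $mounted.GetValueNames() |
        Where-Object { $_ -like '\DosDevices\*' } | Sort-Object
    foreach ($name in $names) {
        $data = [byte[]]$mounted.GetValue($name)
        if ($data.Length -eq 12) {
            # Basic MBR disks: 4-byte disk signature + 8-byte partition offset.
            $sig = [BitConverter]::ToUInt32($data, 0)
            $off = [BitConverter]::ToUInt64($data, 4)
            '{0}  disk signature 0x{1:X8}  partition offset {2}' -f $name, $sig, $off
        } else {
            '{0}  {1} bytes of data (not a basic MBR partition entry)' -f $name, $data.Length
        }
    }
    $mounted.Close()
} finally {
    $hklm.Close()
}
```

If Userinit already points at C: but the partition that holds Windows is listed under another letter, the value itself is fine and the drive-letter mapping is what needs fixing.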