WINNT\system32\config\System damage

Hi all!
My question is too abstract, but maybe somebody has an idea, what can cause the damage of the WINNT\system32\config\System file.
I am writing drivers for virtual disks on W2K, working only with the SCSI disks, there is no access to the system/boot disk from my drivers. One of the drivers is a disk filter driver, but it attaches itself only to the SCSI disks. It is not attached to the PC hard disk. Sometimes after reboot the W2K cannot be started, the message says that the WINNT\system32\config\System is missing or corrupted and one should use the Windows Setup CD in order to repair it.
Any help will be appreciated.

Regards,
Dany

Caching inside the driver is one possibility. It can also happen when the
driver ignores (or doesn’t pass the command down to the lower layer) the
flush cache commands (important ones are at shutdown time). These are the
possible cases assuming the filter driver doesn’t have any problems in
directing all the IOs to proper disks.

-----Original Message-----
From: Dany Polovets [mailto:xxxxx@store-age.com]
Sent: Monday, November 25, 2002 9:27 AM
To: NT Developers Interest List
Subject: [ntdev] WINNT\system32\config\System damage


I would suggest you check to make sure you don’t have a disk defragger
running and with a boot partition greater than 8 GB. There is a problem
with the initial boot code where this file can be moved somehow past the 8
GB barrier and can not be accessed early in the boot process as is required.
I have successfully recovered NT systems by booting the command console and
just copying that file. It winds up in a location within the first 8 GB and
the system boots just fine.

Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Kolli, Neela Syam
Sent: Monday, November 25, 2002 8:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE: WINNT\system32\config\System damage


Do you write to the registry within your driver? I’m just recovering my W2K
from this because I corrupted the system-hive by means of regedit. The
“WINNT\system32\config\System” is indeed the system-hive of the registry.

Christiaan


No, I am not writing to the registry

-----Original Message-----
From: Christiaan Ghijselinck [mailto:xxxxx@CompaqNet.be]
Sent: Monday, November 25, 2002 5:23 PM
To: NT Developers Interest List
Subject: [ntdev] Re: WINNT\system32\config\System damage


The classic cause of this problem is that the file has grown too large to be
loaded at boot time (it would seem that as the registry is modified, it
grows and grows and little or no garbage collection is done). See KB article
Q269075.

A good cause of this can be lots of plug and play changes (devices coming
and going, new instances being created, INF files with lots of device
parameters, etc).

/simgr

-----Original Message-----
From: Dany Polovets [mailto:xxxxx@store-age.com]
Sent: Monday, November 25, 2002 10:28 AM
To: NT Developers Interest List
Subject: [ntdev] Re: WINNT\system32\config\System damage


First, since you are developing a virtual disk driver, it is possible
(likely) that it is a caching problem or something like that which you’re
causing yourself, as another person mentioned.

However, I fought a problem like this for a long time before discovering one
key fact: the registry is paged in and out of memory and is stored in
memory obtained from ExAllocatePool. Further, it is written to disk without
any sanity checking (no surprise). Thus, any run-time corruption will not
be caught until the next time you boot.

I discovered a bug in one of our drivers whereby it had allocated memory via
ExAllocatePool for an array of N elements, but had written to the N+1
element. And what was at the next location in the pool memory? A registry
page. Thus, our naughty driver was occasionally causing registry
corruption.

It was very subtle, and took me months to track down! Yuck!

To track this down, I got a confidential tool from Microsoft and also wrote
some of my own that check the integrity of the registry hives and point out
what the damage is. Knowing the damage, and its offset into a page, will
help determine if it’s a problem like that.

However, the best tool for tracking this down is Driver Verifier (Windows
2000+) and/or the Special Pool (Windows NT+). Using that can find the
problem, if it’s reproducible, right away. I now run Special Pool all of
the time on my development / testing machines.

If this isn’t enough to solve it for you, go ahead and email me your
\winnt\system32\config\system* files (ZIP them first), and I’ll take a quick
peek and offer some more specific advice.

Good luck!

Taed Wynnell
Vertical Networks

> I discovered a bug in one of our drivers whereby it had allocated memory via
> ExAllocatePool for an array of N elements, but had written to the N+1
> element. And what was at the next location in the pool memory? A registry

The more dangerous bug is freeing some structure by accident (due to
reference miscounting, for instance) and then updating the freed
memory. You can easily damage the registry by such.

Max

Are you talking about allocation from the PagedPool only?
As I read in the “Inside Windows 2000” book, the registry hives in memory are allocated from the
PagedPool.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Wednesday, November 27, 2002 2:45 AM
To: NT Developers Interest List
Subject: [ntdev] RE: WINNT\system32\config\System damage


Note that these sorts of issues are often caught by the driver verifier
if you’re running on win2k or winxp.

-p
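
The N+1 overrun and the write to freed memory described in this thread are the two cases a Special Pool style allocator is built to trap at the faulting instruction. The following is an added example, not code from any poster or from Microsoft: a user-mode POSIX analogue in C, in which `guarded_alloc`, `guarded_free`, `write_faults` and `probe` are hypothetical names and 8-byte elements are assumed so the array ends exactly on the guard page.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Round size up to whole pages. */
static size_t span(size_t size, size_t page) { return (size + page - 1) / page * page; }

/* Place the buffer so its last byte abuts a no-access guard page. */
static uint64_t *guarded_alloc(size_t size, size_t page)
{
    size_t data = span(size, page);
    uint8_t *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || mprotect(base + data, page, PROT_NONE) != 0)
        return NULL;
    return (uint64_t *)(base + data - size);
}

/* "Free" by revoking access instead of recycling, so stale writes fault. */
static int guarded_free(uint64_t *p, size_t size, size_t page)
{
    size_t data = span(size, page);
    return mprotect((uint8_t *)p + size - data, data, PROT_NONE);
}

/* Returns 1 if storing to *slot raised SIGSEGV/SIGBUS, 0 if it succeeded. */
static int write_faults(volatile uint64_t *slot)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 1;
    sa.sa_handler = on_fault;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jmp, 1) == 0) {
        *slot = 0xBADC0DE;          /* the store under test */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Allocate an n-element array, optionally free it, then write element idx.
 * Returns 1 if the write was trapped, 0 if it went through, -1 on setup error.
 * Mappings are deliberately never reused, which is what keeps stale writes visible. */
int probe(size_t n, size_t idx, int free_first)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), size = n * sizeof(uint64_t);
    uint64_t *a = guarded_alloc(size, page);
    if (a == NULL) return -1;
    if (free_first && guarded_free(a, size, page) != 0) return -1;
    return write_faults(&a[idx]);
}

int main(void)
{
    printf("in-bounds a[N-1] trapped: %d\n", probe(16, 15, 0));
    printf("overrun   a[N]   trapped: %d\n", probe(16, 16, 0));
    printf("write after free trapped: %d\n", probe(16, 0, 1));
    return 0;
}
```

With an ordinary allocator both bad writes land silently in whatever neighbours or later reuses the block, which is how the damage in the thread went unnoticed until the next boot.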


[I tried a number of times to send a private reply to “xxxxx@store-age.com”, but it bounced every time. If they can provide me with an address that will not bounce, I can send them the repaired registry hive, which might be useful for doing diffs to see what “fixes” it.]

Well, I couldn’t figure out what exactly the damage was, but the one tool I
have had many cases of this to say:

MaxValueDataLen mismatch in Key Node cell (0x116258) … fixed
MaxNameLen mismatch in Key Node cell (0x11b508) … fixed
MaxValueDataLen mismatch in Key Node cell (0x11b508) … fixed
MaxNameLen mismatch in Key Node cell (0x11b5c8) … fixed

So, that at least points you at some structure members in your registry
code.

I’m sending you the repaired version of the first registry; maybe the
differences may help you as well.

Good luck!

Hello,
Our administrator says there was no email from you.
Anyway I think that the problem is in the size of the registry file and I can reproduce it. Maybe it caused the file damage too.

Thank you for your help.

Best regards,
Dany

-----Original Message-----
From: Taed Wynnell [mailto:xxxxx@vertical.com]
Sent: Sunday, December 01, 2002 3:11 AM
To: NT Developers Interest List
Subject: [ntdev] RE: WINNT\system32\config\System damage


Hello Taed,

Is the tool you mentioned having used, available for the “large public”? If
so, could you provide us with a link?
Thanks in advance.

Christiaan

----- Original Message -----
From: “Dany Polovets”
To: “NT Developers Interest List”
Sent: Sunday, December 01, 2002 5:10 PM
Subject: [ntdev] RE: WINNT\system32\config\System damage


No, the tool I have was given to me by Microsoft under NDA, so I can’t
distribute it or point you to it. I’ve also written my own based on what I
know of the Registry structures, but it didn’t find any problems for the
files in question.

-----Original Message-----
From: Christiaan Ghijselinck [mailto:xxxxx@CompaqNet.be]
Sent: Sunday 01 December 2002 10:11 AM
To: NT Developers Interest List
Cc: xxxxx@vertical.com
Subject: Re: [ntdev] RE: WINNT\system32\config\System damage
