bad system config info

secondcat (Member, joined Jan 15, 2025; 8 posts)
my pc is reboot looping with this error. No log files are generated and I suspect something is wrong with the registry hive, in particular the security and sam hive.
I've attached a copy of my registry located in system32\config.
 

Hello and welcome to the forum!

Can you give us more details of what happened (and what you did) in the lead-up to this reboot loop? I know of no way to usefully access those registry files of yours, but I'm intrigued to know why you think it's a registry issue? There seems to be more background to this than you're revealing. It doesn't matter if you think you did something dumb, we've all done that, some of us more than once(!), but to help you we need to know the full details of what led up to this.
 
it's somewhat complicated but I'll try my best to explain the situation.

I own a laptop that is 10 years old and I wanted to retrieve some files. However, the laptop is faulty (the fan is faulty) but still functional. To avoid issues, I connected the HDD to my other computer using a USB-to-SATA adapter. I could access the files, but for fun I tried to directly boot Windows 10 via the adapter and, as expected, it failed. Subsequently, I connected the HDD directly to the motherboard, and it booted successfully. Windows started installing drivers and other necessary software onto the hard drive. After that, I kind of started messing around and connected the HDD to different computers I own, sometimes using and sometimes not using the adapter. Unfortunately, after some time of messing around, Windows 10 displayed the 'bad system config info' BSOD. I tried booting on various computers with the same error. Even when I connected it to the original laptop it displayed the same error.

I did some research and tried various commands, such as chkdsk, dism etc. I watched a video that told me to run a command to check whether the registry is corrupted and I could see the system displays some sort of error for the security hive.

I then backed up and replaced the potentially faulty config files with the config files from another Windows 10 instance I own, and the hard disk booted without the error. However, by changing these files, my user account from the healthy instance has been copied and the original one has disappeared. I could see the user folder in the Users folder, but I assume Windows no longer recognizes it as a user profile but rather as a folder with data.
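
An added example, not part of the thread and not the command the poster ran: an offline check of a hive file's `regf` base block (signature, sequence numbers, header checksum, first hive bin), which is what separates a dirty or damaged hive from an intact one. The function names and the sample image are constructed for this illustration; a hive copied from another system can pass all of these checks and still be unusable.

```python
import struct

BASE = 4096  # size of the regf base block; hive bins start right after it

def regf_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords (508 bytes) of the base block."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    # Two results are reserved by the format and get remapped.
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(x, x)

def check_hive(data: bytes) -> list:
    """Return integrity findings; an empty list means the header is consistent."""
    if len(data) < BASE or data[:4] != b"regf":
        return ["not a regf hive (bad signature or truncated base block)"]
    findings = []
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    root_cell, bins_size = struct.unpack_from("<II", data, 0x24)
    (stored,) = struct.unpack_from("<I", data, 0x1FC)
    if stored != regf_checksum(data):
        findings.append("base block checksum mismatch")
    if seq1 != seq2:
        findings.append("dirty hive: sequence numbers differ, log recovery needed")
    if bins_size == 0 or bins_size % 4096 or BASE + bins_size > len(data):
        findings.append("hive bins size inconsistent with file length")
    elif root_cell >= bins_size:
        findings.append("root cell offset points outside the hive bins")
    if data[BASE:BASE + 4] != b"hbin":
        findings.append("first hive bin signature missing")
    return findings

def make_sample_hive(seq1=7, seq2=7) -> bytes:
    """Constructed minimal hive image for the demo (not a real SECURITY or SAM hive)."""
    block = bytearray(BASE)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 0x04, seq1, seq2)
    struct.pack_into("<II", block, 0x14, 1, 5)        # format version 1.5
    struct.pack_into("<II", block, 0x24, 0x20, 4096)  # root cell offset, bins size
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    hbin = bytearray(4096)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)         # bin offset, bin size
    return bytes(block + hbin)

if __name__ == "__main__":
    for name, img in [("clean", make_sample_hive()),
                      ("dirty", make_sample_hive(seq1=8, seq2=7)),
                      ("truncated", make_sample_hive()[:6000])]:
        print(name, check_hive(img) or "header consistent")
```

Run it against a copy of the hive taken from the offline disk, never against the live file.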
 
Subsequently, I connected the HDD directly to the motherboard, and it booted successfully. Windows started installing drivers and other necessary software onto the hard drive. After that, I kind of started messing around and connected the HDD to different computers I own, sometimes using and sometimes not using the adapter. Unfortunately, after some time of messing around, Windows 10 displayed the 'bad system config info' BSOD. I tried booting on various computers with the same error. Even when I connected it to the original laptop it displayed the same error.
Therein lies your problem. You cannot take the HDD from one system and boot it on a different system. When Windows is installed it configures itself for the hardware platform it's being installed onto, it also (as you've seen) installs all the necessary drivers for that platform (inc. chipset drivers, which will vary from platform to platform) and any necessary updates, some of which are platform specific. I rather suspect that you have done way more than corrupt the registry, you will likely have several different chipset drivers installed, updates for different platforms, and drivers for devices that only exist on one platform and not the others. In short you have royally screwed-up your Windows installation on that HDD by booting it on many different platforms.

Others on here may be able to offer advice on making that system bootable but in all honesty, and although it's not forum policy to suggest this so early on, I would back up all the user data on that drive and clean install Windows from bootable media, deleting all partitions on the drive during the install. I fear now that anything less is unlikely to give you a truly stable system.
 
hi, now when I used the copied hive from my other system, the computer automatically boots in the repair options screen and would not boot. After replacing with the original corrupted/fixed security file, even cmd would not boot from the recovery options.
 
I agree with @ubuysa that booting from an HDD on different systems and using hive files from other systems is never a good idea, so there are more issues than just a corrupt hive file. So I would also suggest backing up all your personal data and reinstalling the system from scratch!
 
Well, this is devastating, but I suppose there are no options left. However, is there an option to let me migrate my data and apps from my user folder to another Windows instance? I don't want my data in apps to be lost.
 
Update: after some tinkering, I finally managed to make the PC boot, with the fixed security hive, without going directly to the automatic repair screen. However, I get a BSOD with the error critical process died, and in the repair screen I cannot use cmd and startup repair as it says I lack admin privileges to do so.
 
CRITICAL_PROCESS_DIED is almost always a hardware issue and RAM is generally the commonest cause.

There is no way to migrate installed apps, they will have to be reinstalled, but if you can take an image of that drive you'll be able to access individual files and folders from the image - at least you can with Macrium Reflect, not sure about Acronis. App data that's not in specific app folders is most likely in C:\Users\your_name\AppData\ so taking a specific backup of that as well as all data folders will likely be good enough.
 
Such a system bug check occurs when a critical system process or system service terminates unexpectedly, and it seems to be 'services.exe' in this case which is triggering the 0xEF bugcheck, if I am correct!

Code:
PROCESS ffffc30f4c307080
    SessionId: 0  Cid: 0300    Peb: 7154c51000  ParentCid: 028c
    DirBase: 20e6ac002  ObjectTable: ffff9c000386a6c0  HandleCount:  86.
    Image: services.exe
    VadRoot ffffc30f4c2b4c70 Vads 41 Clone 0 Private 327. Modified 3. Locked 0.
    DeviceMap ffff9c0002e7c480
    Token                             ffff9c00073d0970
    ElapsedTime                       00:00:03.057
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         32416
    QuotaPoolUsage[NonPagedPool]      5904
    Working Set Sizes (now,min,max)  (1210, 50, 345) (4840KB, 200KB, 1380KB)
    PeakWorkingSetSize                1167
    VirtualSize                       2101300 Mb
    PeakVirtualSize                   2101300 Mb
    PageFaultCount                    1220
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      386

        THREAD ffffc30f4c32c080  Cid 0300.0304  Teb: 0000007154c52000 Win32Thread: 0000000000000000 RUNNING on processor 2
        THREAD ffffc30f4c32b080  Cid 0300.0308  Teb: 0000007154c54000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffc30f4c2c9f00  QueueObject

        THREAD ffffc30f4c32a080  Cid 0300.030c  Teb: 0000007154c56000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffc30f4c2c9f00  QueueObject

        THREAD ffffc30f4c329080  Cid 0300.0310  Teb: 0000007154c58000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffc30f4c2c9f00  QueueObject

        THREAD ffffc30f4c311080  Cid 0300.031c  Teb: 0000007154c5a000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffc30f4c345540  QueueObject
 
Here is the memory.dmp link:
MEMORY.DMP


I've booted different hard drives to the same computer so I am confident that it is not a hardware issue.
Please don't do that, as explained it's not wise. Windows is not identical on every drive, each Windows system is platform specific.

@Maxstar is of course right that the critical process that ended was services.exe. If we look at the call stack of the thread that failed (this is a push-down stack of return addresses from the various functions called in the lead-up to the bugcheck, and which you read from the bottom up)...
Code:
2: kd> k
 # Child-SP          RetAddr               Call Site
00 ffffed8d`139af938 fffff800`4790dee2     nt!KeBugCheckEx
01 ffffed8d`139af940 fffff800`4781ee69     nt!PspCatchCriticalBreak+0x10e
02 ffffed8d`139af9e0 fffff800`476c7390     nt!PspTerminateAllThreads+0x156edd
03 ffffed8d`139afa50 fffff800`476c718c     nt!PspTerminateProcess+0xe0
04 ffffed8d`139afa90 fffff800`474119c8     nt!NtTerminateProcess+0x9c
05 ffffed8d`139afb00 00007ffb`27c6d564     nt!KiSystemServiceCopyEnd+0x28
06 00000071`54b1f998 00007ffb`256b49a0     ntdll!NtTerminateProcess+0x14
07 00000071`54b1f9a0 00007ff6`61e1bd9c     KERNELBASE!TerminateProcess+0x30
08 00000071`54b1f9d0 00007ff6`61e18619     services!SvcctrlMain+0x360
09 00000071`54b1fb80 00007ff6`61e2411c     services!wmain+0x5d
0a 00000071`54b1fbb0 00007ffb`26a67344     services!_wmainCRTStartup+0x74
0b 00000071`54b1fbe0 00007ffb`27c226b1     KERNEL32!BaseThreadInitThunk+0x14
0c 00000071`54b1fc10 00000000`00000000     ntdll!RtlUserThreadStart+0x21
You can see here the thread starting and immediately the services function is called, specifically services!_wmainCRTStartup and then services!wmain+0x5d and services!SvcctrlMain+0x360, before we get the call to KERNELBASE!TerminateProcess to kill the services process - which eventually resulted in the BSOD. The failure then occurred in the services function. I'm not going to pretend that I know what that does, but disassembling some of that code and trying to trace backwards it appears to be parsing strings, so it may well be that the services!SvcctrlMain function is trying to start system services (SVCs), or at least parsing the registry to discover what services need to be started. My bet is that it's failing because of inconsistencies or corruptions in the registry.

I'm not able to delve any deeper than that, but @x BlueRobot or @axe0 may be able to give you more details. I'm still of the opinion that you've shot yourself in the foot by booting this drive on multiple different platforms. Windows just isn't designed to do that.
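
An added example, not part of the post above: the bottom-up reading of that call stack done mechanically, locating the user-mode frame that called TerminateProcess and the point where the thread crossed into the kernel. The frames are the ones quoted in the post; the helper names and the x64 kernel address threshold are assumptions made for this illustration.

```python
# Call stack from the post above, embedded as sample input (frames 00-0c of `k`).
K_OUTPUT = """\
00 ffffed8d`139af938 fffff800`4790dee2     nt!KeBugCheckEx
01 ffffed8d`139af940 fffff800`4781ee69     nt!PspCatchCriticalBreak+0x10e
02 ffffed8d`139af9e0 fffff800`476c7390     nt!PspTerminateAllThreads+0x156edd
03 ffffed8d`139afa50 fffff800`476c718c     nt!PspTerminateProcess+0xe0
04 ffffed8d`139afa90 fffff800`474119c8     nt!NtTerminateProcess+0x9c
05 ffffed8d`139afb00 00007ffb`27c6d564     nt!KiSystemServiceCopyEnd+0x28
06 00000071`54b1f998 00007ffb`256b49a0     ntdll!NtTerminateProcess+0x14
07 00000071`54b1f9a0 00007ff6`61e1bd9c     KERNELBASE!TerminateProcess+0x30
08 00000071`54b1f9d0 00007ff6`61e18619     services!SvcctrlMain+0x360
09 00000071`54b1fb80 00007ff6`61e2411c     services!wmain+0x5d
0a 00000071`54b1fbb0 00007ffb`26a67344     services!_wmainCRTStartup+0x74
0b 00000071`54b1fbe0 00007ffb`27c226b1     KERNEL32!BaseThreadInitThunk+0x14
0c 00000071`54b1fc10 00000000`00000000     ntdll!RtlUserThreadStart+0x21
"""

KERNEL_BASE = 0xFFFF800000000000  # assumption: x64, stack pointers at/above this are kernel-mode

def parse_frames(text):
    """Turn `k` output lines into dicts, keeping the debugger's top-down order."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "!" not in parts[3]:
            continue  # header line or anything that is not a frame
        module, _, rest = parts[3].partition("!")
        frames.append({"index": int(parts[0], 16), "module": module, "symbol": rest.split("+")[0],
                       "kernel": int(parts[1].replace("`", ""), 16) >= KERNEL_BASE})
    return frames

def first_pair(frames, test):
    """Walk oldest frame first; return the first (caller, callee) pair satisfying test."""
    oldest_first = frames[::-1]
    return next(((a, b) for a, b in zip(oldest_first, oldest_first[1:]) if test(a, b)), None)

def termination_origin(frames):
    # The user-mode frame that called TerminateProcess, plus the callee frame.
    return first_pair(frames, lambda a, b: not a["kernel"] and b["symbol"] == "TerminateProcess")

def mode_switch(frames):
    # Last user-mode frame and first kernel-mode frame around the system call.
    return first_pair(frames, lambda a, b: not a["kernel"] and b["kernel"])

if __name__ == "__main__":
    frames = parse_frames(K_OUTPUT)
    print("terminated by:", termination_origin(frames)[0])
    print("user/kernel switch:", mode_switch(frames))
```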
 
Firstly, I’d like to thank both of you for assisting me. Even though Windows might not be repaired in the end, just know your efforts are highly appreciated.

I don’t know if this is related, but sometimes I could not use startup repair and cmd as Windows said I lack admin privileges to do so. I am certain that it is related to the hives, as with some sets of them I could access cmd and startup repair. However as I’ve replaced it so many times now, I’ve kind of lost track. According to my memory, the set of hives that got me bad system config info allows me to use startup repair and cmd.

I know that even if Windows does boot it will be extremely unstable, but I’d still like to boot into it to recover files and data that I could not access without booting into it.

Feel free to ask me for any files you need for analysis.
 
I am certain that it is related to the hives, as with some sets of them I could access cmd and startup repair. However as I’ve replaced it so many times now, I’ve kind of lost track.
Replacing essential hive files is only possible when you have recent backups of the same system; using hive files from other systems always causes more (irreparable) issues! The SECURITY and SAM (Security Account Manager) hives are critical hives because both of them contain essential data like local security policies, logon data, passwords and other user account information. So you cannot replace them with copies from other systems, and this has to do with the 'admin privileges' issue you are experiencing!

Instead of booting an HDD in another system it is always safer to create a VHDX image with Sysinternals Disk2vhd to load in a Hyper-V environment for testing purposes etc!

(...) but I’d still like to boot into it to recover files and data that I could not access without booting into it.

What you can try is to use a PE environment like Hiren's BootCD to recover all the files.
 
I'm not able to delve any deeper than that, but @x BlueRobot or @axe0 may be able to give you more details. I'm still of the opinion that you've shot yourself in the foot by booting this drive on multiple different platforms. Windows just isn't designed to do that.
Makes sense you can't dive deep into it, a 0xEF is a crash from user-mode so a kernel dump is not sufficient.

Connecting the drive to different computers like that is a sure way to mess it up as a bootable drive for Windows, unfortunately I'm not very familiar with diving into the user-mode stuff to figure out exactly what went wrong, also questionable to what extent that's possible with this dump. Giving it an attempt below.

From what I can tell of this, the code executed prior to process termination was doing some checks, I don't know what checks but depending on whether they passed/failed it would've either delayed terminating the process or performed security checks whilst booting. Based on the callstack, the security check never got to pass so instead. Roughly drafted, these functions seem part of error handling
Code:
2: kd> ub services!SvcctrlMain+0x360
services!SvcctrlMain+0x340:
00007ff6`61e1bd7c 7411            je      services!SvcctrlMain+0x353 (00007ff6`61e1bd8f)
00007ff6`61e1bd7e 488b4910        mov     rcx,qword ptr [rcx+10h]
00007ff6`61e1bd82 ba32000000      mov     edx,32h
00007ff6`61e1bd87 4d8bc4          mov     r8,r12
00007ff6`61e1bd8a e8d1b90200      call    services!WPP_SF_ (00007ff6`61e47760)
00007ff6`61e1bd8f 33d2            xor     edx,edx
00007ff6`61e1bd91 4883c9ff        or      rcx,0FFFFFFFFFFFFFFFFh
00007ff6`61e1bd95 48ff15ac8e0500  call    qword ptr [services!_imp_TerminateProcess (00007ff6`61e74c48)]

services!SvcctrlMain+0x353:
00007ff6`61e1bd8f 33d2            xor     edx,edx
00007ff6`61e1bd91 4883c9ff        or      rcx,0FFFFFFFFFFFFFFFFh
00007ff6`61e1bd95 48ff15ac8e0500  call    qword ptr [services!_imp_TerminateProcess (00007ff6`61e74c48)]
00007ff6`61e1bd9c 0f1f440000      nop     dword ptr [rax+rax]
00007ff6`61e1bda1 488b4d70        mov     rcx,qword ptr [rbp+70h]
00007ff6`61e1bda5 4833cc          xor     rcx,rsp
00007ff6`61e1bda8 e8b3830000      call    services!_security_check_cookie (00007ff6`61e24160)
00007ff6`61e1bdad 4c8d9c2480010000 lea     r11,[rsp+180h]
00007ff6`61e1bdb5 498b5b30        mov     rbx,qword ptr [r11+30h]
00007ff6`61e1bdb9 498b7338        mov     rsi,qword ptr [r11+38h]
00007ff6`61e1bdbd 498b7b40        mov     rdi,qword ptr [r11+40h]
00007ff6`61e1bdc1 498be3          mov     rsp,r11
00007ff6`61e1bdc4 415f            pop     r15
00007ff6`61e1bdc6 415e            pop     r14
00007ff6`61e1bdc8 415d            pop     r13
00007ff6`61e1bdca 415c            pop     r12
00007ff6`61e1bdcc 5d              pop     rbp
00007ff6`61e1bdcd c3              ret

Before the error handling, the wmain function is for initializing a critical section to avoid race conditions in the resources of the services module. Once done it performs a check on the eax and because that check did not pass here, we enter the function services!SvcctrlMain for error handling. I can't say what's in the eax register to be tested because that's where the limit for the user-mode stuff seems to hit, I presume it's some check with the critical section that failed.
Code:
2: kd> ub services!wmain+0x5d
services!wmain+0x35:
00007ff6`61e185f1 0f1f440000      nop     dword ptr [rax+rax]
00007ff6`61e185f6 8325f379070000  and     dword ptr [services!g_ServiceStartFuzzingMaxDelay+0x4 (00007ff6`61e8fff0)],0
00007ff6`61e185fd 488d0d8c800700  lea     rcx,[services!ScManagerSdLock+0x10 (00007ff6`61e90690)]
00007ff6`61e18604 48ff154dcc0500  call    qword ptr [services!_imp_RtlInitializeCriticalSection (00007ff6`61e75258)]
00007ff6`61e1860b 0f1f440000      nop     dword ptr [rax+rax]
00007ff6`61e18610 85c0            test    eax,eax
00007ff6`61e18612 7805            js      services!wmain+0x5d (00007ff6`61e18619)
00007ff6`61e18614 e823340000      call    services!SvcctrlMain (00007ff6`61e1ba3c)
 
