Immediate Logout after Login into Windows XP


That nasty worm has changed the Userinit value in the Registry...

"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Value: Userinit
Data: %system32%\wsaupdater.exe
"


%system32% represents the path to the System32 folder. For example, if the path is C:\Windows\System32, then the data would be: "C:\Windows\System32\wsaupdater.exe"

Instead of "wsaupdater.exe", the data should contain "userinit.exe,".
Using the example above, the data would be "C:\Windows\System32\userinit.exe,"
(Note the comma following the file path.)

Using the Windows XP Recovery Console, copy userinit.exe to wsaupdater.exe so that you can log on again, then correct the registry data manually.

In the following instructions, C:\Windows\System32 is used as the System32 location. Change the path to match your installation directory.

Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
When you are prompted to do so, type the Administrator password.

If the administrator password is blank (which is likely the case if Windows XP was preinstalled by your computer manufacturer), just press ENTER.

You should now be in the Windows installation folder ("C:\Windows").
At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

"
cd system32
copy userinit.exe wsaupdater.exe
exit
"


At this time, remove the startup floppy or CD-ROM from your system, and boot into Windows XP. Log on to the system using an account with administrator-level privileges, and edit the registry using this information. It is recommended that a registry backup be created prior to continuing.

Click Start, then Run. Enter

regedit

and click OK. Using RegEdit, expand

HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows NT
+CurrentVersion
+Winlogon

Locate Userinit in the value column, right-click this item, and choose Modify. Replace
"wsaupdater.exe" with "userinit.exe," (do not use quotes, and ensure the trailing comma is present as shown) and click OK.
Exit RegEdit.

Restart your computer, and log on to the system using an account with administrator-level privileges.

Go to My Computer, then to the System32 folder (usually C:, then Windows, then System32). If Explorer warns that removing files from these areas is not recommended, click to continue. Locate wsaupdater.exe and delete this file.
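
To confirm the repair, or to check the Userinit data on other machines, the value can be audited with a short script. This is an added example, not part of the original post; it assumes Python is available, the function names are illustrative, and the sample values are constructed from the data shown above.

```python
import ntpath
import re

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def read_userinit():
    """Read the live Userinit data from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


def audit_userinit(data, system32=r"C:\Windows\System32"):
    """Split Userinit data on commas and flag every entry that is not
    userinit.exe in the System32 folder.
    Returns (has_userinit, unexpected_entries)."""
    expected = ntpath.normcase(ntpath.join(system32, "userinit.exe"))
    has_userinit, unexpected = False, []
    for raw in data.split(","):
        entry = raw.strip().strip('"')
        if not entry:  # the normal trailing comma leaves an empty item
            continue
        # Expand the %system32% shorthand used in this post to the real folder.
        path = re.sub("%system32%", lambda m: system32, entry, flags=re.I)
        if ntpath.normcase(ntpath.normpath(path)) == expected:
            has_userinit = True
        else:  # strict: bare file names and other folders are flagged too
            unexpected.append(entry)
    return has_userinit, unexpected


# Constructed sample values modelled on the data shown in this post.
SAMPLES = [
    r"C:\Windows\System32\userinit.exe,",           # repaired value
    r"%system32%\wsaupdater.exe",                   # value left by the worm
    r"C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe",
]

if __name__ == "__main__":
    for data in SAMPLES:  # on Windows, use [read_userinit()] instead
        ok, extra = audit_userinit(data)
        verdict = "OK" if ok and not extra else "CHECK"
        print(f"{verdict:5} {data!r} unexpected={extra}")
```

A result of `(False, [...])` means userinit.exe is not referenced at all; any non-empty second element lists entries to review before deleting wsaupdater.exe.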
