Lsass.exe


rikkkki

Back again!  HaHa

My stupid.  It's a logon process of sorts. It's called by a process thread and then shuts down after it is done, so you won't find it as a continuously running process.  The file should be there somewhere and if it isn't, maybe the calling thread is causing the lsass object not found error?  Just a thought!  Good luck in your quest for the file! :)

Link to comment
Share on other sites

If you remember, a bit ago we set your machine to be a bit verbose on boot so we could possibly get better information from your logs.  Let me see if I can find the post.....

Here it is: 

If you selected bootlogging after hitting F8, then there should be a new log entry in the bootlog.txt for that boot.

Try this to increase the amount of info put into your event logs and possibly the bootlog.txt file:

Obtained from: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Eventlog/W2KXP.NETenableverboseeventmessages.html

Use registry editor and change/add this DWORD value:

go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

See if this DWORD already exists and if not, add it by right mouse clicking on the system(folder shaped in left window) then select New DWORD then name it VerboseStatus    Next, double click on the new verbosestatus entry and set it to 1

If it already existed, change the value to 1

Now, go ahead and check for this under the same key (system):

An additional value called "DisableStatusMessages" forces status messages to be disabled, make sure this value does not exist or is set to "0". (DisableStatusMessages REG_DWORD 0x00000000 (0))

More instructions:

http://www.techspot.com/vb/topic12413.html

If you are uncomfortable with registry editing, use the alternate way in the first link to turn on verbose logging.  Always remember, backup the registry prior to editing it!  Smile

Edit:  For various reasons........  Smile

************************

Just do the reverse of the above instructions and it should clear that up.  You may want to wait until we get the error cleared up though.....  No advapi.dll file?  Maybe we found the object that can't be found, eh?  Now the question is, what do we do about it?  One of two things, I figure.  Figure out which program is calling the advapi.dll file or find a copy of the legit. advapi and put it in the windows\system32 directory and see what happens.  Have you heard from MS  yet?  I'm swamped here tonite with take home work so will not be available much.  Maybe set this aside till tomorrow?  Might give ms a chance to respond, if you can let them know about the missing file as well.  They have to have some type of answer or they are, as everyone suspects, useless.  Sorry, been a killer day..........

Link to comment
Share on other sites
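The registry steps from the post above, as an added PowerShell example (not part of the original thread). It audits the two values under the policies\system key and only changes them after exporting a backup; the function names and the backup file location are assumptions made for this example.

```powershell
# Added example: audit and enable verbose status messages (VerboseStatus / DisableStatusMessages).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-VerboseStatusState {
    # A missing value comes back as $null instead of raising an error.
    $props   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $verbose = $props.VerboseStatus
    $disable = $props.DisableStatusMessages
    [pscustomobject]@{
        VerboseStatus         = $verbose
        DisableStatusMessages = $disable
        # Verbose messages appear only when VerboseStatus is 1 and
        # DisableStatusMessages is absent or 0, as the post describes.
        Effective             = ($verbose -eq 1) -and (-not $disable)
    }
}

function Enable-VerboseStatus {
    # Hypothetical backup location chosen for this example.
    param([string]$BackupPath = "$env:TEMP\policies-system-backup.reg")

    # Back up the key before editing; stop if the export fails.
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }

    # Create VerboseStatus, or overwrite it if it already exists.
    New-ItemProperty -Path $PolicyKey -Name VerboseStatus -PropertyType DWord -Value 1 -Force | Out-Null

    # Touch DisableStatusMessages only if it exists and is non-zero.
    if ((Get-VerboseStatusState).DisableStatusMessages) {
        Set-ItemProperty -Path $PolicyKey -Name DisableStatusMessages -Value 0 -Type DWord
    }
    Get-VerboseStatusState
}

# Read-only audit; call Enable-VerboseStatus from an elevated prompt to make the change.
Get-VerboseStatusState
```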

Understood. For sure. About the "extra" info on boot. I never would have thought about the verbose thing. I thought that was supposed to just give more info on errors. So now I understand DUH,,,,,,  :oops: I'll leave it alone for now, actually it's not at all that bad once I understand it  :haha:

I'll check my kitchen puter for the advapi.exe file and see what's up and post something only if it's pertinent.

I'll check for any posts a couple of times tonight and just before I crash, OK? Have a good one

Link to comment
Share on other sites

Understood. For sure. About the "extra" info on boot. I never would have thought about the verbose thing. I thought that was supposed to just give more info on errors. So now I understand DUH,,,,,, :oops: I'll leave it alone for now, actually it's not at all that bad once I understand it :haha:

I'll check my kitchen puter for the advapi.exe file and see what's up and post something only if it's pertinent.

I'll check for any posts a couple of times tonight and just before I crash, OK? Have a good one

Most likely those are the status messages.  I would suspect your boot up is a bit slower with verbosity on as well.  Good idea on checking your other machine for the file!  Let me know how it goes.  Back to work for a bit more...........

Link to comment
Share on other sites

69 RAT..

Do you have a program that tells you what is set to startup when the puter starts? and if so can you shut them off ? choose which ones to shut off ?

Just wondering because I have run into a problem before when my anti-virus had removed an infected file but it was still trying to start it when windows started, and I would get a file not found error, so all I had to do was shut it off in the startup and that took care of it.

I use regcleaner just for that purpose,  just put a check next to what you don't want to start and remove it, but it does back it up just in case you removed something you need.

I'll attach that program if you want it, if not no prob.

Link to comment
Share on other sites

HI MYRIAGON. Well actually I have at least 3 ditties that I can disable startups from./Msconfig/The Ultimate Troubleshooter(TUT) and PC Rescue. The last one actually lets you know of any bad reg keys or links, etc. I have more, but I can't remember what. Since this thing started, I have downloaded a "few" extra scanning devices for a total of 10  :!: :!: Oh wait a minute, I think SpyBot has a startup list too.

Link to comment
Share on other sites

Sorry I've been away.  Work's become a real hassle because I need to get a piece of proprietary software revamped in order to interface it with another piece of software by august 1st.  What a job........  Glad I'm not programming it myself! 

I've rethought the advapi issue and realized I was way too punchy to be advising on it.  The entries in your sec. log are correct and are most likely calling the advapi32.dll during boot to log on as a service.  :oops:  I'm going to have to look up some stuff.........

Just tripped over this while looking for some other info.  Look at sli at pyro.nets post.  BTW:  Try looking in c:\windows\system32 for these files first.  If they are there then extract the files to a different temporary directory than he suggests since I assume you have updated your op sys.  and compare the dates of the files. If they aren't there then we have found the missing object.  If they are there and the dates are the same then go ahead and give this a try.  Also, extract the missing ones if that's what you find when you look them up in the system32 directory.

http://www.winxpforums.com/ftopic19583.html

Link to comment
Share on other sites
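The file comparison described in the post above, as an added PowerShell example (not part of the original thread). Besides presence and dates it also compares SHA-256 hashes and reports the Authenticode status of each extracted copy, which goes beyond the date check in the post; the function name, the extraction directory and the file list passed in are assumptions.

```powershell
# Added example: compare files in System32 with copies extracted to a temporary directory.
function Compare-SystemFile {
    param(
        [Parameter(Mandatory)][string[]]$FileName,    # files to check, e.g. 'advapi32.dll'
        [Parameter(Mandatory)][string]$ExtractedDir,  # directory holding the extracted copies
        [string]$SystemDir = "$env:SystemRoot\System32"
    )
    foreach ($name in $FileName) {
        $sys = Join-Path $SystemDir $name
        $new = Join-Path $ExtractedDir $name
        $sysExists = Test-Path -LiteralPath $sys -PathType Leaf
        $newExists = Test-Path -LiteralPath $new -PathType Leaf

        [pscustomobject]@{
            File          = $name
            InSystem32    = $sysExists   # $false means this is a candidate "missing object"
            SystemDate    = if ($sysExists) { (Get-Item -LiteralPath $sys).LastWriteTime }
            ExtractedDate = if ($newExists) { (Get-Item -LiteralPath $new).LastWriteTime }
            # Dates can match while contents differ, so compare hashes as well.
            SameContent   = if ($sysExists -and $newExists) {
                (Get-FileHash -LiteralPath $sys -Algorithm SHA256).Hash -eq
                (Get-FileHash -LiteralPath $new -Algorithm SHA256).Hash
            }
            # Signature status of the copy that would be placed into System32.
            ExtractedSignature = if ($newExists) {
                (Get-AuthenticodeSignature -FilePath $new).Status
            }
        }
    }
}

# C:\Temp\extracted is a placeholder path for this example.
Compare-SystemFile -FileName 'advapi32.dll' -ExtractedDir 'C:\Temp\extracted' | Format-List
```

A status other than Valid on an extracted copy is a reason to stop and find out where the file came from before putting it anywhere near System32.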

Sorry about the double.......  I've found a potential winner, but I've never used the program the dude mentions.  Here is the link:  http://www.freetechsforum.com/forum/index.php?act=ST&f=4&t=647

About a third of the way down and a guy by the name of cbuck.  Interesting proposition.

EDIT: 

You'll need to install XP support tools, here is how:  http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_namp.asp

Here is the first tool to use.  It lists dependencies for a given service.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_cnxc.asp

Here is the SC program detail. 

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_cnxc.asp

I can't help you with this because I do not have an install disk for xp and have not run these programs.  They look straightforward from the descriptions and cbuck's post.  What do you think?  If you give me a day or two, I should be able to better help with this process.  Let me know.  In essence, what you will be doing is looking at the dependencies for lsass.exe and starting the ones that are not running and viewing information on services running and/or stopped.  Can't hurt to look can it???? :) :)

Link to comment
Share on other sites

I'm not sure what or how to do the sc config. But, ALL of my sc query items are running as we speak. :!:

Just pm'd you info on the dependency program.  I believe that this is where you will find if there are some services that may not be running.  Take the list from Depends then run sc query and compare the two.  SC config you're gonna have to look up in MS's infamous help and support in XP....  I'll gawk around the net a bit and see what I can come up with as well..........

Link to comment
Share on other sites
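The comparison suggested in the post above (a dependency list checked against what is actually running), as an added PowerShell example that is not part of the original thread. It walks the service dependency chain recorded by the Service Control Manager instead of using the Depends and sc tools named in the thread; the function name and the service name `SamSs` are assumptions, so substitute the service being investigated.

```powershell
# Added example: list every service in a dependency chain that is not running.
function Get-StoppedDependency {
    param(
        [Parameter(Mandatory)]$Service,   # object returned by Get-Service
        $Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    foreach ($dep in $Service.RequiredServices) {
        # Skip anything already visited so shared dependencies are reported once.
        if (-not $Seen.Add($dep.Name)) { continue }

        if ($dep.Status -ne 'Running') {
            [pscustomobject]@{
                Service     = $dep.Name
                DisplayName = $dep.DisplayName
                Status      = $dep.Status
                RequiredBy  = $Service.Name
            }
        }
        # Recurse on the returned object; it may be a driver that Get-Service -Name cannot look up.
        Get-StoppedDependency -Service $dep -Seen $Seen
    }
}

# 'SamSs' is an example service name (assumption); replace it as needed.
$target  = Get-Service -Name 'SamSs' -ErrorAction Stop
$stopped = @(Get-StoppedDependency -Service $target)

if ($stopped.Count -eq 0) {
    "All dependencies of $($target.Name) are running."
} else {
    $stopped | Sort-Object Service | Format-Table -AutoSize
}
```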

Well I think I need some of those coupons now  :haha: :haha: I open the Depends and the screen is blank and in the help file there is no clue on how to run the ---- thing. Nothing in the toolbar either. How do I kick start it anyway?

Link to comment
Share on other sites

Well I think I need some of those coupons now :haha: :haha: I open the Depends and the screen is blank and in the help file there is no clue on how to run the ---- thing. Nothing in the toolbar either. How do I kick start it anyway?

:haha: :haha:

I believe you type in the name of the program you want to view the dependencies for.

Drawing a conclusion from this info from this link.  http://www.mazecomputer.com/sxs/help/builddep.htm  Will look further....

Using Dependency Viewer

Microsoft Windows SDK (free download from Microsoft) includes a module dependency viewer called depends.exe. This is an indispensable tool for finding missing DLL dependencies required by somebody else's code. When you are the developer of the code being packaged, you know what DLLs and COM objects are required. Not necessarily so with third party software. Use Dependency Viewer.

The moment you open a DLL or an executable in Dependency Viewer, it recursively scans import tables and locates all imported DLLs and exported and imported entry points. The first thing you should do is ignore all missing delay-load imports and, in most cases, all error messages pertaining to Windows DLLs.

Look for yellow marks at all non-system DLLs. These are all required to load the DLLs.

If there are no more missing DLLs in the UI, there may be DLLs loaded dynamically at runtime - proceed to round two.

Dependency Viewer - Round Two

You may need to actually run the program or load the DLL inside depends.exe to allow the program check run-time load requests. If you need to find missing DLLs for an executable - run that program with appropriate parameters. If you are investigating a DLL (for a shared or private assembly, for example) run REGSVR32.EXE <your DLL path>.

The log window displays in red failing DLL loads and entry point lookup calls - study the list. Every failing LoadLibrary* loading a DLL with no path can be fixed - just add the DLL to run-time dependencies or the manifest, whichever is appropriate. Any DLLs loaded with an explicit path must be in that explicitly named directory - no manifest will help here.

***********************

Here it is..... now to read a bit................http://dependencywalker.com/

Link to comment
Share on other sites
