Friday, 5 June 2009

KSOD - My lil fix.

Okay, so here are "more detailed" instructions on how I fixed the Black Screen Of Death (KSOD) problem.

Like I said, the error in our case came about because a Group Policy Object I made included security permissions for several services, among them the services:

  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator.

The default settings presented included the Administrator Group and the SYSTEM & INTERACTIVE accounts.
The account "NT AUTHORITY\NetworkService" was not included, meaning that when the account later tried to read a setting (or do anything else) regarding the RpcSs service, it failed, and the resulting error made the operating system reboot as defined in the recovery settings.

To solve this I PXE booted the computer into Windows PE available on our WDS Server and started RegEdit.
I incorrectly stated earlier that I didn't apply the change to the Hive but a review showed me that I had.
See this guide on how to load the %windir%/system32/config/SYSTEM hive and find the HKEY_LOCAL_MACHINE\SYSTEM\Select\Current key.

This key tells you which ControlSet Vista is currently using ("Current"), which one it uses by default ("Default") and which ControlSet is "Last Known Good".
In my case the key for Current was 1, meaning HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs and the permissions applied to that container (or individual keys stored there) needed to be changed.

By right clicking on HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs and selecting "Permissions" I could grant NetworkService the READ right and before rebooting I made sure it was also applied with the help of inheritance.

Note: The first test was to grant the account Full Control, which also worked but seems to be overkill.

  • Click on add
  • Click Advanced
  • Change Location to your Computer (if required)
  • Hit the find button and select the Network Service account.
  • Grant the account READ rights.

You might want to make sure the Enum and Parameters containers inherit the permissions as well.
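
The same check and repair can be scripted. This is an added example, not the author's own code: it loads the offline SYSTEM hive, reads Select\Current to find the active ControlSet, reports whether NetworkService has READ on Services\RpcSs and, with -Fix, grants it with inheritance to subkeys. It assumes a Windows PE image that includes PowerShell, that the offline Windows volume is D:, and a temporary mount name OfflineSystem (all three are assumptions).

```powershell
# Added example: audit (and with -Fix, repair) NetworkService read access on RpcSs
# in an offline SYSTEM hive. Drive letter and mount name are assumptions.
param(
    [string]$HivePath = 'D:\Windows\System32\config\SYSTEM',
    [switch]$Fix
)
$mount = 'OfflineSystem'   # hypothetical temporary mount name under HKLM
$nsSid = 'S-1-5-20'        # well-known SID of NT AUTHORITY\NetworkService
$read  = [System.Security.AccessControl.RegistryRights]::ReadKey
$key   = $null

& reg.exe load "HKLM\$mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }
try {
    # Select\Current holds the number N of the active ControlSet00N
    $current = (Get-ItemProperty "Registry::HKEY_LOCAL_MACHINE\$mount\Select").Current
    $sub = '{0}\ControlSet{1:D3}\Services\RpcSs' -f $mount, $current
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if (-not $key) { throw "Key not found: HKLM\$sub" }

    $acl = $key.GetAccessControl()
    # Only ACEs that name NetworkService itself are checked here;
    # access granted through a group it belongs to is not evaluated.
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hasRead = [bool]($aces | Where-Object {
        $_.IdentityReference.Value -eq $nsSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $read) -eq $read
    })
    "HKLM\$sub : NetworkService read = $hasRead"

    if (-not $hasRead -and $Fix) {
        # READ only (not Full Control), inheritable by subkeys such as Enum and Parameters
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            (New-Object System.Security.Principal.SecurityIdentifier $nsSid),
            $read, 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
        "Granted ReadKey to NetworkService on HKLM\$sub"
    }
}
finally {
    if ($key) { $key.Close() }
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release open handles before unload
    & reg.exe unload "HKLM\$mount" | Out-Null
}
```

Run it without -Fix first to see the current state; subkeys that have inheritance disabled will not pick up the new entry and need to be checked separately.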

After a Reboot, the Operating System should be able to boot as normal and the login window should show up after a short delay.

I hope this can help to shed some light on this problem for some of you. If it doesn't, then feel free to drop me a line after checking out the other options presented below.

Last Revised: 17:47 - June 5th 2009

Black Screen Of Death (KSOD) - Mystery solved?

While applying some new Group Policies I managed to stumble into the mystery known as the "Black Screen Of Death" or KSOD.

In order to get SCCM to work I had to make sure certain services were up and running, and in an attempt to prevent the user from accidentally stopping the services I also applied security settings to the System Services settings in Computer configuration.

Before long, computers that had applied the new GPO and rebooted (due to updates) started showing up and no, they didn't walk to my office on their own =P
The error went undetected by Vista, it booted up but never managed to show the login and simply rebooted after showing the BIOS logo and before it showed the Microsoft Banner.
Only a Black screen and the cursor ....

Although 8/10 machines were saved using either "Last Known Good Configuration" or Restore points (older than 1 month), it didn't solve every case.
In a stubborn moment I decided to not simply re-install Vista when all attempts to restore failed, the main reason for this was because the solutions I found didn't apply to my problem but I was quite certain that the solution was not far away from what they had suggested.

I decided to do it the hard way and check that all of the settings were correct in the registry itself, which of course involved looking at each setting as well as the security rights assigned to the key and containers.
I quickly saw that NetworkService was assigned as it was supposed to be in all of the registry ControlSets and in the SYSTEM hive, but in the RpcSs' security permissions, the NetworkService had no rights!

The reason for this was actually quite simple, the default security settings in the GPO did not include said user. (See picture below to see what users were applied by default)
I must admit that the discovery was uplifting and somewhat embarrassing at the same time.

With no rights assigned it had to be the reason for the KSODs we had seen. I Pixie (PXE) booted a Vista machine into PE and added the read rights straight to the controlset that was assigned as the Current one, held my breath and rebooted.

Of course, there might be other reasons in play but this is the solution that worked for me so it will probably work for some of you out there.

Default Assignment of Permissions to a Service.

This is how the GPO will assign permissions by default. As you can see, the required user "Network Service" is not present, and unless it or a group it is a member of is assigned the proper permissions, the system will crash.