Friday, 5 June 2009

KSOD - My lil fix.

Okay, so here are "more detailed" instructions on how I fixed the Black Screen Of Death (KSOD) problem.

Like I said, the error in our case came about because a Group Policy Object I made included security permissions for several services, among them the services:

  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator
The default settings presented included the Administrator Group and the SYSTEM & INTERACTIVE accounts.
The account "NT AUTHORITY\NetworkService" was not included, meaning that when the account later tried to read a setting (or do anything else) regarding the RpcSs service, it would fail, and the resulting error made the operating system reboot as defined in the recovery settings.

To solve this I PXE booted the computer into Windows PE available on our WDS Server and started RegEdit.
I incorrectly stated earlier that I didn't apply the change to the Hive but a review showed me that I had.
See this guide on how to load the %windir%/system32/config/SYSTEM hive and find the HKEY_LOCAL_MACHINE\SYSTEM\Select\Current key.

This key tells you which ControlSet Vista is currently using ("Current"), which one it uses by default ("Default") and which ControlSet is "Last Known Good".
In my case the key for Current was 1, meaning that HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs, and the permissions applied to that container (or individual keys stored there), needed to be changed.

By right clicking on HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs and selecting "Permissions" I could grant NetworkService the READ right and before rebooting I made sure it was also applied with the help of inheritance.


Note: The first test was to grant the account Full Control, which also worked but seems to be overkill.

  • Click Add
  • Click Advanced
  • Change Location to your Computer (if required)
  • Hit the find button and select the Network Service account.
  • Grant the account READ rights.
You might want to make sure the Enum and Parameters containers inherit the permissions as well.
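
The same check and repair as a script, useful when the fix has to be repeated on more than one machine. This is an added example, not the author's procedure: it assumes PowerShell is available in the Windows PE image, and the hive path, the mount name `OfflineSystem` and the `-Fix` switch are illustrative.

```powershell
# Added example (not from the original post). Assumed/hypothetical names:
# $HiveFile, the mount name 'OfflineSystem' and the -Fix switch.
param(
    [string]$HiveFile = 'C:\Windows\System32\config\SYSTEM',
    [string]$Mount    = 'OfflineSystem',
    [switch]$Fix
)
& reg.exe load "HKLM\$Mount" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HiveFile" }
try {
    # Select\Current is the number of the control set in use (1 -> ControlSet001)
    $current = (Get-ItemProperty "HKLM:\$Mount\Select").Current
    $keyPath = 'HKLM:\{0}\ControlSet{1:D3}\Services\RpcSs' -f $Mount, $current

    # Compare by SID: S-1-5-20 is NT AUTHORITY\NETWORK SERVICE, and name
    # lookups can fail in Windows PE.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
    $read = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl  = Get-Acl -Path $keyPath
    # An ACE stored as a generic right (GENERIC_READ) is not matched here
    $hasRead = [bool]($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $read) -eq $read })

    if (-not $hasRead -and $Fix) {
        # Read-only, inherited by subkeys: the minimum the post found sufficient
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $sid, $read,
            ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit),
            ([System.Security.AccessControl.PropagationFlags]::None),
            ([System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyPath -AclObject $acl
    }
    # Subkeys with protected ACLs do not inherit the new rule; list them
    $blocked = Get-ChildItem $keyPath | Where-Object { (Get-Acl $_.PSPath).AreAccessRulesProtected }
    [pscustomobject]@{
        ControlSet = $current; Key = $keyPath; NetworkServiceRead = $hasRead
        Repaired = [bool]($Fix -and -not $hasRead)
        NoInheritance = @($blocked | ForEach-Object PSChildName)
    }
}
finally {
    [gc]::Collect()   # release provider handles so the hive can unload
    & reg.exe unload "HKLM\$Mount" | Out-Null
}
```

Run without `-Fix` first to see whether the read entry is missing; any subkey listed under `NoInheritance` needs its permissions checked by hand.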

After a Reboot, the Operating System should be able to boot as normal and the login window should show up after a short delay.

I hope this can help to shed some light on this problem for some of you. If it doesn't, then feel free to drop me a line after checking out the other options presented below.
Last Revised:
17:47 - June 5th 2009

4 comments:

  1. How come when I access permissions for RpcSs, in the Group or user names I have 4 people, that are CREATOR OWNER top, second is SYSTEM, 3rd is Administrators (LsaSetupDomain/Administrators), 4th is Users (LsaSetupDomain\Users). And in your lil diagram there is no creator owner... who is this creator owner? Because when I click Advanced and try to deny creator owner permission, it automatically recreates itself and the first creator owner is denied but the second one is fully functional... please reply...

  2. Creator Owner isn't an account really, what it means is that anyone who has access to that location and can create a file is made "owner" and "Creator" of that file.
    The user or group assigned to "Owner Creator" has full rights to a file (or registry KEY\Container) where they have that assignment.

    These permissions are really NTFS based, you'll find it on any file you create for example.

    It has many uses but in this case I'm guessing that it says Administrators as owner in Advanced.

    The image in the first part shows the default settings that are applied with a GPO when you change the security settings as well as the "Automatic" "Manual" and "Stop" settings of a service.
    It is not meant to show how the settings are supposed to be but rather it shows how the Group Policy editor applies the wrong permissions if they aren't changed.

    It's probably worth saying that the permissions seem to be different in a computer that is a member of a Domain VS a Workgroup computer.
    My home computer has full rights assigned to the Everyone group which is not the case on the desktop at work.

  3. All the settings appear to be correct and all permissions are on able to read. Still when I boot up it goes to the windows splash screen but then right to the black screen. Any more ideas? I really don't want to have to reinstall windows. Thanks for your time and help.

  4. I guess you might try increasing it to full rights.
    I can tell you what is happening though, when you see the splash screen it will try to start the services, almost all services have the setting that says that if it fails to start it should simply try to start it once more.
    However after X amount of failed attempts (usually 3) the computer finds that it is then supposed to not restart the service but rather restart the computer.
    I would think that this is also a setting to be found in the registry (which would probably be your best shot at altering that setting) though I'm not sure where.
    I will look into the problem some more as I've found that there is still a minor problem lingering after I found a solution to the last one. (The themes service is still not working properly in my case)
    -Alex
