3 x Windows Server 2008 Enterprise VMs and 2 Windows 7 Professional Physical machines, all black screen on reboot
Hello, I have 3 Windows 2008 Enterprise Servers installed on VM Fusion, and 2 physical Win 7 Pro boxes. I have been running this same test environment for months. Just recently I created a brand new Domain controller and started making a pretty detailed GPO (see below) to lock the systems down, which included registry entries and permission changes. As of recently (the last week), I have been having an issue where the system (any of them) starts acting screwy, not obeying commands etc, so I will reboot. When I reboot, the system boots to a black screen.

This is the exact symptom. They will flash the BIOS splash screen, then the Windows boot animation will appear and complete, then a black screen with only the cursor will appear. If I try safe mode I get the same; no matter what I do I get the same. On the physical machines I have to system restore in order to get back up. On the VMs I snapshot frequently, so I have to roll back. I thought it may have to do with VM Fusion, so I loaded on ESXi Server and experienced the same issue. The VM log files are useless; Windows logs do not even start at this point. Startup repair does nothing.

So I am working on my Domain controller, as this is the most critical piece of the puzzle. This is installed on Fusion. I rolled it back to a known good point and began working on it, snapshotting as often as possible and then rebooting. I have it now where I am directly before a black screen. I tried ICACLS to fix permissions, I took ownership of the entire C:, I removed all recent updates, I have removed all applications from the system except directory service and DNS, I have completely disabled the GPOs and run GPUPDATE /FORCE, I have tried everything I can think of. Does anyone know where I can go to get more info so I can start troubleshooting further? I have no logs left to search. I mounted the filesystem and examined the Windows logs and there are no entries after the shutdown.
I have looked at the c:\windows\system32\security\winlogon.txt log file; it has no info. I am out of ideas. I see this same issue in a lot of other places, few of which actually got resolved; it seems to be a symptom of multiple different problems. CAN SOMEONE AT MICROSOFT HELP, as this is a known issue that a lot of people are having. Is there a log that starts after the boot animation?

Thanks in advance
PMP_ADMIN

Keywords: BkSOD, KSOD Black Screen of Death, Black, Screen, Black Screen on boot, Boot failure windows, server, professional, vista, 2008, R2, x64 64 bit, x86, 32 bit, Virtual, Physical

Here is a copy of the GPO:

Security Settings

Account Policies/Password Policy
Policy | Setting
Enforce password history | 24 passwords remembered
Maximum password age | 42 days
Minimum password age | 1 days
Minimum password length | 14 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled

Account Policies/Account Lockout Policy
Policy | Setting
Account lockout duration | 0 minutes
Account lockout threshold | 3 invalid logon attempts
Reset account lockout counter after | 60 minutes

Account Policies/Kerberos Policy
Policy | Setting
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 7 days
Maximum tolerance for computer clock synchronization | 5 minutes

Local Policies/Audit Policy
Policy | Setting
Audit account logon events | Success, Failure
Audit logon events | Success, Failure
Audit object access | No auditing
Audit policy change | Success, Failure
Audit privilege use | Failure
Audit process tracking | No auditing
Audit system events | No auditing

Local Policies/User Rights Assignment
Policy | Setting
Access Credential Manager as a trusted caller |
Access this computer from the network | NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system |
Add workstations to domain | BUILTIN\Administrators
Adjust memory quotas for a process | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally | Domain Admins, BUILTIN\Administrators
Allow log on through Terminal Services | BUILTIN\Administrators
Back up files and directories | BUILTIN\Administrators
Bypass traverse checking | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile | BUILTIN\Administrators
Create a token object |
Create global objects | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects |
Create symbolic links | BUILTIN\Administrators
Debug programs |
Deny access to this computer from the network | BUILTIN\Guests
Deny log on as a batch job | BUILTIN\Guests
Deny log on as a service |
Deny log on locally | BUILTIN\Guests
Deny log on through Terminal Services | BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation | BUILTIN\Administrators
Force shutdown from a remote system | BUILTIN\Administrators
Generate security audits | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase a process working set | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority | BUILTIN\Administrators
Load and unload device drivers | BUILTIN\Administrators
Lock pages in memory |
Log on as a batch job | BUILTIN\Administrators
Manage auditing and security log | PMP\Auditor Group
Modify an object label | BUILTIN\Administrators
Modify firmware environment values | BUILTIN\Administrators
Perform volume maintenance tasks | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Profile system performance | BUILTIN\Administrators
Remove computer from docking station | BUILTIN\Administrators
Replace a process level token | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories | BUILTIN\Administrators
Shut down the system | BUILTIN\Administrators
Synchronize directory service data |
Take ownership of files or other objects | BUILTIN\Administrators

Local Policies/Security Options

Accounts
Policy | Setting
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | "DELETED"
Accounts: Rename guest account | "DELETED"

Audit
Policy | Setting
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled

Devices
Policy | Setting
Devices: Allow undock without having to log on | Disabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled

Domain Member
Policy | Setting
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled

DELETED

Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 1 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled
Interactive logon: Require smart card | Disabled
Interactive logon: Smart card removal behavior | Lock Workstation

Microsoft Network Client
Policy | Setting
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled

Microsoft Network Server
Policy | Setting
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled

Network Access
Policy | Setting
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled

DELETED

Network Security
Policy | Setting
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | Disabled
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled
    Require NTLMv2 session security | Enabled
    Require 128-bit encryption | Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled
    Require NTLMv2 session security | Enabled
    Require 128-bit encryption | Enabled

Recovery Console
Policy | Setting
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled

Shutdown
Policy | Setting
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | Disabled

System Cryptography
Policy | Setting
System cryptography: Force strong key protection for user keys stored on the computer | User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled

System Objects
Policy | Setting
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled

System Settings
Policy | Setting
System settings: Optional subsystems |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Enabled

User Account Control
Policy | Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate executables that are signed and validated | Disabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled

Other
Policy | Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Highest protection, source routing is completely disabled
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) | Enabled
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled

Event Log
Policy | Setting
Maximum application log size | 16384 kilobytes
Maximum security log size | 1000064 kilobytes
Maximum system log size | 16384 kilobytes
Prevent local guests group from accessing application log | Enabled
Prevent local guests group from accessing security log | Enabled
Prevent local guests group from accessing system log | Enabled
Retention method for application log | As needed
Retention method for security log | Manually
Retention method for system log | As needed

Restricted Groups
Group | Members | Member of
BUILTIN\Remote Desktop Users | Administrators |

DELETED

There are also some registry entries and permission changes not listed, as they took up a lot of space, but essentially I entered the following. Registry entries: 80 McAfee scanning and detection options set through the GPO in the form of registry changes, disable IPv6 (customer request, all systems were on local network with no internet access). Editing permissions: Winlogon registry key - removed users read access HKLM/Software and SYSTEM enabled auditing for failed attempts to write c: enabled auditing for all users failed attempt to write application, system and security logs - removed regular users altogether, removed admins write access and added a new user group with full access (whole point is to have the admins accountable to another OU like management, but they can still view for troubleshooting and system performance reasons).
October 20th, 2011 2:58pm

Sorry for the "ping-pong" effect, but this problem resolution should start on the VM side. This article may help you to repair the VM:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1023888
and here is info on the BSOD in a VM environment:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1024460
If it is on the MS side, please give more information on the error codes and description that may help to resolve the reason for this behavior.

Regards
Milos
October 21st, 2011 2:30am

Thanks for the info on a BLUE SCREEN ERROR, but as my title and subject clearly state, this is a BLACK SCREEN with no error, only a cursor. If it were a blue screen then I would have some info and a MEMORY.DMP file, also sometimes a minidump file in the c:\windows directory. Also, how can this be a VM issue when it has occurred on fresh builds on physical machines?

Anyway, I was able to enable boot logging, and found the file at c:\windows\ntbtlog.txt. Upon examination I found entries like

Did not load driver \SystemRoot\C:\Program Files\Blah Blah Blah.sys

and

Did not load driver \??\C:\Windows\system32\Blah Blah Blah.sys

I could not find a file like boot.ini was in XP and older, so I assumed the settings were in the registry. On the Server 2008 machine I loaded the Win 2008 SVR x64 disk and went to repair, launched command prompt, regedit, click HKEY/ Local Machine, click file, load hive c:\windows\system32\config\system and software, name them mySystem and mySoftware, then searched for the actual file name that was giving the error (Blah Blah Blah.sys). I found that a lot of these had a correct path in the registry (in the case of \SystemRoot\C:\Program Files\Blah Blah Blah.sys it was listed in the registry as C:\Program Files\Blah Blah Blah.sys, the system automatically added the \SystemRoot\ so I just added quotations "C:\Program Files\Blah Blah Blah.sys"), but in the example \??\C:\Windows\system32\Blah Blah Blah.sys, it was actually listed as such in the registry. I removed the \??\ . I kept hitting find next to eliminate all of the erroneous entries, then I booted, still black screened. So I did it again, found more errors, fixed them, rebooted.. same.. bootlogged again for the third time and still getting the same errors and still black screen.

Does anyone have any tips for troubleshooting WINDOWS STARTUP that I may have not listed?
October 21st, 2011 7:53am

All of the listed entries in the ntbtlog have been addressed and I still do not have an answer. I found that just because a driver wasn't loaded didn't mean it was an erroneous entry; the most likely cause was the driver was not needed.

In an attempt to fix the system (the most important virtual Server) so that it can boot I have rolled back the machine, and removed all additional software including AV and Anti-Spyware (thinking it was an incompatibility), taken ownership of the entire c drive and all sub folders, directories and files (previously owned by Trusted installer) and set permissions for System: full access, local service: full access, service: full access, everyone: full access, administrators: full access (thinking it was due to permissions), applied the same permissions to the registry. (Side note: before and after I take ownership I cannot assign creator owner permissions, currently it has no permissions, accept or deny.)
October 26th, 2011 9:00am

I feel like I am just talking to myself as this forum has had literally no interaction. Anyway, I think I have the root of the cause pinned down, just no fix. I have desperately tried everything I can think of to figure out the cause of this black screen and decided to try HiJackThis just to see. I first ran it on the Server 2008 VM, and I got the following output:

Running processes:
C:\Users\ME\Desktop\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=
O1 - Hosts: ::1 localhost
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MYdomain
O17 - HKLM\System\CCS\Services\Tcpip\..\{5010909C-DD77-403D-B4EC-A2868CCF822A}: NameServer = My DNS Servers
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MYdomain
O17 - HKLM\System\CS1\Services\Tcpip\..\{5010909C-DD77-403D-B4EC-A2868CCF822A}: NameServer = My DNS Servers
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe (file missing)
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: TP VC Gateway Service (TPVCGateway) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPVCGateway.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
O23 - Service: VMware Upgrade Helper (VMUpgradeHelper) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
-- End of file - 5775 bytes

Out of this I would like to turn your attention to

F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=

As shell is what is not loading and Userinit is the program that is run before the shell, this makes sense that I have nothing but a black screen. So I ran it on a known good configuration and these items do not appear. So I googled this and found that the system.ini file is mapped (via inimapping registry entry) to the HKLM/Software/Microsoft/WindowsNT/CurrentVersion/Winlogin directory, but when I look there the correct information is entered (Shell=Explorer.exe and Userinit=C:/windows/system32/userinit.exe,). These entries are also contained in the WOW64 registry path as well, but with no path, just file name. I then ran HijackThis on another machine known to black screen and I got the same empty entries. So I am sure I am on the correct path.

Anyone know where HijackThis is pulling this from? I checked their (and many other) forums and they all just say it pulls from the above registry entries. Also the auto-correct feature does not fix the issue. So at least I have now found one consistent thing within the black screen.
October 27th, 2011 10:03am

I was able to figure out that if I restored the users read permissions on HKLM/Software/WOW6432node/Microsoft/Windows NT/CurrentVersion/Winlogin then the HijackThis output mirrors that of a system that boots properly, so again I have hit a wall.... I am out of ideas.

I guess I need a better understanding of the Vista / Server 2008 boot process, and this is proving difficult to find (a good resource with the entire process listed such as a flowchart). Does anyone have or know of a good resource so I can hit this problem from a different angle? So far this is my understanding: POST, BIOS, MBR, BOOTMGR, BCD, WINLOAD, USERINIT, EXPLORER. Please correct me if I am wrong. At what point is the boot animation shown (green bars that move from left to right)? At what point does the black screen with the cursor change over to the hourglass? Because that is what is not happening.

So far I don't know what is happening and I don't know why it's happening. I have no leads, I have no symptoms, all I have is a "snapshot" or a backup point in time at which I can try fixes, because it is guaranteed to black screen on the next reboot. Again this is a VM so hardware is out of the question. This same issue is happening on physical machines so VMware is out of the picture. On my test physical machine I installed no Windows updates or third party software so that is no longer in the equation; the only thing that changed from a base load was the system was joined to the domain with the above GPO applied.
October 28th, 2011 8:26am
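
The permission change described in the post above (users' read access on the Winlogon key, written "Winlogin" there) can be checked on a still-running machine before it is rebooted. The PowerShell below is an added example, not code from any participant in this thread; the function name Test-WinlogonKey and the list of well-known SIDs treated as covering an ordinary user are assumptions of the example.

```powershell
# Added example (not from the thread): report whether ordinary users can read
# the two Winlogon keys and what Shell/Userinit contain. Run from an elevated
# 64-bit PowerShell prompt so the native key is not redirected to WOW6432Node.

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Assumption: read access for an ordinary interactive user arrives through one
# of these well-known SIDs (SIDs are used because group names are localized).
$UserSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
}

$ReadKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-WinlogonKey {
    param([string]$Path)

    $report = New-Object PSObject -Property @{
        Path = $Path; Exists = $false; AllowedVia = @(); DeniedVia = @()
        Shell = $null; Userinit = $null; Verdict = 'key not present'
    }
    if (-not (Test-Path -Path $Path)) { return $report }
    $report.Exists = $true

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Inherit-only ACEs apply to subkeys, not to this key itself.
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }

        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: not one of the SIDs above
        if (-not $UserSids.ContainsKey($sid)) { continue }

        $rights = [int]$ace.RegistryRights
        if ($ace.AccessControlType -eq 'Allow') {
            # An Allow entry only helps if it covers every bit of ReadKey.
            if (($rights -band $ReadKey) -eq $ReadKey) {
                $report.AllowedVia += $UserSids[$sid]
            }
        } elseif (($rights -band $ReadKey) -ne 0) {
            # A Deny entry on any read bit is enough to break a read.
            $report.DeniedVia += $UserSids[$sid]
        }
    }

    # Read the two values the HijackThis F2 lines refer to.
    $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($values) {
        $report.Shell    = $values.Shell
        $report.Userinit = $values.Userinit
    }

    if ($report.DeniedVia.Count -gt 0) {
        $report.Verdict = 'ordinary users are DENIED read'
    } elseif ($report.AllowedVia.Count -eq 0) {
        $report.Verdict = 'no ACE grants ordinary users read'
    } elseif (-not $report.Shell -or -not $report.Userinit) {
        $report.Verdict = 'readable, but Shell or Userinit is empty'
    } else {
        $report.Verdict = 'ok'
    }
    return $report
}

$WinlogonKeys |
    ForEach-Object { Test-WinlogonKey -Path $_ } |
    Select-Object Path, Verdict, AllowedVia, DeniedVia, Shell, Userinit |
    Format-List
```

Running it on a machine that boots normally and again on one with the GPO applied gives a direct comparison of the two keys; any verdict other than "ok" after a policy refresh is worth resolving while a snapshot or restore point is still available.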

Are you able to launch Task Manager by pressing Ctrl+Alt+Del at the black screen? Did you install any new software to these machines? From reading through the posts, there is a good likelihood that the issue is caused by a common software or the GPOs you have applied. Can you create a new system, make sure it boots up correctly a few times, then join it to your domain and apply the above policies you mentioned and see if the new system reproduces the error condition? Taking a snapshot before joining to the domain would be advisable.

"started making a pretty detailed GPO (see below) to lock the systems down, which included registry entries and permission changes" - What are these registry and permission changes? There is a high probability that these changes might have caused the issue. What is the SP level?

Additionally, here are some known hotfixes for black screen issues:

976427 Computers that are running Windows 7 or Windows Server 2008 R2 stop responding at a black screen if a screen saver is enabled
http://support.microsoft.com/default.aspx?scid=kb;EN-US;976427

975484 Your computer may freeze or restart to a black screen that has a "0xc0000034" error message after you install Service Pack 1 on Windows 7 or Windows 2008 R2
http://support.microsoft.com/default.aspx?scid=kb;EN-US;975484

2410477 A computer that is running Windows 7 or Windows Server 2008 R2 stops responding when you put the computer in sleep mode (S3) or resume the computer from the S3 mode
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2410477

981275 A UEFI-enabled computer may "hang" at a black screen in the startup process for Windows 7 or Windows 2008 R2

954429 A multiprocessor computer that is running Windows Server 2003, Windows Vista, or Windows Server 2008 stops responding on a black screen after you resume the computer from hibernation

Sumesh P - Microsoft Online Community Support
November 2nd, 2011 6:13am

Hello, it's nice to have some interaction in this forum! The server is SP2. The Win 7 machines are SP1. I did install a few third party applications such as AV etc on the original machine. Yes, I did make a test machine with NO Win updates and NO third party apps; I joined the Domain and it did the same thing. CTRL ALT DEL does nothing, CTRL ALT ESC either. It is definitely hanging on the process before explorer is loaded, like the system does not have permissions to run explorer. Once it black screens there is no recovering that I have found. I tried start-up recovery on a WIN7 Prof machine with no luck.

Thank you for the resources; unfortunately I have already gone through those. Most of them are referring to resuming after hibernation or screen saver, but this is on boot. No machines are allowed to hibernate. And I have never had an issue resuming from screensaver. Or they refer to a stop message in which I am not receiving. The system runs fine until I reboot, then it hangs.
November 3rd, 2011 8:47am

Ok, with that it is pretty clear that the issue is most likely caused by one of the settings in the GPO. Disable the GPO and does the PC behave like this when joined to domain?

You can use Process Monitor and enable boot logging to find out if there are permissions issues during boot time. Download Process Monitor and set 'Enable Boot Logging' from the Options menu. Shut down and then access the file c:\windows\procmon.pmb. Sometimes when the file becomes large, it is split into multiple files ending with procmon.pm1, .pm2 etc. Share or analyze the log to look for access denied errors.

Sumesh P - Microsoft Online Community Support
November 4th, 2011 6:23am

Is this the same as the boot logging that is enabled in the Advanced startup options, making a log file called ntbootlog.txt in the %system% folder? As I do have that output already. Since the machine I currently need to recover is the domain controller I will run DC promo on it and demote it and see if it boots correctly.
November 7th, 2011 6:34am

No it is not. The suggested route is to use the process of elimination with the GPOs being applied. Sumesh P - Microsoft Online Community Support
November 7th, 2011 6:38am

Wow, that process monitor is an awesome tool! I disabled all of the GPOs and ran DCPROMO, deleted the domain and rebooted, with the same results - black screen on boot. So I rolled the virtual machine back and installed process monitor, enabled boot logging and rebooted. Now I get a blue screen error, Bad Pool Caller. I also tried booting in Safe mode with the same results. I have saved the log file and I am trying to open it on another PC now.
November 7th, 2011 7:40am

It seems as if the file is becoming corrupted at the blue screen, and cannot be opened. There is no memory.DMP file either. I have also told the system to create a mini dump file at this time instead and I cannot find that under c:\windows or c:\windows\system32.
November 7th, 2011 9:00am

Disabling the GPOs after the security changes are made doesn't revert them back, so it is not of much use in troubleshooting. Since process monitor is not working for you either, I suggest you consider opening a paid support ticket if you would like more assistance and in-depth troubleshooting.

Sumesh P - Microsoft Online Community Support
November 7th, 2011 9:28am

A couple of questions related to the GPO: Did you create new GPO or edit the Default Domain Policy when you originally created? Also when you say you disabled GPO and promoted DC out of domain does this mean you removed Active Directory totally by removing the domain? Have you reproduced this in another domain by chance?
November 27th, 2011 2:25pm

Created new GPOs - a locked down version for each of the different types of machines in my AD. Yes - since the DC is a virtual I snapshotted all of the machines, shut down all but the DC, then DCPROMO to destroy the domain to see if this allowed the system to boot properly, but it made no change.

So I see my last post was reported as abusive - I guess the world is not ready for the truth. BTW this post has had 667 views as of now, and there are a hundred other posts about this issue without an answer - so it's obvious I am not the only one having this issue.
December 5th, 2011 6:38am

Hi, got a similar problem like you - after a power failure (even UPS didn't help) one VM with Windows 2008 R2 x64 and domain services got a blank screen with cursor (on VMware ESXi). ctrl+shift+esc, safe mode, debug mode, ad restore services, repair mode - nothing helps. Found some links on the internet:

http://www.topitproviders.net/index.php/2011/07/20/windows-server-2008-boots-to-black-screen-with-mouse-cursor/
http://social.technet.microsoft.com/Forums/en-GB/winserversetup/thread/506aad18-576f-412b-96eb-12426a2cee17
http://projectdream.org/wordpress/2009/03/03/windows-server-2008-and-the-black-screen-of-waiting/
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1011709

Nothing helps. Tried the registry trick, even loading the registry hive from d:\windows\system32\config\SYSTEM; in repair mode renamed the vmware tools folder. My big guess is that it's a vmware tools-related or windows updates-related issue. Maybe you will be more lucky with the provided links.
December 11th, 2011 4:40pm

Hi, finally got it working:

1. Start repair mode.

2. Go to command prompt:

    d: (or disk, where your windows is located).
    cd \Windows\System32\config
    mkdir oldreg
    move DEFAULT oldreg\
    move SAM oldreg\
    move SECURITY oldreg\
    move SYSTEM oldreg\
    move SOFTWARE oldreg\
    copy RegBack\DEFAULT .\
    copy RegBack\SAM .\
    copy RegBack\SECURITY .\
    copy RegBack\SYSTEM .\
    copy RegBack\SOFTWARE .\

3. Reboot server to normal mode.

If it does not help, you can try to rename EventLog files (possibly corrupted):

    move \Windows\System32\winevt\Logs \Windows\System32\winevt\Logs-old
    mkdir \Windows\System32\winevt\Logs

Regards,
Eimantas
December 14th, 2011 9:47am

Had the same issue, but still unaware of root cause. Has someone managed to identify?
February 17th, 2012 7:39am

Of course now this issue has come up again now... Thank you, Eimantas, as your post was a very good thought. Unfortunately neither of these seemed to resolve the issue. Sorry, Anatolii, no, this issue has never been resolved. Another mystery of the universe I guess.
June 20th, 2012 8:58am

I had the issue before on my 64bit Servers and Win7 PCs, and the only thing that worked then was to rebuild or reinstall, but after a while the issue disappeared. So today I had problems with account lockouts, and decided to enable a policy that ran a startup script to RUN the KILL KIDO removal tool. Turns out that this was the cause of my black screen.

Since I didn't have a snapshot of my Virtual Machine, I started up the VM with last known good configuration and scheduled CHKDSK /R /F, disabled the above GPO (after reading the post above about GPOs) which I most recently enabled, and the VM started up normally. So just to be sure this was the actual cause, I restarted the VM one more time and it still booted normally. Then I re-enabled the GPO and restarted the VM and the black screen was back. So I tried my previous fix and the problem was resolved. I repeated this scenario at least 5 times and had the same results, so I'm certain now that my issue had to do with the GPO (or more precisely the startup script). Hope this helps.
June 20th, 2012 10:27am

This topic is archived. No further replies will be accepted.
