3 x Windows Server 2008 Enterprise VMs and 2 Windows 7 Professional Physical machines, all black screen on reboot
Hello,
I have 3 Windows 2008 Enterprise Servers installed on VM Fusion, and 2 Physical Win 7 Pro boxes. I have been running this same test environment for months. Just recently I Created a Brand New Domain controller and started making a pretty
detailed GPO (see below) to lock the systems down, which included registry entries and permission changes. As of recently, (the last week) I have been having an issue where the system (any of them) starts acting screwy, not obeying commands etc, so I will
reboot. When I reboot the system boots to a black screen. This is the exact symptom. They will flash the BIOS splash screen, then the windows boot animation will appear and complete. then a black screen with only the cursor will appear. If I try safe mode
I get the same, no matter what I do I get the same. On the physical machines I have to system restore in order to get back up. On the VMs I snapshot frequently so I have to roll back. I thought it may have to do with the VM Fusion so I loaded on ESXi Server
and experienced the same issue. The VM log files are useless, Windows logs do not even start at this point. Startup repair does nothing.
So I am working on my Domain controller as this is the most critical piece of the puzzle. This is installed on Fusion. I rolled it back to a known good point and began working on it, snapshotting as often as possible and then rebooting. I have It now where
I am directly before a Black screen. I tried ICACLS to fix permissions, I took ownership of the entire C:, I removed all recent updates, I have removed all applications from the system except directory service and DNS, I have completely disabled the GPOs and
GPUPDATE /FORCE, I have tried everything I can think. Does anyone know where I can go to get more info so I can start troubleshooting further. I have no logs left to search. I mounted the filesystem and examined the windows logs and there is no entries after
the shutdown. I have looked at c:\windows\system32\security\winlogon.txt log file it has no info. I am out of ideas
I see this same issue a lot of other places few of which actually got resolved, it seems to be a symptom for multiple different problems. CAN SOMEONE AT MICROSOFT HELP, as this is a known issue that a lot of people are having. Is there a log that starts after
the boot animation?
Thanks in advance
PMP_ADMIN
Keywords: BkSOD, KSOD Black Screen of Death, Black, Screen, Black Screen on boot, Boot failure windows, server, professional, vista, 2008, R2, x64 64 bit, x86, 32 bit, Virtual, Physical
Here is a copy of the GPO
Security Settings
Account Policies/Password Policy
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 42 days
Minimum password age 1 days
Minimum password length 14 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled
Account Policies/Account Lockout Policy
Policy Setting
Account lockout duration 0 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 60 minutes
Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success, Failure
Audit logon events Success, Failure
Audit object access No auditing
Audit policy change Success, Failure
Audit privilege use Failure
Audit process tracking No auditing
Audit system events No auditing
Local Policies/User Rights Assignment
Policy Setting
Access Credential Manager as a trusted caller
Access this computer from the network NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system
Add workstations to domain BUILTIN\Administrators
Adjust memory quotas for a process NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally Domain Admins, BUILTIN\Administrators
Allow log on through Terminal Services BUILTIN\Administrators
Back up files and directories BUILTIN\Administrators
Bypass traverse checking NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile BUILTIN\Administrators
Create a token object
Create global objects NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects
Create symbolic links BUILTIN\Administrators
Debug programs
Deny access to this computer from the network BUILTIN\Guests
Deny log on as a batch job BUILTIN\Guests
Deny log on as a service
Deny log on locally BUILTIN\Guests
Deny log on through Terminal Services BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation BUILTIN\Administrators
Force shutdown from a remote system BUILTIN\Administrators
Generate security audits NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase a process working set NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority BUILTIN\Administrators
Load and unload device drivers BUILTIN\Administrators
Lock pages in memory
Log on as a batch job BUILTIN\Administrators
Manage auditing and security log PMP\Auditor Group
Modify an object label BUILTIN\Administrators
Modify firmware environment values BUILTIN\Administrators
Perform volume maintenance tasks BUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performance BUILTIN\Administrators
Remove computer from docking station BUILTIN\Administrators
Replace a process level token NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories BUILTIN\Administrators
Shut down the system BUILTIN\Administrators
Synchronize directory service data
Take ownership of files or other objects BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy Setting
Accounts: Administrator account status Enabled
Accounts: Guest account status Disabled
Accounts: Limit local account use of blank passwords to console logon only Enabled
Accounts: Rename administrator account "DELETED"
Accounts: Rename guest account "DELETED"
Audit
Policy Setting
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Audit: Shut down system immediately if unable to log security audits Disabled
Devices
Policy Setting
Devices: Allow undock without having to log on Disabled
Devices: Allowed to format and eject removable media Administrators
Devices: Prevent users from installing printer drivers Enabled
Devices: Restrict CD-ROM access to locally logged-on user only Disabled
Domain Member
Policy Setting
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Enabled
DELETED
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 1 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation Disabled
Interactive logon: Require smart card Disabled
Interactive logon: Smart card removal behavior Lock Workstation
Microsoft Network Client
Policy Setting
Microsoft network client: Digitally sign communications (always) Enabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
Microsoft Network Server
Policy Setting
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Microsoft network server: Disconnect clients when logon hours expire Enabled
Network Access
Policy Setting
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
Network access: Let Everyone permissions apply to anonymous users Disabled
DELETED
Network Security
Policy Setting
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: Force logoff when logon hours expire Disabled
Network security: LAN Manager authentication level Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
Recovery Console
Policy Setting
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all folders Disabled
Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Disabled
System Cryptography
Policy Setting
System cryptography: Force strong key protection for user keys stored on the computer User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
System Objects
Policy Setting
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
System Settings
Policy Setting
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Enabled
User Account Control
Policy Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Enabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled
Other
Policy Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Enabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Highest protection, source routing is completely disabled
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) Enabled
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
Event Log
Policy Setting
Maximum application log size 16384 kilobytes
Maximum security log size 1000064 kilobytes
Maximum system log size 16384 kilobytes
Prevent local guests group from accessing application log Enabled
Prevent local guests group from accessing security log Enabled
Prevent local guests group from accessing system log Enabled
Retention method for application log As needed
Retention method for security log Manually
Retention method for system log As needed
Restricted Groups
Group Members Member of
BUILTIN\Remote Desktop Users Administrators
DELETED
There are also some registry entries and permission changes not listed as they took up a lot of space but essentially I entered the following
Registry entries:
80 McAfee scanning and detection options set through the GPO in the form of registry changes,
disable IPv6 (customer request all systems were on local network with no internet access)
editing permissions:
Winlogon registry key - removed users read access
HKLM/Software and SYSTEM enabled auditing for failed attempts to write
c: enabled auditing for all users failed attempt to write
application, system and security logs- removed regular users all together, removed admins write access and added a new user group with full access, (whole point is to have the admins accountable to another OU like management but they can still view for troubleshooting
and system performance reasons)
October 20th, 2011 2:58pm
Sorry for "ping-pong"effect, but this problem resolution should start on the VM side. This article may help you to repair VM
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1023888
and here is info on the BSOD in VM environment
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1024460
If it is on the MS side, please give more information on the error codes and description that may help to resolve the reason for this behavior.
Regards
Milos
October 21st, 2011 2:30am
Thanks for the info on a BLUE SCREEN ERROR, but as my title and subject clearly states this is a
BLACK SCREEN with no error, only a cursor. If it were a blue screen then I would have some info and a MEMORY.DMP file, also sometimes a minidump file in the c:\windows directory. Also how can this be a VM issue when it has occurred on
fresh builds on physical machines?
Anyway, I was able to enable boot logging, and found the file at c:\windows\ntbtlog.txt, upon examination I found entries like
Did not load driver \SystemRoot\C:\Program Files\Blah Blah Blah.sys and....
Did not load driver \??\C:\Windows\system32\Blah Blah Blah.sys ,
I could not find a file like boot.ini was in xp and older, so I assumed the settings were in the registry, On the Server 2008 machine I loaded the Win 2008 SVR x64 disk and went to repair, launched command prompt, regedit, click HKEY/ Local Machine, click
file load hive c:\windows\system32\config\system and software, name them mySystem and mySoftware then searched for the actual file name that was giving the error (Blah Blah Blah.sys) I found that a lot of these had a correct path in the registry( in the case
of \SystemRoot\C:\Program Files\Blah Blah Blah.sys it was listed in the registry as C:\Program Files\Blah Blah Blah.sys, the system automatically added the \SystemRoot\ so I just added quotations "C:\Program Files\Blah Blah Blah.sys"
but in the example \??\C:\Windows\system32\Blah Blah Blah.sys, it was actually listed as such in the registry. I removed the \??\ .
I kept hitting find next to eliminate all of the erroneous entries, then i booted, still Black Screened. So I did it again found more errors, fixed them rebooted.. same.. bootlogged again for the third time and still getting the same errors and
still black screen. Does anyone have any tips for troubleshooting WINDOWS STARTUP that I may have not listed
October 21st, 2011 7:53am
All of the listed entries in the ntbtlog have been addressed and I still do not have an answer, I found that just because a driver wasn't loaded didn't mean it was an erroneous entry, the most likely cause was the driver was
not needed. In an attempt to fix the system (the most important virtual Server) so that it can boot I have rolled back the machine, and removed all additional software including AV and Anti-Spyware (thinking it was an incompatibility), taken ownership
of the entire c drive and all sub folders, directories and files (previously owned by Trusted installer) and set permissions for System: full access, local service: full access service: full access, everyone: full access administrators: full access (thinking
it was due to permissions) applied the same permissions to the registry, (side note, before and after I take ownership I cannot assign creator owner permissions, currently it has no permissions, accept or deny)
October 26th, 2011 9:00am
I feel like I am just talking to myself as this forum has had literally no interaction.
anyway I think I have the root of the cause pinned down, just no fix. I have desperately tried everything I can think of to figure out the cause of this black screen and decided to try HiJackThis just to see, I first ran it on the Server 2008 VM, and I got
the following output
Running processes:
C:\Users\ME\Desktop\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=
O1 - Hosts: ::1 localhost
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MYdomain
O17 - HKLM\System\CCS\Services\Tcpip\..\{5010909C-DD77-403D-B4EC-A2868CCF822A}: NameServer = My DNS Servers
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MYdomain
O17 - HKLM\System\CS1\Services\Tcpip\..\{5010909C-DD77-403D-B4EC-A2868CCF822A}: NameServer = My DNS Servers
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe (file missing)
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: File Replication (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: TP VC Gateway Service (TPVCGateway) - ThinPrint AG - C:\Program Files\VMware\VMware Tools\TPVCGateway.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
O23 - Service: VMware Upgrade Helper (VMUpgradeHelper) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
--
End of file - 5775 bytes
Out of this I would like to turn your attention to
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=
as shell is what is not loading and Userinit is the program that is run before the shell this makes sense that I have nothing but a black screen. So I run it on a known good configuration and these items do not appear. So I google this and find that the
system.ini file is mapped (via inimapping registry entry) to the HKLM/Software/Microsoft/WindowsNT/CurrentVersion/Winlogon directory, but when I look there the correct information is entered (Shell=Explorer.exe and Userinit=C:/windows/system32/userinit.exe,)
these entries are also contained in the WOW64 registry path as well but with no path just file name.
I then ran HijackThis on another machine known to black screen and I got the same empty entries. So I am sure I am on the correct path. Anyone know where HijackThis is pulling this from? I checked their(and many other Forums)and they all just say it pulls
from the above registry entries. Also the auto-correct feature does not fix the issue. So at least I have now found one consistent thing within the black screen.
October 27th, 2011 10:03am
I was able to figure out that if I restored the users read permissions on HKLM/Software/WOW6432node/Microsoft/Windows NT/CurrentVersion/Winlogon then the HijackThis output mirrors that of a system that boots properly, so again I have hit a wall.... I am
out of Ideas. I guess I need a better understanding of the Vista / Server 2008 boot process, and this is proving difficult to find (a good resource with the entire process listed such as a flowchart) does anyone have or know of a good resource so I can hit
this problem from a different angle?
So far this is my understanding
POST, BIOS, MBR, BOOTMGR, BCD, WINLOAD, USERINIT, EXPLORER, please correct me if I am wrong,
at what point is the boot animation shown? ( green bars that move from left to right )
at what point does the black screen with the cursor change over to the hourglass, because that is what is not happening
So far I dont know what is happening and I dont know why its happening. I have no leads, I have no symptoms, all I have is a "snapshot" or a backup point in time that I can try fixes, because it is guaranteed to black screen on the next reboot.
Again this is a VM so hardware is out of the question. This same issue is happening on physical machines so VM ware is out of the picture. On my test physical machine I installed no windows updates or third party software so that is no longer in
the equation, the only thing that changed from a base load was the system was joined to the domain. with the above GPO applied.
October 28th, 2011 8:26am
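Added example, not part of the original posts: a PowerShell check (written to run on PowerShell 2.0, the version shipped with Windows 7 and installable on Server 2008 SP2) that reports the Shell and Userinit values and whether BUILTIN\Users still has read access on both Winlogon keys discussed above. The function name Test-WinlogonKey and its SoftwareRoot parameter are made up for this example.

```powershell
# Added example, not code from the thread. Run it from an elevated 64-bit
# PowerShell on a machine that still boots (for instance the snapshot taken
# just before the failing reboot).

# Well-known SID of BUILTIN\Users; comparing SIDs avoids localized group names.
$UsersSid = 'S-1-5-32-545'

function Test-WinlogonKey {
    param(
        # Registry root that holds the SOFTWARE hive. For a hive loaded in
        # regedit under the name used in the thread, pass 'HKLM:\mySoftware'.
        [string]$SoftwareRoot = 'HKLM:\SOFTWARE'
    )

    $relative = 'Microsoft\Windows NT\CurrentVersion\Winlogon'
    $paths = @(
        "$SoftwareRoot\$relative",              # native (64-bit) view
        "$SoftwareRoot\WOW6432Node\$relative"   # 32-bit view, the one HijackThis reads
    )

    $readKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($path in $paths) {
        $report = @{
            Key = $path; Exists = $false; UsersCanRead = $null
            UsersDenied = $null; Shell = $null; Userinit = $null
        }

        if (Test-Path -Path $path) {
            $report.Exists = $true

            # Explicit and inherited ACEs, with identities returned as SIDs.
            # Inherit-only ACEs do not apply to the key itself, so skip them.
            $rules = (Get-Acl -Path $path).GetAccessRules(
                        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object {
                    $_.IdentityReference.Value -eq $UsersSid -and
                    (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)
                }

            # An Allow ACE must carry every ReadKey bit; any Deny ACE that
            # touches one of those bits is enough to break reads.
            $report.UsersCanRead = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.RegistryRights -band $readKey) -eq $readKey)
            }).Count -gt 0
            $report.UsersDenied = @($rules | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                (([int]$_.RegistryRights -band $readKey) -ne 0)
            }).Count -gt 0

            # The values HijackThis listed as empty in the F2 lines.
            $values = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $report.Shell    = $values.Shell
            $report.Userinit = $values.Userinit
        }

        New-Object PSObject -Property $report |
            Select-Object Key, Exists, UsersCanRead, UsersDenied, Shell, Userinit
    }
}

# Only ACEs that name BUILTIN\Users are evaluated; read access granted through
# another group (Authenticated Users, Everyone) is not counted.
Test-WinlogonKey | Format-List
```

Comparing the output from a freshly built machine with the output after the GPO's registry permission changes have applied shows whether the policy is what removed the read ACE.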
Are you able to launch Task Manager by pressing Ctrl+Alt+Del at the black screen?
Did you install any new software to these machines?
From reading through the posts, there is a good likelihood that the issue is caused by a common software or the GPOs you have applied.
Can you create a new System, make sure it boots up correct for few times, then join it to your domain and apply the above policies you mentioned and see if the new system reproduces the error condition? Taking a snapshot before joining to domain would be
advisable.
started making a pretty detailed GPO (see below) to lock the systems down, which included registry entries and permission changes -
What are these registry and permission changes? There is a high probability that these changes might have caused the issue.
What is the SP level?
Additionally here are some known hotfixes for black screen issues:
976427 Computers that are running Windows 7 or Windows Server 2008 R2 stop responding at a black screen if a screen saver is enabled
http://support.microsoft.com/default.aspx?scid=kb;EN-US;976427
975484 Your computer may freeze or restart to a black screen that has a "0xc0000034" error message after you install Service Pack 1 on Windows 7 or Windows 2008 R2
http://support.microsoft.com/default.aspx?scid=kb;EN-US;975484
2410477 A computer that is running Windows 7 or Windows Server 2008 R2 stops responding when you put the computer in sleep mode (S3) or resume the computer from the S3 mode
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2410477
981275 A UEFI-enabled computer may "hang" at a black screen in the startup process for Windows 7 or Windows 2008 R2
954429 A multiprocessor computer that is running Windows Server 2003, Windows Vista, or Windows Server 2008 stops responding on a black screen after you resume the computer from hibernation
Sumesh P - Microsoft Online Community Support
November 2nd, 2011 6:13am
Hello,
Its nice to have some interaction in this forum! The server is SP2. The Win 7 machines are SP1.
I did install a few third party applications such as AV etc on the original machine.
Yes I did make a test machine with NO win updates, and NO third party apps, I joined the Domain and it did the same thing. CTRL ALT DEL does nothing, CTRL ALT ESC either. It is definitely hanging on the process before explorer is loaded, like the system
does not have permissions to run explorer.
Once it black screens there is no recovering that I have found. I tried start-up recovery on a WIN7 Prof machine with no luck.
Thank you for the resources, unfortunately I have already gone through those, most of them are referring to resuming after hibernation or screen saver but this is on boot. No machines are allowed to hibernate. And I have never had an issue resuming from
screensaver. Or they refer to a stop message in which I am not receiving. The system runs fine until I reboot then it hangs.
November 3rd, 2011 8:47am
Ok, with that it is pretty clear that the issue is most likely caused by one of the settings in the GPO.
Disable the GPO and does the PC behave like this when joined to domain?
You can use process monitor and enable boot logging to find out if there are permissions issues during boot time.
Download process monitor and set 'Enable Boot Logging' from the options menu.
Shutdown and then access the file c:\windows\procmon.pmb
Sometimes when the file becomes large, it is split into multiple files ending with procmon.pm1, .pm2 etc
Share or analyze the log to look for access denied errors
Sumesh P - Microsoft Online Community Support
November 4th, 2011 6:23am
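Added example, not part of the original posts: one way to do the "look for access denied errors" step once the Process Monitor boot log has been saved as CSV. The sample rows are constructed for illustration in the column layout of a Process Monitor CSV export, and the function name Get-BootAccessDenied, its PathPattern default and the file path in the comment are assumptions.

```powershell
# Added example, not code from the thread. The rows below are constructed
# sample data, not output from the poster's machines.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:47:01.1000000 AM","winlogon.exe","512","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS","Desired Access: Read"
"8:47:09.2000000 AM","userinit.exe","1432","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","ACCESS DENIED","Desired Access: Read"
"8:47:09.2100000 AM","userinit.exe","1432","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","ACCESS DENIED","Desired Access: Read"
"8:47:09.3000000 AM","userinit.exe","1432","RegOpenKey","HKLM\SOFTWARE\ExampleVendor","ACCESS DENIED","Desired Access: Read"
"8:47:10.0000000 AM","svchost.exe","880","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Example\Start","NAME NOT FOUND","Length: 16"
'@

function Get-BootAccessDenied {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Rows,

        # Regex applied to the Path column. The default narrows the result to
        # the logon chain the thread is about: the Winlogon key, userinit.exe
        # and explorer.exe. Pass '.' to see every denied operation.
        [string]$PathPattern = '\\Winlogon|userinit\.exe|explorer\.exe'
    )

    $Rows |
        Where-Object { $_.Result -eq 'ACCESS DENIED' -and $_.Path -match $PathPattern } |
        Group-Object -Property 'Process Name', 'Operation', 'Path' |
        ForEach-Object {
            # One summary row per process/operation/path, with a hit count
            # and the time of the first denied attempt.
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Process   = $first.'Process Name'
                Operation = $first.Operation
                Path      = $first.Path
                Count     = $_.Count
                FirstSeen = $first.'Time of Day'
            } | Select-Object Process, Operation, Path, Count, FirstSeen
        }
}

# With a real export, replace the sample with something like:
#   $rows = Import-Csv 'C:\Temp\bootlog.csv'    # hypothetical path
$rows = $sampleCsv | ConvertFrom-Csv

Get-BootAccessDenied -Rows $rows | Format-Table -AutoSize
```

On the sample data this returns a single row for userinit.exe with a count of 2 on the Winlogon key; the ExampleVendor denial is dropped by the path filter and the NAME NOT FOUND row by the result filter.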
Is this the same as the boot logging that is enabled in the Advanced startup options, making a log file called ntbootlog.txt in the %system% folder? As I do have that output already. Since the machine I currently need to recover is the domain
controller I will run DC promo on it and Demote it and see if it boots correctly.
November 7th, 2011 6:34am
No it is not.
The suggested route is to use the process of elimination with the GPOs being applied.
Sumesh P - Microsoft Online Community Support
November 7th, 2011 6:38am
Wow that process monitor is an awesome tool!
I disabled all of the GPOs and ran DCPROMO, Deleted the domain and rebooted, with the same results- Black screen on boot,
So I rolled the virtual machine back and installed process monitor, enabled boot logging and rebooted, Now I get a blue screen error Bad Pool Caller, I also tried booting in Safe mode with the same results.
I have saved the log file and I am trying to open it on another PC now
November 7th, 2011 7:40am
It seems as if the file is becoming corrupted at the blue screen, and cannot be opened. There is no memory.DMP file either. I have also told the system to create a mini dump file at this time instead and I cannot find that under c:\windows or c:\windows\system32.
November 7th, 2011 9:00am
Disabling the GPOs after the security changes are made doesnt revert them back, so it is not of much use in troubleshooting.
Since process monitor is not working for you either, I suggest you consider opening a paid support ticket if you like more assistance and in-depth troubleshooting.
Sumesh P - Microsoft Online Community Support
November 7th, 2011 9:28am
A couple of questions related to the GPO:
Did you create new GPO or edit the Default Domain Policy when you originally created?
Also when you say you disabled GPO and promoted DC out of domain does this mean you removed Active Directory totally by removing the domain? Have you reproduced this in another domain by chance?
November 27th, 2011 2:25pm
created new GPOs - a locked down version for each of the different types of machines in my AD. Yes - since the DC is a virtual I snapshotted all of the machines- shutdown all but the DC- then DCPROMO to destroy the domain to see if this allowed for the system
to boot properly, but it made no change.
So I see my last post was reported as abusive- I guess the world is not ready for the truth.
BTW this post has had 667 views as of now, and there are a hundred other posts about this issue without an answer - so its obvious I am not the only one having this issue
December 5th, 2011 6:38am
Hi,
got similar problem like you - after power failure (even UPS didn't help) one VM with Windows 2008 R2 x64 and domain services got blank screen with cursor (on VMware ESXi ).
ctrl+shift+esc, safe mode, debug mode, ad restore services, repair mode - nothing helps.
Found some links on internet:
http://www.topitproviders.net/index.php/2011/07/20/windows-server-2008-boots-to-black-screen-with-mouse-cursor/
http://social.technet.microsoft.com/Forums/en-GB/winserversetup/thread/506aad18-576f-412b-96eb-12426a2cee17
http://projectdream.org/wordpress/2009/03/03/windows-server-2008-and-the-black-screen-of-waiting/
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1011709
Nothing helps. Tried registry trick, even loading registry hive from d:\windows\system32\config\SYSTEM, in repair mode renamed vmware tools folder.
My big guess is that it's vmware tools-related or windows updates-related issue.
Maybe you will be more lucky with provided links.
December 11th, 2011 4:40pm
Hi,
finally got it working:
1. Start repair mode.
2. Go to command prompt:
d: (or disk, where your windows is located).
cd \Windows\System32\config
mkdir oldreg
move DEFAULT oldreg\
move SAM oldreg\
move SECURITY oldreg\
move SYSTEM oldreg\
move SOFTWARE oldreg\
copy RegBack\DEFAULT .\
copy RegBack\SAM .\
copy RegBack\SECURITY .\
copy RegBack\SYSTEM .\
copy RegBack\SOFTWARE .\
3. Reboot server to normal mode.
If it does not help, you can try to rename EventLog files (possibly corrupted):
move \Windows\System32\winevt\Logs \Windows\System32\winevt\Logs-old
mkdir \Windows\System32\winevt\Logs
Regards,
Eimantas
December 14th, 2011 9:47am
Had the same issue, but still unaware of root cause. Has someone managed to identify?
February 17th, 2012 7:39am
Of course now this issue has come up again now... Thank you, Eimantas as
your post was a very good thought. Unfortunately neither of these seemed to resolve the issue. Sorry, Anatolii no
this issue has never been resolved. another mystery of the universe I guess.
June 20th, 2012 8:58am
I had the issue before on my 64bit Servers and Win7 pcs, and the only thing that worked then was to rebuild or reinstall, but after a while the issue disappeared. So today I had problems with account lockouts, and decided to enable
a policy that ran a startup script to RUN the KILL KIDO removal tool. Turns out that this was the cause of my Black Screen. Since I didn't have a snapshot of my Virtual Machine, I started up the VM with last known good configuration and scheduled
CHKDSK /R /F, disabled the above GPO (after reading the post above about GPOs ) which I most recently enabled and the VM started up normally. So just to be sure this was the actual cause, I restarted the VM one more time and It still booted normally. Then
I re-enabled the GPO and restarted the VM and the Black screen was back. So I tried my previous fix and problem was resolved. I repeated this scenario at least 5 times and had the same results, so I'm certain now that my issue had to do with the GPO (or
more precisely the startup script). Hope this helps.
June 20th, 2012 10:27am