travis' brain dump

STOP: C0000135 The program can’t start because %hs is missing. Try reinstalling the program to fix this problem.

by on Nov.28, 2011, under Tech Stuff

  

Well, if it was only that easy eh?

So, poor Andy brings me his laptop with this error. Seems he’d contracted a virus earlier in the day and in the process of cleaning the virus out, rebooted his machine and up pops the error ” STOP: C0000135 The program can’t start because %hs is missing. Try reinstalling the program to fix this problem.” Whoops!?

So we buggered around with the system quite a bit last night and tried to figure out the root cause of the issue. He had mentioned attempting to install AVG so we had started there with the though that it might be the cause, but he couldn’t be sure since he didn’t actually get the install to launch since his system was acting like a complete maniac anyway. Well, further investigations uncovered that AVG had, in fact, not made it to the hard drive. So what now?

Fortunately, the error is pretty straightforward if you read it. It basically states that the system is having a problem launching off some type of program at boot-up. Due to the nasty blue-screen nature of this thing, it’s safe to assume it wasn’t something that lived in the regular ole startup/runOnce/run section of the registry and it behaved a lot like an error I’d seen before due to a csrsss.exe/winlogin issue. Not a full-blown blue screen with a nice kernel dump, but pretty annoying none-the-less. So, with csrss on my mind and a couple of pointers over googling some ideas, the solution came out of the following:

The virus which he had contracted, modified the registry settings under:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

The value ‘Windows’ was changed from:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

to this:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

The called ‘consrv’ is part of the virus that was implanted into his machine and when he cleaned it up, the dll went missing, thus causing the system to EXPLODE on bootup. Upon loading up the ole trusty Hiren’s BootCD in MiniXP mode and launching a registry editor from it, I was able to modify the two keys from their viral consrv entries back to winsrv.

With all that cleaned up, I was able to run another viral scan against the system, remove any other traces of such things that I could detect and the system now boots correctly. Unfortunately, there aren’t many things that can change in these fields that won’t spin off other types of error messages so if this particular error rears it’s head and you’re not running AVG and this fix doesn’t resolve it… it’s probably reload time. Also, if you happen to jack-up the entries in the registry, you may encounter a STOP: C000021a error on bootup. That usually happens when you’ve mistyped something in the registry entry while resolving this issue.


2 Comments for this entry

  • sjw

    Thank you Sir, this saved me a lot of research time and a possible Format. I was able to get to (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) but could not find the differences until I found your blog. Its so obvious now. Much Appreciated.

  • Travis

    You’re welcome. That’s why I posted it… It took me FOREVER to find out how to fix this thing and figured it only fair to the community to share the solution. Glad it helped out!

Leave a Reply

You must be logged in to post a comment.

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!