[SOLVED] Error '\systemroot\system32\config\software was corrupted and it has been recovered'

What kind of info are you seeing in the event log?
At this point (3 am) I am exhausted.
This is obviously not for the money but for the challenge and learning experience.
A couple of hours ago I ran SFC and Chkdsk (both for the third time) and they ran clean.
Currently, I am downloading 'DriverPack Solution' and will try to run it on the Acer.
Afterwards, I will reboot in Windows Mode and then SAFE Mode and post the errors in this thread.
I have been working on the software trial and have not tried pulling a ram chip out yet.
 
OK, get a good night's rest and tomorrow let us know what the event viewer is saying. I'd expect to see something that would give us a lead here.

If nothing illuminating on the prior two steps, back up the registry hives and copy in all the hives from \Regback.

Check the serial number against updates available from Acer as well.

Are there any add-in cards, wireless NIC or the like?

Running on one RAM chip, then the other would be a good route too, if the prior steps don't yield any good info.

This PC may not have the most stellar power supply known to computing, so check your voltages in BIOS and with a multimeter.
 
Last night at some point, everything seemed stable (after restoring the 'software' hive).
I probably rebooted a couple of times then did an image backup.
I just restored that 'stable' image backup, shut down the computer and powered it up again.
I then filtered the event viewer to only include critical, error and warning.
I then copied the three events into WordPad.
As soon as I clicked 'save' within WordPad the following message popped up '"documents.library-ms" is no longer working. This library can be safely deleted from your computer. Folders that have been included will not be affected'.

Below are the contents of both the System and Application logs before the WordPad message appeared:

System 12:04:34
Log Name: System
Source: Microsoft-Windows-Kernel-PnP
Date: 26/05/2013 12:04:34 PM
Event ID: 219
Task Category: (212)
Level: Warning
Keywords:
User: SYSTEM
Computer: Erin-Lily-PC
Description:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63616420&0#.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-PnP" Guid="{9C205A39-1250-487D-ABD7-E831C6290539}" />
<EventID>219</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>212</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2013-05-26T16:04:34.893647800Z" />
<EventRecordID>433000</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="52" />
<Channel>System</Channel>
<Computer>Erin-Lily-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="DriverNameLength">119</Data>
<Data Name="DriverName">WpdBusEnumRoot\UMB\2&amp;37c186b&amp;1&amp;STORAGE#VOLUME#_??_USBSTOR#DISK&amp;VEN_GENERIC-&amp;PROD_COMPACT_FLASH&amp;REV_1.01#058F63616420&amp;0#</Data>
<Data Name="Status">3221226341</Data>
<Data Name="FailureNameLength">14</Data>
<Data Name="FailureName">\Driver\WUDFRd</Data>
<Data Name="Version">0</Data>
</EventData>
</Event>
-------------------------------------------------------------
System 12:04:41
Log Name: System
Source: Microsoft-Windows-Wininit
Date: 26/05/2013 12:04:41 PM
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Erin-Lily-PC
Description:
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2013-05-26T16:04:41.664059600Z" />
<EventRecordID>433006</EventRecordID>
<Correlation />
<Execution ProcessID="536" ThreadID="572" />
<Channel>System</Channel>
<Computer>Erin-Lily-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="StringCount">2</Data>
<Data Name="String">C:\PROGRA~2\IMESHA~1\Mediabar\Datamngr\x64\datamngr.dll</Data>
<Data Name="String">C:\PROGRA~2\IMESHA~1\Mediabar\Datamngr\x64\IEBHO.dll</Data>
</EventData>
</Event>

---------------------------------------------------------------
Application 12:06:07
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 26/05/2013 12:06:07 PM
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Erin-Lily-PC
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" />
<EventID Qualifiers="49152">10</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-05-26T16:06:07.000000000Z" />
<EventRecordID>37227</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Erin-Lily-PC</Computer>
<Security />
</System>
<EventData>
<Data>//./root/CIMV2</Data>
<Data>SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage &gt; 99</Data>
<Data>0x80041003</Data>
</EventData>
</Event>
-----------------------------------------------------------------
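Added example, not part of the original posts: the Wininit Event ID 11 above is the AppInit_DLLs warning, and its EventData lists every DLL set to load into each process that loads user32.dll, so those paths are the first thing to pull out when a machine cannot run programs normally. The sketch below parses exported Event XML for the two System-log events in this thread; the `triage` function name, the trimmed XML and the "outside C:\Windows" review heuristic are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HDR = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'

# Sample input: the two System-log events from the post, trimmed to the fields read below.
WININIT_11 = HDR + r"""<Provider Name="Microsoft-Windows-Wininit" /><EventID>11</EventID>
</System><EventData><Data Name="StringCount">2</Data>
<Data Name="String">C:\PROGRA~2\IMESHA~1\Mediabar\Datamngr\x64\datamngr.dll</Data>
<Data Name="String">C:\PROGRA~2\IMESHA~1\Mediabar\Datamngr\x64\IEBHO.dll</Data>
</EventData></Event>"""
PNP_219 = HDR + r"""<Provider Name="Microsoft-Windows-Kernel-PnP" /><EventID>219</EventID>
</System><EventData><Data Name="Status">3221226341</Data>
<Data Name="FailureName">\Driver\WUDFRd</Data></EventData></Event>"""


def triage(event_xml):
    """Return a short finding for one exported event, or None if it is not handled."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = root.findall("e:EventData/e:Data", NS)
    if (provider, event_id) == ("Microsoft-Windows-Wininit", 11):
        dlls = [d.text for d in data if d.get("Name") == "String"]
        declared = int(next(d.text for d in data if d.get("Name") == "StringCount"))
        # Assumed heuristic: anything outside C:\Windows needs a known, trusted owner.
        review = [p for p in dlls if not p.lower().startswith("c:\\windows\\")]
        return {"kind": "appinit_dlls", "dlls": dlls,
                "complete": declared == len(dlls), "review": review}
    if (provider, event_id) == ("Microsoft-Windows-Kernel-PnP", 219):
        fields = {d.get("Name"): d.text for d in data}
        # Status is logged as unsigned decimal; NTSTATUS values are looked up in hex.
        return {"kind": "driver_load_failed", "driver": fields["FailureName"],
                "ntstatus": "0x%08X" % int(fields["Status"])}
    return None


if __name__ == "__main__":
    for xml_text in (PNP_219, WININIT_11):
        print(triage(xml_text))
```

The paths it returns can then be compared with the `AppInit_DLLs` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`, which is stored in the same SOFTWARE hive named in the thread title.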
 
Event from Windows Logs posted.
 
This is starting to sound more and more like a RAM issue. Pull both sticks and put in ONE different stick that you know to be good.

Have you checked with ASUS for driver/bios updates?
 
No, I haven't done either yet.
I thought it would be a good idea to go back to a 'stable' time and move forward from there.
I will swap the RAM a little later today and report back.
Thank you for the suggestion.
 
Arrgh! I meant Acer, not ASUS!

OTOH, a BIOS update might not be the best thing to attempt if you're running with flaky RAM. I'd try the RAM first and see if there's any difference.
 
Log Name: System
Source: Microsoft-Windows-Kernel-PnP
Date: 26/05/2013 12:04:34 PM
Event ID: 219
Task Category: (212)
Level: Warning
Keywords:
User: SYSTEM
Computer: Erin-Lily-PC
Description:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&1&STORAGE#VOLUME#_??_ USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63616420&0#.

Ignore this error, it means nothing.
Log Name: System
Source: Microsoft-Windows-Wininit
Date: 26/05/2013 12:04:41 PM
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Erin-Lily-PC
Description:
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

I've seen this issue two ways. 1 is with Kaspersky (primarily) and other anti-virus programs at boot up. It is usually something I ignore because what you have to fix isn't there to begin with 9/10 times.

Log Name: Application
Source: Microsoft-Windows-WMI
Date: 26/05/2013 12:06:07 PM
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Erin-Lily-PC
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Easy fix... so easy, Microsoft has it on their site. The hotfix is 50688.

Look at the event log again, tear it apart. I doubt it's the hardware, unless device manager says so, or BIOS is telling you it's been disabled. Go to event viewer, custom views, administrative events. What's there? Don't look at warning, criticals and errors only. If you see a critical followed by several warnings all at the same time, you have something that's messing up other things. If you have a critical or error and then a long list of errors, same thing. Try to install something, what does event viewer say? Was it successful? Try to uninstall something (preferably what you just installed). Same thing, what's in event viewer? Open, close programs. What's event viewer saying? Go back to your original issue, what was going wrong? What else was happening at that time?
A client brings in her computer saying that she "can't get any programs to run, the computer seems to be OK in safe mode but that mode is too limited".

I wish ya luck buddy
 
An update (final I hope).
I ended up nuking the computer.
I have to admit that I hate throwing in the towel.
 
Well, you gave it a good go, but one can only spend so much time on that kind of stuff.

Did you ever get around to swapping out the RAM? Just curious.
 
I didn't read if you tried a repair install before you nuked it. That helps me about 2/5 times.
 
No, I ran out of time due to other commitments and the client wanting the computer back.
At one point I did try running on one of her sticks of RAM rather than two but that did not improve the situation.
 