The infamous trashing of C:\windows\system32\config\system registry hive

This is a followup to a few other threads where users have described an association between this particular registry corruption and CSC. For example, https://forums.comodo.com/comodo_system_cleaner_fileregistryprivacy_cleaner/windowssystem32configsystem-t37903.0.html and https://forums.comodo.com/empty-t41245.0.html.

On many of the systems where I’ve run the most recent versions of CSC, this is ultimately the outcome.

At first, I thought there might be some effect from Symantec Antivirus Corporate Edition, so I began removing it before running CSC, but it made no difference.

Recently, I had four SP2 (service pack 2) systems which I intended to upgrade to SP3 (service pack 3).

Separately from this situation, CSC claims it will back up the registry, although it’s not clear what it’s doing here. It doesn’t seem to be creating a system restore point, and it’s not clear, even if it had, how one could revert it. Anyway, on the first reboot after running it, about half the time it throws up a dialog asking to FINALIZE the changes. The other half of the time, there is no dialog. In either case, the second reboot is the kicker. There are two basic outcomes: it either works or it trashes the registry. When it works, there is no problem and the system is good. When it doesn’t, it may either result in the “corrupted system registry hive” message at boot, or it may blue-screen at some earlier point.

On one system with SP2, after I ran CSC and rebooted twice, I was able to install SP3 and reboot, allow the SP3 postinstallation to run but when I logged in, it immediately blue-screened. At the next reboot, the system registry hive was corrupted.

On another system with SP2, I also rebooted twice after running CSC and tried to install SP3. It blue-screened during the installation. So I used system restore to get it back to the point before running CSC. Then I tried CSC again and tried installing SP3 in safe mode. This succeeded and it rebooted to run the SP3 postinstallation. On the subsequent boot, however, it failed to boot with the system registry hive error.

On a third system, the behavior was essentially identical.

On a fourth system, I wanted to run a test to see if CSC was really responsible, so I decided to upgrade it to SP3 first. This succeeded and I rebooted and it ran its postinstallation tasks, then I rebooted again and logged in. No problem. The system seems to be stable. So I ran CSC. I rebooted and presumably it finalized without prompting me. So I rebooted again. So far so good. I logged in. After about 15 seconds, blue screen, which was similar to the first case I described above. And again, I rebooted and was greeted with the infamous system registry hive corruption error.

I decided to restore this fourth system from backup, so right now I have access to an SP2 system that I believe will reliably become corrupted from running CSC and installing SP3.

By the way, all these systems are ordinary Dell desktops used by secretarial staff. The most unusual hardware is a wireless mouse.

I believe it is reasonable to conclude CSC is somehow damaging the registry such that SP2 systems are not affected but SP3 usually is. I have other SP3 systems affected this way, although I can’t say for certain they were installed that way or had once been SP2 and were upgraded at some point in the past. I suppose that is also a possibility.

However, I’ve had at least one system with SP2 that accepted CSC’s registry cleaning and upgraded to SP3 with no ill effect, so it can work, although this is uncommon!

I’m attaching the registry log from CSC from the third and fourth systems described above. There is no guarantee, however, that CSC does everything the log says, or whether it does something missing from the log, but hopefully it’s helpful in getting to the bottom of this.

I’ve never run CSC before doing all available Windows updates myself.

Personally, my procedure involves the following steps.

  1. Spyware check and elimination (should there be any suspicion): Spybot to be thorough, though many times the new IObit Security 360 will suffice. If Spybot, remove after use. If IObit Security 360, it’s kinda handy, so removing it is optional.
  2. Updates of Windows and other on-board software, installation of necessary tools and additional software, and removal of other undesirables (sometimes that includes inferior security suites) [I throw in my favorite defragger at this time, MyDefrag].
  3. Cleaners and optimizers: IObit SystemCare Free (I run a few of its utilities as well, specifically Disk Cleaner and Internet Booster), CCleaner, CSC (in that order) without backups or safe deletion or logs. Do this twice under maxed out settings. Reboot.
  4. Addition of CIS if security is not previously available or client has opted to switch followed by definition updates.
  5. Operations check and miscellaneous troubleshooting. Running cleaners afterward is a favorable option.
  6. Disable the page file and System Restore before rebooting into safe mode to run cleaners for every user account before going into the built-in Administrator account. Cleaners as well, single pass.
  7. Run command “fsutil usn deletejournal /n c:”.
  8. Run MyDefrag’s Slow Optimize algorithm, twice.
  9. Reboot a couple of times into a regular account with the page file and System Restore re-enabled (the latter is optional if speed is a concern). Let whatever indexers compile their databases and let all disk activity settle down each time before the next course of action.
  10. Run MyDefrag’s Fast Update algorithm, twice.
  11. Enjoy.

Thus far I’ve done this on numerous (I’ve lost count once I hit double digits) computers without fail, give or take a few variations.
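Step 3 above runs the cleaners without backups or logs, and the first post notes that it is unclear what CSC’s own backup actually does. The script below is an added example (not from any poster in this thread and not Comodo’s code) that snapshots the live hives before a cleaner touches them, so a “corrupted system registry hive” boot error can be recovered from a known-good copy. It assumes an elevated PowerShell session with reg.exe available; the destination folder and the hive list are assumptions.

```powershell
# Added example: save loadable copies of the registry hives before running any cleaner.
# Assumes elevated PowerShell and reg.exe; hive list and destination are assumptions.
function Backup-RegistryHives {
    param(
        [string]$Destination = "C:\HiveBackup",
        # HKLM\SYSTEM is the hive the boot error in this thread names; SOFTWARE is
        # included because cleaners rewrite it heavily (assumption, adjust as needed).
        [string[]]$Hives = @("HKLM\SYSTEM", "HKLM\SOFTWARE")
    )
    $stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
    $target = Join-Path $Destination $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Best effort: a restore point gives a second recovery path when System Restore is on.
    try { Checkpoint-Computer -Description "pre-cleaner $stamp" -ErrorAction Stop }
    catch { Write-Warning "No restore point created: $($_.Exception.Message)" }

    $manifest = @()
    foreach ($hive in $Hives) {
        $file = Join-Path $target (($hive -replace '[\\:]', '_') + ".hiv")
        # reg.exe save writes a loadable copy of the live hive; /y overwrites silently.
        & reg.exe save $hive $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg save failed for $hive (exit $LASTEXITCODE)" }
        $size = (Get-Item $file).Length
        if ($size -eq 0) { throw "Empty hive file written for $hive" }
        # Record a SHA-256 so the copy can later be checked for truncation or tampering.
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::OpenRead($file)
        try { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString("x2") }) -join "" }
        finally { $fs.Close() }
        $manifest += "{0}  {1}  {2}" -f $hash, $size, $file
    }
    Set-Content -Path (Join-Path $target "manifest.sha256") -Value $manifest
    return $target
}

# Usage: run before the cleaners, then copy the folder off the volume being cleaned.
$backupDir = Backup-RegistryHives
Write-Host "Hive snapshot written to $backupDir"
```

A file written by reg.exe save is a raw hive, so on a machine that no longer boots it can be copied over C:\windows\system32\config\system from the Recovery Console or from another OS.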

Hi,

Mauricev, I understand the scenario you described and the symptoms, but you never said what version of CSC you have used or what security software you have installed. If this is the latest official version, 38, I think there might be something wrong with the SP3 update package, as there are now many variants of modified and customized setups. We tested CSC 38 for a long time with SP3 but never encountered a BSOD (bluescreen) or registry corruption, and we never received feedback of CSC conflicting with SP3.

Thank you for your support.

but you never said what version of CSC you have used or what security software you have installed. If this is the latest official version, 38

Yes, 38. I’ve had 6 systems altogether where this happened. The four above were all SP2 to SP3, but I don’t remember about the others; it’s possible they were as well. I’ve run it on four other SP3 systems without a problem, so it can work at times.

I think there might be something wrong with the SP3 update package

Downloaded fresh each time from Windows Update!

or what security software you have installed

Since you were claiming Norton Protect 360 caused a similar problem, I had removed our Symantec antivirus before running the SP3/CSC on these 4 systems.

We tested CSC 38 for a long time with SP3 but never encountered a BSOD (bluescreen) or registry corruption, and we never received feedback of CSC conflicting with SP3.

I have a computer right now where I’m pretty sure that if I applied SP3 and ran CSC, it would BSOD and trash the registry. This is a reproducible bug. Also, I referenced a few other threads where it seemed CSC was damaging the registry as well.

I also have a copy of a trashed registry.

Hi,

We analyzed your CSC logs and found some suspicious deleted entries specific to Dell. I assure you, the problems you encountered are not from updating from SP2 to SP3, as we tested on many occasions on XP SP3 computers. It might be triggered by Dell driver/software.

Please tell me if Dell has created a Dell folder in the root of the C drive instead of the standard drivers location in system32 (it should look like C:\Dell).

You didn’t tell me yet what security software you are using; you just told me you have removed Norton 360. Are you using other antivirus, firewall or anti-spyware products? And besides that, make sure that Norton 360 is properly removed (especially from this path: “C:\windows\system32\drivers\N360”).

If you can, please tell me, or make a screenshot of the programs from the Add/Remove menu in Control Panel and post it here (make an archive if it’s too big).

Thank you for your support.

We analyzed your CSC logs and found some suspicious deleted entries specific to Dell. I assure you, the problems you encountered are not from updating from SP2 to SP3, as we tested on many occasions on XP SP3 computers. It might be triggered by Dell driver/software.

From the testing I did, it seemed SP2 post-CSC was working, and SP3 upgraded from SP2 without CSC was working, so this suggests that even if Dell software is involved, CSC is somehow triggering it, but only in the SP3 state.

Please tell me if Dell has created a Dell folder in the root of the C drive instead of the standard drivers location in system32 (it should look like C:\Dell).

On an affected system where I have access to the pre-crash state, it does and I expect they all do. I’m attaching a screenshot of its contents. But I don’t see anything from it installed in Add/Remove Programs.

You didn’t tell me yet what security software you are using; you just told me you have removed Norton 360. Are you using other antivirus, firewall or anti-spyware products? And besides that, make sure that Norton 360 is properly removed (especially from this path: “C:\windows\system32\drivers\N360”).

There is no Norton 360; I just mentioned it because it gave you problems. We have Symantec Antivirus Corporate Edition and no other security software installed. I’m fairly sure any drivers it installs are getting removed, although I didn’t specifically scan the directory for them.

If you can, please tell me, or make a screenshot of the programs from the Add/Remove menu in Control Panel and post it here (make an archive if it’s too big).

Attached. Here you are looking at a pre-crash system before I removed Symantec.


Hi,

We will recreate your environment (XP SP2 to SP3, Symantec Antivirus, etc.) in order to reproduce your scenario. I will get back to you after we’ve completed testing to inform you whether we encountered the same results.

Thank you for your support.

Great. Three more things to note: 1) it can work and has done so on 4 systems, all Dells; 2) three of the six failing systems were Dell Optiplex G745 systems and the fourth was an Optiplex G755; 3) these four failing systems had had Windows Update running for quite some time, adding in updates post-SP2.

I decided to give the system I restored another go, but this time using jv16 PowerTools to clean the registry instead and it upgraded cleanly with no problem. This seems to further support the notion that CSC is the culprit.