
SOLVED: STOP: C0000135 The program can’t start because %hs is missing. Try reinstalling the program

September 14th, 2011

Update 21 Jan 2012: I have noticed that this consrv.dll virus is back again this week. It also seems to have some friends, so make sure you do a scan with TDSSKiller and, once you’re up and running, check that your Base Filter Engine Service, Windows Firewall Service and Security Center Service are running. If they aren’t, take a look at my blog entry on fixing a missing BFE in Windows 7. Also, if you are clueless on how to edit the registry from the recovery console, take a look at Web Traffic’s post from 4 Dec 2011 or Nick’s comments below from 20 Jan and my comment from 24 Jan 2012; these may help (and remember to unload the hive when you are finished with the edit).

This was a Windows 7 machine that had caught a virus. The virus was removed while the drive was out of the machine, but on the next boot, in either safe mode or normal mode, the blue screen error “STOP: C0000135 The program can’t start because %hs is missing. Try reinstalling the program” would appear. There were no error logs and no help on The Google (the computer does not have AVG installed).

The fix for this problem requires a registry edit to remove a reference to consrv.dll, the virus file that had been removed. Using regedit from the repair console, the following keys required editing:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

Under these keys, edit the data in the value named “Windows”, changing the text “consrv” to “winsrv”. This is a long string, so just read through it and make the one change. Here is what a good entry looks like:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

I have bolded the entry that previously said “consrv”.
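An added example, not part of the original post: a small Python check that reads the text printed by reg query for the SubSystems keys of an offline hive and flags any ServerDll entry that is not in the good value shown above. The hive name TEST_DEVICE is the one used in the comments below; the sample output is constructed, and it assumes the altered entry was the ConServerDllInitialization one, which the post does not state.

```python
import re

# ServerDll names that appear in the known-good "Windows" value quoted in the post.
STOCK_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# One data line of "reg query" output:  <name>    <REG_TYPE>    <data>
_VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
# ServerDll=<dll>[:<init routine>],<id>
_SERVER_DLL = re.compile(
    r"ServerDll=(?P<dll>[^:,\s]+)(?::(?P<init>[^,\s]+))?,(?P<id>\d+)")


def parse_reg_query(text):
    """Map each queried key path to the data of its 'Windows' value."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and key and m.group("name").lower() == "windows":
            values[key] = m.group("data").strip()
    return values


def audit_value(data):
    """Return a list of findings for one SubSystems 'Windows' value."""
    findings = []
    entries = [m.groupdict() for m in _SERVER_DLL.finditer(data)]
    if not entries:
        findings.append("no ServerDll entries found (wrong key or truncated value?)")
    for e in entries:
        if e["dll"].lower() not in STOCK_SERVER_DLLS:
            findings.append(
                f"unexpected ServerDll {e['dll']!r} (init={e['init']}, id={e['id']})")
    seen = {e["dll"].lower() for e in entries}
    for dll in sorted(STOCK_SERVER_DLLS - seen):
        findings.append(f"stock ServerDll {dll!r} is missing")
    # The good entry in the post starts with the csrss.exe path.
    if not data.lower().startswith(r"%systemroot%\system32\csrss.exe"):
        findings.append("value does not start with the stock csrss.exe path")
    return findings


def audit_reg_query(text):
    """Audit every SubSystems key found in a block of reg query output."""
    return {key: audit_value(data) for key, data in parse_reg_query(text).items()}


def repair_value(data):
    """The post's fix as a string edit: a 'consrv' ServerDll becomes 'winsrv'."""
    return re.sub(r"(ServerDll=)consrv(?=[:,])", r"\1winsrv", data,
                  flags=re.IGNORECASE)


# The good value, copied from the post.
GOOD = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
        r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
        r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
        r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
        r"ProfileControl=Off MaxRequestThreads=16")

# Constructed sample: reg query output for a hive loaded as TEST_DEVICE, with
# ControlSet001 still pointing at consrv (assumed position) and ControlSet002 clean.
_KEY = r"HKEY_LOCAL_MACHINE\TEST_DEVICE\{cs}\Control\Session Manager\SubSystems"
SAMPLE = "\n".join([
    "",
    _KEY.format(cs="ControlSet001"),
    "    Windows    REG_EXPAND_SZ    " + GOOD.replace("winsrv:Con", "consrv:Con"),
    "",
    _KEY.format(cs="ControlSet002"),
    "    Windows    REG_EXPAND_SZ    " + GOOD,
    "",
])

if __name__ == "__main__":
    for key, findings in audit_reg_query(SAMPLE).items():
        print(key)
        for finding in findings or ["OK: only stock ServerDll entries"]:
            print("   ", finding)
```

Running it against every ControlSetNNN key in the loaded hive shows at a glance which control sets still need the edit.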

Alas, there are apparently (many?) other reasons for this error. If this doesn’t fix yours, you may want to give up early and reinstall, because there do not appear to be any other solutions out there.

  1. David Palafox
    September 28th, 2011 at 12:45 | #1

    My computer has this exact same problem. I looked into both registry entries, and the one under ControlSet002 I was actually able to modify. However, the one under ControlSet001, I tried to modify, but after doing so, clicking OK, then opening the entry again to verify, it’s back to consrv. If you have any thoughts or ideas on this, it’ll be greatly appreciated. Thanks in advance.

    • admin
      September 28th, 2011 at 20:08 | #2

      Hmmm. My immediate thought is that you are editing the registry from a still-infected computer and the virus is changing the entry back on you. Try making the changes either by booting into Safe Mode and running regedit or perhaps from the system repair screens (F8 at boot, Repair System, Command Prompt, regedit). You also might try doing some more virus checking, especially for boot-sector viruses. Malwarebytes is pretty good at that, you might also try TDSSkiller from Kaspersky.

  2. October 2nd, 2011 at 16:00 | #3

    I just want to say thank you for posting this. Working on someone’s computer and this was it. Something called OpenCloud Security caused the registry change.

  3. Nate
    October 10th, 2011 at 21:07 | #4

    Thanks for the info, pulled me out of a jam. I have one question though, how did you find out how to fix it? Did you just search for consrv in the registry knowing ahead of time that it was the infected dll?

    • admin
      October 10th, 2011 at 22:37 | #5

      Good question, and yes, I knew what I was looking for. The infection had substituted some files under the system32 folder so I replaced all of them with good copies. Then there was this consrv.dll there that just didn’t belong. When I tried to boot the computer and it wouldn’t, I figured maybe that was the bad guy. And it was.

  4. October 11th, 2011 at 13:57 | #6

    This just saved my arse…might I ask HOW exactly you found this registry key? I knew that Avira had removed “consrv.dll” but I wouldn’t think the file being in place would cause SMSS to load or not. Did you somehow compare the registry to a good copy? Or did you have preexisting knowledge of this key?

    Thanks again, you’re the man!!

    • admin
      October 11th, 2011 at 14:06 | #7

      Well I knew that consrv.dll had been deleted along with a number of other key Windows files, yet the computer would still not boot. I double-checked that I had replaced all the proper Windows files and during that process determined that consrv.dll did not belong on the machine at all. So, I deduced that in the registry there was a call to consrv.dll (now missing) that was preventing boot. From there, I searched the registry for the “consrv” string, compared what I found in those entries to a known good installation and made the changes recommended above.

  5. ray
    October 19th, 2011 at 15:30 | #8

    Damn, I have been looking to repair this error for a couple of days. Every time the scan removes the virus file it BSODs, grrrrrrrrrrrr. I almost had it sorted myself because I did a search through the registry for the file name but it didn’t show up.

    Any huge thanks for the post :OP

  6. bilgisiz
    October 27th, 2011 at 17:59 | #9

    I have the exact problem, but I can’t get into Windows (safe mode doesn’t work), so how can I open regedit?

    • admin
      October 27th, 2011 at 18:19 | #10

      If you’re on Vista or Windows 7 use your installation disk and choose “Repair”. You can open a command prompt and just run Regedit. If you’re on XP, I don’t think you can do that, Google’s your friend on that one.

  7. bilgisiz
    October 28th, 2011 at 05:37 | #11

    Hi. I ran regedit and looked up that line…. There is no ‘consrv’… it was already winsrv… so the entry is this….

    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

    So why does this error still go on?

  8. bilgisiz
    October 28th, 2011 at 05:39 | #12

    I don’t have any ControlSet002 by the way, just ControlSet001… and I have 64-bit Windows 7.

    • admin
      October 29th, 2011 at 15:53 | #13

      I’ve never seen a registry without a ControlSet002, but I suppose there are some reasonable reasons why you might not have one (see http://support.microsoft.com/kb/100010 for some insight). If you are not seeing the “consrv” entry then either you have a different problem or you’re looking in the wrong place/registry (see other comment from everettf).

  9. everettf
    October 29th, 2011 at 15:28 | #14

    Am having same problem. I looked at registry from recovery disk command prompt and did not see the consrv entry. Then I realized when booting with recovery disk the registry you see when using regedit from the command prompt is not the Windows 7 installed registry. I imported the actual Windows 7 installed registry, and there it was!

  10. everettf
    October 29th, 2011 at 16:58 | #15

    Turns out editing the Windows 7 installed registry is slightly less than straightforward. Here are instructions from Microsoft that worked for me. Thank you admin for this solution, I’ve been working on it for three days, crazy.

    To edit the registry of your target device

    Boot Windows PE on the device.
    At the command prompt, type regedit.
    Click HKEY_LOCAL_MACHINE.
    From the File menu, choose Load Hive.

    A series of message boxes may appear that state that the folder cannot be found and that the location is unavailable. Ignore these messages and click OK when they appear.

    The Load Hive dialog box appears.
    In the Files of type box, select All Files.
    Navigate to the registry location on your target device.

    For example, if your image is on drive C, navigate to C:\WINDOWS\system32\config.
    In the config folder, select the hive you want to edit and then choose OK.
    In the Load Hive dialog box type a Key Name. For example, TEST_DEVICE.

    To load more hives, repeat the previous steps.
    Choose HKEY_LOCAL_MACHINE, and then choose the new reg key(s) you created.
    Edit or view the reg keys.
    When you have completed your reg key changes, choose HKEY_LOCAL_MACHINE, choose the File menu, and then choose Unload Hive.

    Link is here: http://msdn.microsoft.com/en-us/library/ms940849%28v=winembedded.5%29.aspx

  11. Bill
    October 31st, 2011 at 20:30 | #16

    Thanks for posting this. Ran into this issue on a client computer and was beating my head against the wall trying to find the culprit. Was about to the point of formatting and reinstalling when I came across your page and sure enough in ControlSet001 it was pointing to consrv.dll.

    Thanks again for posting this. Saved me a lot of time!

  12. Raf
    November 5th, 2011 at 07:48 | #17

    Thank you very much guys! saved my day :)

  13. Jarvis
    November 9th, 2011 at 19:26 | #18

    With a lethal combination of this blog and everettf’s efforts, my machine is back after 3 painful days!!!! (More or less) Thanks a bunch for the great info!!!

    • November 9th, 2011 at 21:39 | #19

      I’m glad this helped. This virus is a real rascal. I’ve seen it quite a bit lately. The last one had a bootkit virus with it as well. As far as I can tell that one is unfixable without removing the hard drive from the computer.

  14. Eris
    November 10th, 2011 at 10:44 | #20

    Thank you so much for this. I’ve been battling it out for days searching through my registry, using malwarebytes and avast, boot time scan and everything. Biggest headache I’ve ever run into. Hopefully my system is stable enough to fix more of the damage caused. The person(s) really should get punished for this.

    Anyway, thanks again for everything.

  15. ImpetuousRacer
    November 10th, 2011 at 23:21 | #21

    THANK YOU! There was a lot on the internet about AVG causing the problem (which I don’t have or ever had installed).

    I loaded regedit and thought I was looking at the Windows 7 registry and only saw the one CurrentControlSet and thought I was looking at the actual Windows 7 registry.

    I didn’t get any error messages, and thought Load hive was necessary in the command prompt if there were errors. Thanks to the notes I figured out that Load hive is the selection from the file menu once regedit pops up, then to select the Windows 7 hive in the location you specified.

    Anyway, saved a HUGE amount of time, don’t know how you figured this one out.

  16. zac
    November 12th, 2011 at 16:33 | #22

    you are my hero.

  17. November 15th, 2011 at 16:06 | #23

    Thank you so much.

    All I had in my toolbox was a Linux recovery pen, so you can note this as an alternative solution:

    Boot into Linux
    Mount system drive (mount /dev/sda2 /mnt)
    Copy Windows/system32/winsrv.dll to consrv.dll (cp command)
    Boot into Windows
    Perform suggested registry surgery
    Reboot again
    Delete consrv.dll file

  18. Nag
    November 18th, 2011 at 22:27 | #25

    I have a similar problem, but my OS is Windows 2008 Server. How do I go into the registry and edit the files? I have configured a server and was successful after 2 months of hard work and time.
    I have installed McAfee Antivirus and the system gives blue with the above error. Please help.

    • November 19th, 2011 at 21:45 | #26

      As far as how to edit your registry, Google’s your friend (here’s a link that might help). But first, I would uninstall McAfee, it’s an atrocious application and is more likely to complicate your problem than to fix it if you still have a virus. Try using Malwarebytes to start getting rid of any residual infections then install a proper antivirus like Norton, Avast or Eset.

  19. Jmath666
    November 20th, 2011 at 01:38 | #27

    Symptoms: The computer kept rebooting.. in booting to safe mode a BSOD flashed for a split second… so I made a movie of the screen by a camera, froze a frame with the BSOD pointing to consrv.dll googled that and found this post. Thanks!

    This worked for me: 1. boot into recovery console 2. copy winsrv.dll consrv.dll 3. reboot into safe mode run regedit and replace all consrv by winsrv in all strings that come up 4. reboot and delete consrv.dll

    Why: cannot edit registry from recovery console… and with registry pointing to nonexistent consrv.dll cannot boot to run regedit.. there is http://support.microsoft.com/kb/307545 but it’s way too awkward…

    System: XP 64bit

    • November 20th, 2011 at 13:53 | #28

      I think this is a good strategy if you are having trouble getting to a point that you can use regedit. This might be a good way for Nag above to solve his problem.

  20. Jon
    November 22nd, 2011 at 09:28 | #29

    You saved me an incredible amount of time. THANK YOU!

  21. MacLeod
    November 22nd, 2011 at 23:22 | #30

    Thank you very much to the original author as well as several others in this comment section. I was able to successfully edit my Windows 7 registry from the Repair Console (after deleting that virus) using these methods. As someone else noted, the Windows 7 registry hives must be imported separately to edit (\system32\config\)

  22. Jason S Congdon
    November 23rd, 2011 at 10:21 | #31

    I had the same problem… I had a Cycbot infect my system, and corrupted my registry. I installed AVG’s Recovery Boot usb loader to mount my Windows installation allowing me to edit the Reg. Worked like a charm! Thanks !!!!

  23. Shibu
    November 25th, 2011 at 17:38 | #32

    @everettf
    Thanks for the input. I’m afraid I’m still stuck. When I check the Windows value it appears to have the correct winsrv value. I tried loading the hive, but I can’t tell if the hive has loaded. I selected ‘system’ as the hive to load. Is that correct?

    By far the worst issue I’ve ever run into. If I am looking at the correct Hive and the winsrv value is correct, and I still have the issue… is the next step concession?

    • November 25th, 2011 at 18:43 | #33

      Well, that SOUNDS like you’ve done it right. The 3 possibilities you have are that 1) you’ve loaded the wrong registry, 2) you’ve looked in the wrong place within the correct registry, or 3) you have a different problem.

      On my system, I can’t load a foreign hive with the “System” key highlighted so I don’t know how you’ve done that. You have to highlight HKEY_Local_Machine and then select the correct drive and location, THEN open the system file. Is that what you mean you did?

  24. Joseph
    November 30th, 2011 at 03:13 | #34

    In regards to the original key mentioned by our savior (no Joke, I didn’t even know where to start until I came here and read the post).

    you may also find the value in

    HKEY_LOCAL_MACHINE\windows\ControlSet002\Control\Session Manager\SubSystems

    and

    HKEY_LOCAL_MACHINE\windows\ControlSet001\Control\Session Manager\SubSystems

    It’s the exact same key value, and needs the exact same changes made to it. I was lost because the key I was looking under didn’t have the value being mentioned, so I poked around. Found the value there, made the suggested changes. Now all is well :)

    • November 30th, 2011 at 11:10 | #35

      Thanks for your input on this Joseph, I haven’t seen the problem in that key but I’ll keep an eye out for it now.

  25. Rich Z
    November 30th, 2011 at 22:17 | #36

    Excellent work!!!! Thank you for posting this!!!! You saved me many, many hours of work. This was the only hit that I found in Google that solved my problem!!! Good job!

  26. December 4th, 2011 at 23:26 | #37

    For those of you who don’t see the “consrv” string and/or the ControlSet002 folder it is most likely because you are looking in the wrong place/registry. To navigate to and fix the infected registry follow these steps:

    1. click on HKEY_LOCAL_MACHINE
    2. Go to the “File Menu” and select “Load Hive.” A Load Hive Dialog Box will appear.
    3. In the navigation bar up top make sure you have the INFECTED drive selected. For me, it was the (C:) Drive. The full path was: Computer > Local Disk (C:) > Windows > System 32 > Config
    4. Select “System” from the list.
    5. A dialog box will ask you to enter a Key Name. Enter TEST_DEVICE.
    6. Click on the HKEY_LOCAL_MACHINE folder again.
    7. Navigate to the new TEST_DEVICE folder and change the “consrv” string to “winsrv” as outlined by the admin in the post above. Make sure to edit BOTH keys:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

    8. Once you’ve completed your reg key changes, click on the TEST_DEVICE folder you named and then go to the “File Menu” and select “Unload Hive.”

    9. Restart your computer and it should be working again.

    I want to give a special thanks to the admin and everettf for all the helpful info — you saved me a trip to Geek Squad and about $80. Thanks again!

  27. Ghosh I
    December 5th, 2011 at 11:32 | #39

    gr8 help @Admin, @everettf

  28. none
    December 5th, 2011 at 15:21 | #40

    AVG just deleted the file, causing the BSD upon boot. Your edit fixed it, thanks a bunch!!!

  29. firepro
    December 6th, 2011 at 10:50 | #41

    worked perfect.. Thx thx thx. Worked perfect. I owe you a beer

    • December 6th, 2011 at 11:49 | #42

      I will happily take that beer firepro, I prefer Boddingtons if you please.

  30. Peter D
    December 11th, 2011 at 17:26 | #43

    Hey Mr LCRB

    Thanks for the tips. It helped me to actually come up with what I thought was an even better solution. I too deleted the virus consrv when the infected drive was slaved to another PC, and was shocked when it did not boot.

    I really did not feel like editing the registry of an external drive. So after some thought it suddenly hit me… just copy winsrv into consrv, changing consrv into a perfectly legit windows file. I did this by booting linux mint and making the delete of consrv and copy of winsrv into consrv. Worked like a charm, then applied the .exe association fix, then ran tools to finish the job, like malwarebytes and avast.

    • December 11th, 2011 at 18:09 | #44

      I approve of this strategy to get the machine bootable again. I think you should not leave it like this, but rather do the registry fix. Your solution will work until suddenly it stops working because some antivirus decides it’s a file wrongly named in a vulnerable directory or some Windows Update patch comes along that updates winsrv.dll (but not your mis-named consrv.dll).

  31. Matt
    December 11th, 2011 at 17:34 | #45

    I cannot navigate to the infected drive. When I try to Load the Hive, the only drive that is available is “Boot (X:)”. If I cannot find my C: drive, what do I do then?

    • December 11th, 2011 at 18:15 | #46

      Take a look at the comment above from “laarka” for another strategy that avoids the problem you are having. You’ll need to create a linux boot disc. You should be able to do the same thing as he suggests though just booting to the repair partition/repair disc and clicking on the “Command Prompt”.

  32. Peter D
    December 11th, 2011 at 19:39 | #47

    @admin
    Yes, I thought about that and did the registry fix. I just forgot to mention it. Sharp of you to think of that. I think this is a much easier fix than initially struggling to change the registry on a basically non-functional PC.

    Peter D

  33. Matt
    December 12th, 2011 at 02:24 | #48

    Well, the Linux solution worked, in that it allowed me to boot into windows. However, as soon as windows came up, it gave me a new BSoD error:
    STOP: c000021a {Fatal System Error}
    The Windows Subsystem system process terminated unexpectedly with a status of 0xc0000005 (0x76cfe4b4 0x00bef100).
    The system has been shut down.

    • December 12th, 2011 at 08:48 | #49

      To Matt, I would guess you’ve either got another infected driver/program or you haven’t got rid of the virus yet. If you’re getting it after you login, that suggests to me it’s probably the latter. Try booting into Safe Mode. If that works then you could use Malwarebytes or use MSCONFIG to take a look at what’s going on.

  34. Matt
    December 12th, 2011 at 02:25 | #50

    Sorry, to further clarify, this was after Windows got to the login screen, immediately after I logged in.

  35. Peter D
    December 12th, 2011 at 02:37 | #51

    @Peter D
    Replying to myself, mostly. Laarka beat me to it! I didn’t read his post before I put up my identical solution. I think this is the best and easiest solution to this nasty nasty virus. I fear however, that the evolution of this virus will see renaming or removing winsrv.dll. Still not a major issue, as all you have to do I suppose is get it from another PC.

    Peter D

  36. I.G.
    December 12th, 2011 at 16:36 | #52

    Adding kudos to those already ’cause it does work. 64 bit Win 7 users: be aware that the config you seeketh is in the 32 bit section. the 64 bit section only has Control001 and it appears to be good. Yes, you must load/unload hives as described above; just be sure to use the 32 bit section. There you will find the keys as described.

    • December 12th, 2011 at 17:44 | #53

      Thanks for the clarification on that. I think one of the commenters may have had that exact problem.

  37. badthebA
    December 14th, 2011 at 16:50 | #54

    Wow this was a life saver. I was getting this error long after AVG was uninstalled and replaced by MSE. MSE found a virus called sirefef.b, and HijackThis found a userinit.exe exploit at the same time. Upon reboot, I got this error, even though AVG was not installed, and I had used the removal tool long before. There were still traces left of AVG, but not in the drivers folder, and nothing that ran on bootup, so I didn’t believe AVG was a factor anymore. This made it all clear and concise, and it made sense now, knowing that the registry contained the error, and it wasn’t actually any running files causing it. I have spent years recommending AVG, but with all the bloat added in recent versions, I have been drifting quickly away from it and recommending MSE quite a bit. Thanks again!

    • December 14th, 2011 at 17:02 | #55

      I agree about AVG, I think it tries to do too much and that just leads to problems. I used to be a fan of MSE, but subsequently found it is just missing too many viruses. I’m using Avast now as the free AV I put on customer machines and Norton as the paid one.

  38. Toshiba-3
    December 14th, 2011 at 20:09 | #56

    Thanks a ton for your article, sir! And to people who commented about loading hive too.

  39. Toshiba-3
    December 14th, 2011 at 20:10 | #57

    Oh and btw, here it was Avast that took care of the virus and generated this error as a consequence.

  40. Elias
    December 14th, 2011 at 22:42 | #58

    I tried most of the suggestions here: change registry to remove consrv via repair cd, linux boot CD to replace the consrv with the winsrv (consrv didn’t exist, but copied it as consrv anyways), then finally, the solution that did the trick was loading the hives in post 15. I’m an IT professional and have been doing this for years, but this has kicked my butt for 3 days. FYI, a complete restore isn’t really an option at this point… although I know that’s the best…

  41. December 15th, 2011 at 20:28 | #59

    Thanks to admin and “web traffic wizard”. I had the same problem and didn’t have AVG.
    Everything solved and I’m soooo happy to see my windows again.

    I’ve got infected from that virus but I’m still getting “Registry Editor” at windows start. Everything looks fine there but at start up, registry editor comes up so I don’t know if my solution is temporary. I started to get it about 1 week ago and made a full scan with eset. When I come back to my computer, it was not starting and that’s how I found this blog.

    And 1 question: Even we solved our problem, I’m wondering if any of details (like email usernames and passwords) sent to internet by this virus!

    • December 15th, 2011 at 21:47 | #60

      I’m glad this fixed your problem. Unfortunately it’s hard to know just what the virus did. You should assume all your passwords are compromised.

  42. Venya
    December 16th, 2011 at 23:34 | #61

    A customer says his computer has got viruses, I do all the required scans and updates and so forth, as soon as I install Security Essentials and update, MSE finds a bunch of viruses, I remove them and reboot and get the C0000135 error. Can’t boot no matter what. Same issue, spent 3 hours on it. Hopefully when I go back to the customer I can get it fixed and at least have Windows boot.

    It seems whatever virus it is, it’s a pretty heavy duty rootkit, any new info on how to remove it?

    • December 17th, 2011 at 11:58 | #62

      I don’t really have anything new on this virus but I have found consistently good results by getting the hard drive out of the machine and scanning it before trying to work on it live.

  43. K
    December 17th, 2011 at 19:03 | #63

    Thank you!!! You guys rock! I’ve got everything up and running with your fixes.

    I’m noticing some strange things that maybe you can help with.

    First, proxy settings were hi-jacked in Moz w/ neverstopus.info…oh great – removed.

    All my firewall/security snap-ins for Win7 are missing…gone! Not in services or anything…wondering if they’re hiding or were removed or what. Running sfc right now…maybe should do a complete reinstall. Ever seen this before???

    • December 17th, 2011 at 23:50 | #64

      Yes, I have seen this problem and I hate to tell you but I think you’ll have a real struggle getting those plug-ins back. First, take a look at this post on missing BFE. My guess is that the problem you have is that the registry entries for a bunch of your services are missing. You can rebuild this to some extent by copying the reg entries off another similar system (SFC won’t help you). The problem is that this solution doesn’t scale well. I just had a Vista system in here that was missing the BFE, Firewall, Security Centre and a few other things. It eventually got to the point where I felt that I could not get the system back into a known good state again.

      As it turned out, I did. After fixing all the virus stuff, I used system restore to go back a few weeks and that did work. Maybe a similar strategy will work for you. Good luck

  44. K
    December 18th, 2011 at 21:28 | #65

    Thanks for the reply…I can forward on some good news as I figured out what was going on that may help others.

    After the hit from “Win7 Antivirus”, I downloaded MicrosoftSE and found it replaced most of the items I was referring to. It has its own built-in firewall and security features that replace the native Win7 versions. I did a complete scan and also patched some apps with Secunia PSI and all is well in productivity land again. I’m still trying to figure out how I ended up with it since the machine is mostly a workstation for Design/Vids, etc. Ironically (and probably coincidentally), it all showed up after doing the latest Windows Update.

    Thanks again for a great resource and knowledge about Hive loading/unloading :).

    • December 18th, 2011 at 21:37 | #66

      I’m glad this all worked out for you. BTW, MSE doesn’t actually have its own firewall, it just uses the in-built Windows one.

  45. proud_dad
    December 21st, 2011 at 01:22 | #67

    Holy Cow, thanks to admin, and web traffic wizard, this actually worked for me, it took me 2 days to find this link through google.
    The full process from beginning to end took approx. 5 minutes by following the directions. I am now logged in and working my case for court.

    It was weird, I had a virus on my machine that Malwarebytes found, so I installed MSE, which found 6 trojans. Once the scan was complete, MSE requested that I restart the laptop. After reboot, the problems arose. I wonder where the common factor is in all of this.

    Thank you again to all who put their personal time and efforts in aiding us.

  46. December 21st, 2011 at 05:23 | #68

    THHHHHHHHHHHHHHHHHHHAAAAAAAAAAAAAAAAANKKKKKKKKKKKKKSSSSSSSSSSSSSSSS

    Web Traffic Wizard
    December 4th, 2011 at 23:26 | #37

  47. December 21st, 2011 at 10:37 | #69

    This is exactly what I needed. Thanks dario! @Web Traffic Wizard

  48. Tom Richardson
    December 22nd, 2011 at 09:26 | #70

    I thought I would post this for those struggling with this nasty virus, because I do believe this is exactly what you need to fix it – getting rid of the consrv.dll.

    The problem is, it has hooks in the registry and I had the same issue as someone above where I couldn’t change those registry values! I couldn’t change them in Safe Mode, running RegEdit from the command line – anywhere. It looked like I could change them. I keyed in winsrv in place of consrv, but the consrv would just be back after I opened the value again. This wasn’t permissions because I could change it to something else and it would stick. I just couldn’t change it to winsrv. For instance, I could change it to just win. But, if I changed the value to winsrv, it would put it back to consrv. How it was doing this is beyond me. Consrv was actually in three places in my registry also. The two mentioned in this great blog and also in a Current Session (or something like that) Key. Seems like I got the ControlSet002 to change once, but could never get all three changed. I even deleted the whole thing and added it back and it wouldn’t stick.

    Window Essentials found this virus, but when it removed it, I got the C0000135 and this looked like the perfect fix for me. It’s unbelievable that Microsoft, who designed the registry and the operating system, had a virus removal program that leaves your computer unbootable! That’s just ridiculous.

    But, I did get it fixed without doing an OS restore. I’m not one to plug for products, and I usually look for manual fixes like this. But, HitMan found it, removed it and my computer was able to boot afterwards without me having to do the registry hack. They also have a 30-day free trial, so it didn’t cost me anything. Just thought I would toss that out there for you guys about to pull your hair out over this thing. Good luck.

    • December 22nd, 2011 at 09:57 | #71

      Tom, how did you manage to run Hitman Pro (which I like as well) if you were getting the C0000135? The computer needs to boot into normal mode AND have access to the internet in order to run it.

  49. Tom Richardson
    December 22nd, 2011 at 12:55 | #72

    When I got the C0000135, I would cut off my machine and when I booted again, it would ask me if I wanted to try and fix Windows since it couldn’t start normally at that point. When I said, yes, I would then get a Pop-up that asked if I wanted to restore to the last running instance. I would select that and I could bring windows up, but Security Essentials would be gone and I would be back to the point before I installed it – complete with the virus still intact. The consrv.dll would still be in the Windows/System32 directory and the Registry would still be wrong, but my computer would boot (I guess since the restore put the consrv.dll back).

    If I reloaded Security Essentials, it would find the virus again, ask me to Reboot after cleaning it and I would be right back to the vicious circle.

    I kept trying the registry fix before cleaning the virus, but that is where I couldn’t get the value to change.

    Hitman Pro found the virus, did a reboot and removed the consrv.dll out of the Windows directory. I haven’t checked the registry because that was the last thing I did before leaving the house, but I do know it removed the DLL file, so I’m assuming it made the registry change for me. I’m going to check that this evening when I get home.

  50. Hani
    December 22nd, 2011 at 18:29 | #73

    THANK YOU!
    days of work, after removing this consrv.dll crap
    checked the registry, boom!
    fixed!
    thanks, a million!

  51. Aquiles
    December 23rd, 2011 at 13:55 | #74

    Thank you so much! This saved me from formatting my PC …. I was searching for many hours and only here I found the solution to my problem.
    I am infinitely grateful to you guys …. God bless you.

  52. Breeze
    December 28th, 2011 at 12:44 | #75

    Worked for me…you are a god, sir.

  53. December 28th, 2011 at 18:16 | #76

    I had a client bring me a computer that had this problem. I can only afford to spend so much time on each job and if an hour or so of research and attempted fixes don’t solve the problem it’s on to the dreaded file backup and reinstall of the OS.

    Well, the last search I did came back to this solution and it fixed the problem! Client is thrilled and I’m thrilled I didn’t have to back up her over 200gb of data and reinstall the OS on her brand new Lenovo.

    Kudos to everyone on this thread!

  54. Neil
    December 30th, 2011 at 22:12 | #77

    Worked perfectly…and I was so close to the “factory reset”.

    For those reading this, don’t forget you have to load the system hive into the registry, work on it, and then unload it when done, otherwise you won’t see ControlSet001 and ControlSet002. – Yes…I forgot to do this before going DOH!

    Thanks for a great fix!!

  55. Bob
    December 31st, 2011 at 19:14 | #78

    Fantastic! Thank you so much! Got my computer up and running again after Malwarebytes removed some ickyness and left me dead.

    And kudos also to Neil – good call on reminding me to load the system hive. I thought this wasn’t my problem as I did not see the consrv entry, but then I saw your comment and I also said DOH! I was looking at the recovery console registry, of course it looked clean.

  56. Anon
    January 4th, 2012 at 10:48 | #79

    This worked for me! Thank you. It was in fact the virus that was causing these issues in the first place. I removed the threats and once I did, the AV wanted to restart the system. Upon restarting the system, I got the above error and found this and now am able to remove any other threats from the system. Thanks again!!

    Anon

  57. LuvTech
    January 8th, 2012 at 22:38 | #80

    This registry was not changed in my case, so I had to find other solution, which I did and fixed it. It was very simple for my friend’s laptop with same exact BSOD error as above to do system restore to past date before a virus infection. You reboot, hit F8, then click Repair windows, login and do system restore and it worked. – Thanks for nice article

    LuvTech

  58. bigpoke25
    January 10th, 2012 at 02:11 | #81

    @Aquiles

    I’m not computer savvy but I too am getting “C0000135 The program can’t start because %hs is missing”. I want to do the steps mentioned above but I can’t even get my laptop to start up in safe mode. I have Windows 7 Home Basic. Can someone help me fix this issue?

    • January 10th, 2012 at 11:00 | #82

      Editing the registry is fraught with danger for the non-computer savvy but you can start by booting to the repair console from your installation disc (If you don’t have one of those do yourself a favour, give up and take your computer to a qualified local repair technician). In the repair console from the command line run “regedit” then follow the instructions above, from Aquiles for example.

  59. betty boop
    January 10th, 2012 at 04:17 | #83

    Thanks so so so much! Finally fixed after 5 hrs. So glad I did not listen to my brother to reinstall!! all the comments and your post truly saved my life!!!!! Going through the test device key was the trick that did it

  60. SteveH
    January 12th, 2012 at 07:34 | #84

    THANK YOU! you guys helped me a lot.

  61. Dirk
    January 14th, 2012 at 16:45 | #85

    greets from lexington ky. funny we are both in the same city

    • January 14th, 2012 at 17:25 | #86

      Hi Dirk, Well everyone’s got to be SOMEwhere. :-)

  62. Nick
    January 20th, 2012 at 18:51 | #87

    Hey All, can someone who has loaded and unloaded the hive expand on this for me? I keep getting Access Denied when trying to unload after making the change. I’m not 100% sure I am loading the correct hive. I noticed in recovery mode I’m defaulting to Drive X and C is not my normal C and has moved to D. But when navigating to the hive I’m fairly certain I’m in the right directory (Windows\System32\config) and I am loading system. When it asks for the key I’m not sure what I’m putting in and basically I’m guessing from this point forward.

    Thanks,
    Nick

  63. Nick
    January 20th, 2012 at 19:13 | #88

    @Nick

    I love it when I can answer my own question :)
    Anyone having trouble with this: to Load a Hive make sure you are looking in the right drive, as I mentioned your typical C drive may move to D or another letter.

    Run regedit from a command prompt in recovery mode
    click on HKEY_LOCAL_MACHINE (this removes the grey out on Load Hive)
    Go to File and click Load Hive…
    Navigate to the Hive storage location (Windows\System32\config)
    Load System
    Name the Key something easy to recognize (BLAH)
    Navigate to HKEY_LOCAL_MACHINE\BLAH

    Basically \BLAH is the real HKLM\SYSTEM that the article refers to.

    Once you make the changes to both control sets click back on BLAH and Unload the hive

    Restart

    ??????

    profit.

  64. Curtis
    January 23rd, 2012 at 22:30 | #89

    Thank you Nick!!! I was getting this exact problem but whenever I looked at the registry key I did not see the consvr reference. Your steps to navigate and load the proper HIVE did the trick.

  65. Bad Andy
    January 24th, 2012 at 06:55 | #90

    I’ve finally got the reg edit open…..But I don’t understand this HIVE people keep talking about?

    I cannot find the line to edit, and when I go into the local machine / control set, et cetera it looks like everything is ok? How does one access the hive, let alone upload the changes? Cheers and thanks so much.

    • January 24th, 2012 at 08:58 | #91

      See my comment to Aker below, I think you may still be looking in the wrong place.

  66. Aker
    January 24th, 2012 at 07:09 | #92

    I’ve loaded the hive and followed Nick’s instructions and it says “winsrv” everywhere, cannot find anything that says consrv, should I be looking in current control set?

    • January 24th, 2012 at 08:57 | #93

      If you see “current control set” you are probably looking at the wrong registry hive. The “foreign” hive you are trying to load should only have Control Set 1 and 2, there is no “current” one because you are not booting out of that hive. Nick leaves out of his instructions on the line that says “Navigate to the Hive storage location (Windows\System32\config)” that this should be on the drive that you NORMALLY boot from, probably C:

  67. Steve
    January 25th, 2012 at 00:43 | #94

    @Nick

    Thanks so very much for this fix and thank you Nick for pointing out the correct hive to load. It worked perfectly!

  68. Greg
    January 29th, 2012 at 01:28 | #95

    Great information here! Saved me from a malware removal gone bad, and only took a bit over an hour from the start of the problem to my desktop being up and running again. Big thanks! Additional thanks to the comments about loading a hive. I believe it was Neil who mentioned it first.

  69. ed
    January 29th, 2012 at 14:52 | #96

    Wow!!! Thanks Nick, you resolved my problem. I was close to formatting the computer too

  70. SergeyD
    February 4th, 2012 at 07:31 | #97

    Thank you, man!
    To edit the registry, I used ERD Commander for windose 7

  71. timitin
    February 6th, 2012 at 10:49 | #98

    @Nick

    Thanks a lot sir!

    My noobishness took its time but I finally figured out what you meant with drive letters and found my way into d:\windows… thanks a lot :)

  72. timitin
    February 6th, 2012 at 17:37 | #99

    aaannd it turned into a loop.

    I can’t stop the damn consrv.dll virus. I go do all the things as instructed then back again on windows, anti-virus finds and deletes some more viruses and tells that it needs to restart PC and the blue screen again. Then if I do all the things again when back on windows the same thing.

    and btw I only change the `ControlSet001`’s consrv string. `ControlSet002`’s string is already set to `winsrv`

    Now I did all the things I remember I had this problem before and I remember doing stg with spydoctor program and solved it or I did a format on my PC. Everything’s on internet about consrv.dll virus suggest a -not free- spyware program with a wall of text instructions. Obvious scammers are obvious.

    Guess I’ll format my PC as soon as I get my hands on my bro’s flashdrive 😛 Or maybe I should crack some malware program and do what they say first… shit.

    • February 6th, 2012 at 18:33 | #100

      Sorry you still have a problem. I can assure you that this protocol works as I just used it on another machine today (also noted that only control001 had the consrv.dll entry). The machines that I am getting with this on it now, for example this one today, also tend to have a Master Boot Record Bootkit associated with them. This means you can be re-infected every time you boot if you don’t sort this first. The problem you are having is re-infection either from within Windows or from the bootkit.

  73. timitin
    February 6th, 2012 at 19:29 | #101

    @admin

    thanks for the reply.

    I had mbrfix on my bro’s flash drive.. this is getting messy. maybe it’s time for a format. 1.5 years of formatginity.

    also what does WinRe partition do exactly? Is it useful for these situations?

    • February 6th, 2012 at 20:29 | #102

      Well, this IS a messy problem because I’ve seen cases where the virus can persist after a format and after re-installing from the recovery partition. If it’s Windows 7 you should be safe in using the bootrec /fixmbr command from the recovery console (which I’ve used to successfully get rid of a bootkit), you could try that and use a live CD like the one available from Avira. The WinRe partition sounds like your Windows Recovery partition which you may be able to get to through Recovery Console as well if all else fails and you want to reinstall Windows.

  74. Trk
    February 6th, 2012 at 21:49 | #103

    @Web Traffic Wizard
    Thanks a lot lot lot !!!

  75. Trk
    February 6th, 2012 at 22:11 | #104

    YYYYYYEEEEEAAAAAAAAHHHHHH !!!! and more and more …

  76. JonERotn
    February 9th, 2012 at 10:49 | #105

    I almost gave up on this solution after trying both the original steps and Nick’s steps. Then I started doing some actual critical thinking. The laptop I was troubleshooting was a Dell, which included a repair tools partition. So I was booting to drive X:. I used the following commands to determine the real OS partition:

    diskpart ‘diskpart will display header information and put you into the diskpart con
    select disk 0
    list volume

    DiskPart will list the partitions and their labels. Identified the OS partition as drive E:. Type exit to get out of DiskPart:

    exit

    Change the drive letter to E::

    e:

    Run regedit and follow Nick’s steps to load the system hive FROM DRIVE E:. Sure enough, there were the consrv values!

    Thanks everyone!
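
    Nick’s load-hive steps and the drive-letter check described above, combined as a script for the recovery console’s command prompt. This is an added example, not part of the original comments: the mount name OFFLINE (Nick uses BLAH), the C: to H: search range and the availability of findstr in the recovery image are assumptions. It only displays the value and flags a consrv reference; the edit itself is still made in regedit as the post describes.

    ```batch
    @echo off
    rem Added example (not from the original post or comments).
    rem Finds the offline Windows installation, loads its SYSTEM hive under a
    rem temporary name, prints the SubSystems "Windows" value for each control
    rem set, then unloads the hive again.
    setlocal

    rem In the recovery environment the booted image is X:, and the installed
    rem Windows may sit on C:, D:, E: ... so probe for the hive file itself.
    rem The first match wins; confirm the reported drive is the real OS volume.
    set "OSDRIVE="
    for %%D in (C D E F G H) do (
        if not defined OSDRIVE if exist "%%D:\Windows\System32\config\SYSTEM" set "OSDRIVE=%%D:"
    )
    if not defined OSDRIVE (
        echo No Windows\System32\config\SYSTEM found on C: through H:
        exit /b 1
    )
    echo Offline SYSTEM hive found on %OSDRIVE%

    rem OFFLINE is a hypothetical mount name; any unused key name works.
    reg load HKLM\OFFLINE "%OSDRIVE%\Windows\System32\config\SYSTEM" || exit /b 1

    rem A loaded offline hive has ControlSet001/002 and no CurrentControlSet.
    for %%S in (ControlSet001 ControlSet002) do (
        echo.
        echo === %%S ===
        reg query "HKLM\OFFLINE\%%S\Control\Session Manager\SubSystems" /v Windows
        reg query "HKLM\OFFLINE\%%S\Control\Session Manager\SubSystems" /v Windows 2>nul | findstr /i "consrv" >nul && echo *** consrv reference present in %%S
    )

    rem Always unload, otherwise the hive stays locked until reboot.
    reg unload HKLM\OFFLINE
    endlocal
    ```

    If ControlSet002 does not exist in the hive, the query for it simply reports an error and the script carries on to the unload.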

  77. Slow
    February 10th, 2012 at 03:36 | #107

    @JonERotn
    Having trouble locating (if that’s the case) the changed values. I’ve only been able to locate a control001 and no 002(no current control either, just 001) with any changed values. Looked in d: e: x:, c: drive states “this folder is empty” under load hive

    • February 10th, 2012 at 09:05 | #108

      If you’ve found consrv.dll under control001 then you are looking in the right place. The latest version of the virus only infects control001. If you are in the right place, you should not see current control. Sounds like you’ve got it right.

  78. Marina
    February 16th, 2012 at 23:25 | #109

    @Nick

    Thank you so much, you are the best!!!! It did work :)

  79. Bulbonio
    February 17th, 2012 at 14:41 | #110

    Thanks bro, this was so helpful

  80. ag
    February 19th, 2012 at 05:41 | #111

    @JonERotn

    thank you sooo much just had to run regedit in E: !! and thank you nick and to the original poster!!!

  81. February 20th, 2012 at 18:28 | #112

    HI,

    Thanks guys for this post, much more useful than the microsoft WebSite.
    Can anyone help me? How could I access the regedit on my laptop? I cannot start windows at all, none of the modes will do (debug, dos command …) all of the starts would fail.

    Do I need special software to access the regedit? Do I need to restore to an old version? But in this case, I’m afraid of losing my personal files in my C:\ drive.

    Regards

    • February 20th, 2012 at 18:33 | #113

      The comments above, especially from Nick and a couple others explain how to do this. If you’re using Vista or Windows 7, use Start-up Repair and start the registry editor from the command prompt.

  82. February 20th, 2012 at 19:40 | #114

    Hi,

    Thx for your quick reply, but when I use startup repair, it does not want to go to the command prompt, it just waits a couple of seconds on the /system32/Drivers/classpnp.sys then it restarts, it keeps restarting whatever the repair I do (except the one that forces windows to not restart in case of an error, that’s how I found out the error label)

    Thx again
    Regards,

  83. February 20th, 2012 at 19:50 | #115

    Here is what I did :

    I booted from my USB using Ubuntu, then I copied and pasted the winsrv.dll, then renamed the new copied dll to consrv.dll (as the virused one), and now I am getting the new error:

    Stop : c000021a {fatal system error }
    The Windows subsytem system process terminated unexpectedly with a status of 0x c0000005 (0x77cee4B4 0x00daf350)
    The system has been shut down.

    So this means I think that the error is indeed related to the consrv.dll, is there any way to restore the virused version? at least I would be able to boot !

    Regards,

    • February 20th, 2012 at 20:17 | #116

      I think it’s going to be hard to get the old one back as, I assume, your AV quarantined it. You might be able to find it using your Ubuntu USB. Are you sure you have the right winsrv.dll? Same version of Windows exactly? Did you put it in the correct folder?

  84. February 20th, 2012 at 19:57 | #117

    By doing so, if I start by using the command prompt, now the login screen appears (even though I don’t want it to appear, I just want to use the command line screen), and once I login, after a few seconds, a blue screen appears and restarts the computer, damn!

    Could I restore the virused version of the consrv.dll? this is a nightmare :-)

  85. JHill
    February 20th, 2012 at 22:51 | #118

    So…I’m a bit of a computer novice. My Gateway laptop got knocked off the counter today and fell about 2 feet to the floor. When I turned it on I got the exact same message that everyone here has been posting about “stop: C0000135 the program can’t start because the program %hs is missing from your computer. Try reinstalling the program to fix this problem.” Would this be related to the hard impact or was I just unaware of a virus and now it’s taking effect as I am restarting and the system is rebooting? Thanks in advance for your help.

    • February 20th, 2012 at 23:19 | #119

      I don’t see any relationship between the two. It seems more likely in your case that the hard drive was damaged and you are getting this error for a different reason. You can try checking the registry to see if you’ve got consrv hiding in there but it sure seems unlikely.

  86. February 21st, 2012 at 16:50 | #120

    I agree with you, but how could I access the regedit when the start in the command line mode does not work?

    Regards,

    • February 21st, 2012 at 16:56 | #121

      Well, you’re not supposed to be trying to start in command-line-mode – that will not work because that starts the same instance of Windows 7 that you are trying to fix. You need to start in Start-up Repair and then open a Command Prompt and run Regedit.

  87. February 22nd, 2012 at 21:41 | #122

    Brilliant! This fixed my problem. Thanks so much

  88. Matze
    February 23rd, 2012 at 12:47 | #123

    Thank you so much for this!
    It worked perfectly for me, and saved me a lot of work!

  89. English Nooble
    February 26th, 2012 at 10:55 | #124

    Worked great, you should wrap the comment about loading the hive right up there with your fix, Once instructed on that it was a simple 3 minute fix.

  90. Juanmi
    March 1st, 2012 at 11:52 | #125

    Thank you so much, it worked! I had my computer fixed by avast after being infected by annoying Sirefef (consrv.dll).

  91. March 2nd, 2012 at 19:01 | #126

    amazing! after two days of non stop self teaching and searching you finally solved my problem thank you sooo much! you are the f#cking MAN!

  92. Branden
    March 5th, 2012 at 20:06 | #127

    This was an amazing find. Thank you so very much for posting. After I loaded the hive, made the changes, and restarted, everything came up perfectly. Thank you.

  93. bendodge
    March 6th, 2012 at 16:02 | #128

    @timitin
    “Everything’s on internet about consrv.dll virus suggest a -not free- spyware program with a wall of text instructions. Obvious scammers are obvious.”

    Actually, several of the best antiviruses do indeed cost money. Also, wall-of-text instructions are far better than super-simple instructions, because people make mistakes and get lost in oversimplified instructions. (Compare Nick’s detailed explanation to the original blog post.)

    All that said, you probably need to do OFFLINE removal of your virus, meaning take the hard drive out of the computer and scan it with another one. That should get you out of the loop.

    • March 7th, 2012 at 16:12 | #129

      It’s traditional to not disparage the author of the solution for the way it is presented.

  94. Modder-eter
    March 7th, 2012 at 15:52 | #130

    Thanks a lot. You rule!

  95. calvin
    March 8th, 2012 at 18:37 | #131

    @JonERotn

    Thanks Jon!
    I kept having problems trying to find the consrv.dll file too. After your tip, it worked.
    You are a genius!

  96. March 13th, 2012 at 18:15 | #132

    I battled back and forth on this for about an hour after trying 100 other “fixes” people had advised. I’ve been a PC Tech. (officially and unofficially when I moved to copiers) for 20 odd years. My brain was about to implode when I found this solution, so thanks!

    For newbs: don’t give up. If you haven’t found the registry entry with ControlSet001 and ControlSet002, you are in the wrong place. (You may see CurrentControlSet and ControlSet001 and THINK you are in the right place and that they are just worded differently, but you would be wrong.) If you have a system that moves your normal boot drive to D:, try regedit on C: anyway, and, if necessary, D:. It will work if you are booting from a recovery/installation disc into the repair console. (Also, another clue that you are in the wrong place is that the “System” hive you go to choose will have a “System” file (with no clear file type) and a “System.txt” available for choice; that’s another indicator that you are in the wrong place; you should only see the “System” file without the file type; there should be no other selections available that say “System.”) THANKS AGAIN, OP!! And clarifiers!

  97. Michael
    March 13th, 2012 at 19:12 | #133

    My Son (also named Michael) and I repair computers for a living and were working on this Dell Inspiron 1546 which was infested with several viruses, had a rootkit, wouldn’t install updates and was very unresponsive when we first got it. There were several AVs running simultaneously, and I could write a small novel on all the steps we’ve taken with it (you know…one of those jobs where the usual fixes, as well as the not so usual fixes, aren’t working). We thought we had it to the point where it was working pretty well and were even going to forgo the ‘In-Place Upgrade’ that we had thought about doing. We ran ‘TDSS Killer’ which found and killed the rootkit that Malwarebytes kept finding and killing but would find again on every reboot. After running ‘TDSS Killer’, we ran Malwarebytes again and it found nothing. Many steps ago, we pulled off the existing AVs, so at this point (after following up the ‘TDSS Killer’ with Malwarebytes and finding nothing), there were no AVs currently installed (I read, while researching, that sometimes an AV can interfere with updates). We installed Microsoft Security Essentials and it did its thing and wanted a reboot. Upon reboot, we got the ‘STOP: C0000135’ error. Your fix, involving replacing the ‘Consrv’ with ‘Winsrv’ was a SOLID step that got us over that hurdle…just wanted to say, ‘Thanks for being there’…have a good one!

    Michael

    • March 13th, 2012 at 21:23 | #134

      Hey, thanks for taking the time to post. I’m glad this final step worked for you. It makes the effort worth it when you don’t have to end up with a Nuke & Pave!

  98. Matt
    March 21st, 2012 at 21:47 | #135

    Thank you so much!

  99. Sitou
    March 22nd, 2012 at 11:34 | #136

    Hello, I’ve followed the instructions but I can’t seem to find the following within the Windows hive:

    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

    Instead I have a whole bunch of hex values. I’m on a win 7 and since I cannot boot into windows at all I’m using the AVG Recovery CD to access the Registry Editor.

    I’ve tried all the drives but I get the same content for all windows hives. Help please, I really don’t want to clean up the whole system.

  100. Sitou
    March 22nd, 2012 at 13:18 | #137

    I tried laarka’s solution and it seems to have changed something. Now I get to my logon page but I get an error message then right after a BSOD but this time with a different message “STOP: 0x000000F4 (0x0000000000000003, 0xFFFFFA800BEFB060, 0xFFFFFA800BEFB340, 0xFFFFF800035D25F0)”

    Help please

    • March 22nd, 2012 at 13:32 | #138

      AFAIK an 0x0F4 is a paging file issue which means you might have a problem with your hard drive but that’s not certain. Here’s a reference to an 0x0f4 solution.

  101. Sitou
    March 22nd, 2012 at 13:45 | #139

    And now I’m getting the same error Stephan got:

    Stop : c000021a {fatal system error }
    The Windows subsytem system process terminated unexpectedly with a status of 0x c0000005 (0x77cee4B4 0x00daf350)
    The system has been shut down.

    :-(

  102. thierry
    March 22nd, 2012 at 13:52 | #140

    @Nick

    I love you!!!!!!!!!!

  103. Sitou
    March 23rd, 2012 at 08:36 | #141

    I got lucky! I had a week old backup that I was able to restore from. I had to use a Ubuntu live disc to dig it and move it to the right location! Thanks for all your help!

  104. Sachin Lakra
    March 25th, 2012 at 17:04 | #142

    Thanks A ton trying to fix my pc since last 6 hours At last Fixed it :)

  105. Dominik
    March 25th, 2012 at 21:34 | #143

    Hey, I stumbled over this blog on my smartphone, after I got exactly the same bluescreen and text. After reading all this I guess something critical of Windows is infected, or has been, after malwarebytes found it and I deleted it.

    My Problem is: How do I get into the registry editor? I don’t have a Windows cd/dvd or ubuntu to start with.

    Thanks beforehand

  106. Dominik
    March 26th, 2012 at 09:08 | #144

    @Dominik
    Ok, I’m in Ubuntu 11 right now, started it from DVD, but when I open the regedit through wine, the registry is almost empty.

    In HKEY_LOCAL_MACHINE\System there’s only the sub folders CurrentControlSet and MountedDevices, no ControlSet001 or ControlSet002

    I have tried to import an actual registry but I don’t know how in Ubuntu (wine)
    Does anyone know what I am doing wrong or how to import the right registry file?

    Thanks beforehand again

  107. Dave.
    March 30th, 2012 at 16:53 | #145

    Thanks for this info. You saved me a ton of time.

  108. Saintal
    April 3rd, 2012 at 07:59 | #146

    Thanks for sharing! Really awesome!!!!!!

  109. Brett Friitts
    April 9th, 2012 at 12:55 | #147

    Thanks, solved my problem

  110. Cyril
    April 12th, 2012 at 11:52 | #148

    You saved my life !!!!
    Thanks !!!

  111. S3TH
    April 14th, 2012 at 03:11 | #149

    I am only seeing drive X. I know I’m in the wrong spot because I’m seeing system file & system text. I go to cmd from repair tool and try diskpart to determine my drive and the option f “0” was not shown. I may be a supernoob for asking this but, I am running RAID 0, does that disqualify me from this solution? I cannot see why it would, but at this point I’m pretty “meh” and require sleep

    • April 14th, 2012 at 08:42 | #150

      Well, first of all personally I think it’s insane to be running RAID 0, you’re just asking to lose all your data. I don’t see anything though that says diskpart wouldn’t work under it (and since you can use it to set up a RAID…). I couldn’t understand your sentence about f “0” but what do you see when you run diskpart and do a “list disk”? Do you see your C: drive? If not, then obviously you’re going to have a problem making it the active drive (not to mention editing your registry). This would mean though that your recovery environment can’t see your Windows installation either, is that correct?

  112. S3TH
    April 14th, 2012 at 14:09 | #151

    Apologies for the poorly arranged post from earlier. Anywho, when I run list disk I get…
    list disk: “there are no fixed disks to show”

    I ran list volume getting “there are no volumes”
    and list partition as well getting “there is no disk selected to list partitions.Select disk and try again”

    I am not seeing anywhere to select a disk or I am simply ignorant as to how to do it =\
    As to the bit regarding my less than perfect sentence, “i go to cmd from repair tool and try diskpart to determine my drive and the option f “0” was not shown”: the “f” of ‘f “0”’ was a typo and the “0” portion of that was in reference to JonERotn’s post stating “diskpart ‘diskpart will display header information and put you into the diskpart con
    select disk 0
    list volume…”
    I simply do not see any disk to choose from. So yes, it seems my recovery environment can’t see my Windows installation either. Oh, and as to why RAID, this is strictly a gaming PC, externally backed up important stuff etc. I just want to beat this damn issue as a matter of stubborn pride >< . Thanks for your help and this useful thread. Back to work =P

    • April 14th, 2012 at 18:27 | #152

      RE: “I just want to beat this damn issue as a matter of stubborn pride” – I’m working on one of those right now myself.

      If we set aside the diskpart issue, when you get into the recovery environment can you run the first option, “Startup Repair”. Oh, and before you try that, just above it it should say something like: “Operating System: Windows 7 on C: Local Disk”. If that’s missing and/or you can’t successfully run Startup Repair, I’m guessing broken RAID.

  114. dieconsrvdie
    April 15th, 2012 at 08:59 | #154

    Oh. My. God. You saved my life. THANK YOU

  115. Daan
    April 19th, 2012 at 11:13 | #155

    Same here… THANK YOU.

    In my case it was TrendMicro that removed a simple BitCoin Miner.
    Took me 6 hours to resolve this.
    Thx again!

  116. Demain
    April 19th, 2012 at 17:47 | #156

    This solution worked great! THANK YOU!! For anyone having issues with editing the registry on a computer that doesn’t boot, just download the newest version of kaspersky rescue disk 10 boot cd (it’s free) which now includes a registry editor that will automatically connect to your offline registry.

  117. melina
    April 21st, 2012 at 12:16 | #157

    @Nick
    many thanks!!!!you save my computer’s life and me for saving money!!! many thanks again!!!

  118. Salah
    April 29th, 2012 at 18:08 | #158

    This worked for me. I used “Offline Registry Editor” to make the change.

  119. David
    May 1st, 2012 at 21:30 | #159

    6 hours in, I found this and it saved my expensive computer from being thrown into a lake. You sir, are my hero.

  120. akira
    May 2nd, 2012 at 08:16 | #160

    I love youuu! I was so close to reinstalling Windows. I’m no expert and couldn’t find the right file at first but then I followed instructions from “everettf” and my system works again!!! If you can’t see both ControlSet001 AND ControlSet002 under HKEY_LOCAL_MACHINE\SYSTEM be sure to follow instructions from “everettf”.

  121. SDJCL
    May 8th, 2012 at 11:35 | #161

    If the above instruction doesn’t work, try a simple registry restore.

    Rename the 5 registry files (system, software, security, sam and default) in c:\windows\system32\config to .bak,
    then copy the 5 backup registry files from c:\windows\system32\config\regback.
    Answer yes when prompted to overwrite.
    Reboot.

    • May 8th, 2012 at 12:02 | #162

      I don’t see why this wouldn’t work unless you recover to a registry version that still has consrv.dll referenced in it. In the latter case, you’ll still have the problem and a registry in a rather unknown state.

  122. Javier
    May 10th, 2012 at 18:26 | #163

    @Nick thanks, you saved me and my computer

  123. Skyler
    May 13th, 2012 at 17:39 | #164

    I have this problem on my wife’s machine, and when I insert the Windows 7 CD, I chose command prompt and typed “regedit” and it brought up the registry editor.

    The strings above are the way they should be. Am I missing an extra step? Something about loading hives, etc.? Is my registry editor, run from the command prompt from the Windows 7 CD, displaying the correct registry to fix? Thanks!

  124. Skyler
    May 13th, 2012 at 17:45 | #165

    @Nick

    Amazing! I didn’t realize what the above post in italics meant when it referred to the post on Jan 20th, because I didn’t realize that the site put me on the last page. THANK YOU for this invaluable information. YOU are AWESOME!

    (Got PayPal? haha!)

    Skyler

  125. Jennifer
    May 15th, 2012 at 13:32 | #166

    Every time I am in C: I type regedit, I follow all instructions, load hive, then I see double of all (example: system, system; one is a text document, the other is a file). BTW I have AVG installed.

  126. Jennifer
    May 15th, 2012 at 14:50 | #167

    “To use System Restore, you must specify which Windows installation to restore.
    Restart this computer, select an operating system, and then select System Restore”

    How do I select the OS? I have Win7. It’s an upgrade.

    • May 15th, 2012 at 15:10 | #168

      While System Restore might work to fix this problem, it is not the method I’m recommending to use here.

  127. Kate
    May 21st, 2012 at 14:46 | #169

    You are a Godsend. My computer was going along fine – I thought – then I did the latest updates and it installed MSE and SP1, etc. MSE popped up with a message that I needed to reboot and POOF! That bloody, miserable error! I did a system restore thinking it had something to do with the SP and the machine started up fine again – then I tried reinstalling the updates and it had the same effect. Found this post, followed the steps (I used Hiren’s 15.1 Boot disk and the PE registry editor), corrected the problem and rebooted – started right up and configured the newly installed updates with no further issues. Thank you SOOOOO much!!! You just saved me countless hours of beating my system into submission!!

    • May 21st, 2012 at 15:46 | #170

      You’re welcome. I’m glad this helped. I’m still getting 300-400 hits a day for this problem so you’re not alone.

  128. zubi
    May 31st, 2012 at 03:59 | #171

    hi, i’m facing the same issue and I have the
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems (exists)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems (doesn’t exist). should I create it or leave it alone, my machine still won’t boot (stuck on BSOD)…. please help!
    thanX in advance
    zubi

  129. R Tahir
    June 7th, 2012 at 02:39 | #173

    Very helpful blog indeed I wish to thank the blog article and the author for an extremely useful article not only w.r.t the removal of the changed file but also tremendously helpful for becoming an advanced user of recovery console.

    For what it’s worth I will add my experience, as it was with a production test server; maybe it will be helpful for someone next time. I had a Windows 2008 R2 server SP1 with latest updates installed, inclusive of Windows Defender and MSE (Microsoft Security Essentials); no backup of our single drive existed before this darned BSOD appeared. As instructed here I followed the step by step procedure to remove the consrv.dll. Prior to doing this I had already used the recovery console to copy essential application files to a USB storage device, then proceeded by

    1. loading the hive
    2. removal of entries in ControlSet 001 and ControlSet 002
    3. Unloading the hive

    Booting was successful; however, the task was not done. After a successful boot I manually searched for traces of consrv.dll and so forth, which I did find in the windows system 32 directory, and after removal of these traces a fresh full scan of the updated MSE (Microsoft Security Essentials) was performed. This fresh scan removed a couple of other trojans (which may be specific to my server). The point is that this whole process also works for a fully functional 64-bit production server.

    I personally believe now that Windows has evolved to become a powerful OS for the SOHO and medium sized enterprises with reference to application and DB being hosted on the same machine. On this blog I have seen people not satisfied with the recovery options. Recently I had the opportunity of working with S.U.S.E Linux in a large enterprise, and when it crashed, despite trying methods such as kernel repair and other block recovery methods, it took a whole 2 days to eventually recover from backups. However, with Windows 2008R2 in production environments it does not corrupt with power outages, and each time we have been able to recover from crashes at multiple sites and own sites with and without backups; credit is definitely due here. (See, on sandbox servers we perform extreme measures such as cutting off power from live servers, crashing drives using recovery methods and so on; despite what people argue about Windows today, as an OS, not other products, it has the fastest recovery rate and fault tolerance without support devices.)

    There are 2 things I would like to mention before I end my comment.

    1. Even if this does not work, there is a method in debugging mode where you can recover by identifying what entry in the registry has been changed what you will need is a serial cable (for connecting two machines, also called laplink) preferably same OS on both machines and enter debugging mode of the working machine, you will be able to trace the exact registry entries that were changed and where and fix the problem

    2. I forgot to mention what caused the error in my server in the first place. Yesterday morning for no apparent reason the machine rebooted. I assumed that it was a low voltage dip which the UPS could not handle and hence the reboot; however, the real culprit was this consrv.dll file or virus. What I did later in the day was update the server, install Windows Defender, run scans and also install MSE. MSE identified the threat and cleaned 99.8% of the problem; however, on reboot this BSOD occurred.

    Thank you for your time, and to whoever reads this comment thank you for bearing with this somewhat long comment

    regards to all riz

  130. SmartAceW0LF
    July 13th, 2012 at 12:08 | #174

    Just wanted to leave a note confirming this did in fact work for me. Thanks a trillion blue million!

  131. Albert
    August 13th, 2012 at 02:46 | #175

    Worked for me

  132. Boon
    November 6th, 2012 at 11:36 | #176

    I’m using win7 64bit. I don’t have \windows\system32 but I have only \windows\system64 and I tried but it doesn’t work as it should be the wrong folder!! what should I do!!! help mee plzzzzzz

    • November 6th, 2012 at 11:38 | #177

      Well, you need to look harder, you can’t run Windows without the System32 folder. Try changing folder options to show hidden and system files and folders. Maybe the virus hid System32

  133. Boon
    November 6th, 2012 at 14:35 | #178

    @admin

    Yeah, I think so. It should be virus and malware that hide system 32!!!!. Anyway if I have Ubuntu and I have other PC in Win 7 but 32bit, anything that I can do with these to help recovery??

    • November 6th, 2012 at 14:49 | #179

      I think one of the comments above has a suggestion for this. It goes something like this: Either slave the infected hard drive on the Ubuntu machine or boot the infected computer from an Ubuntu live CD. Find consrv.dll and delete or change it to consrv.vir. Then find winsrv.dll and copy it, naming the copy consrv.dll. This will cause the malicious registry entry to actually run the correct program. Restart Windows, fix the registry, profit. There are also Windows registry editing programs that run in Linux.

  134. Boon
    November 7th, 2012 at 08:55 | #180

    Hi,
    Now that I manually found winsrv.dll and copied it, naming the copy consrv.dll, I can go to the welcome screen but after that it will crash to blue screen again for another reason. What should I do? I am still trying to edit the registry by your method but it seems that some virus hides the system32 folder in my C:OS drive! I am so desperate now.

  135. Boon
    November 7th, 2012 at 09:01 | #181

    Or should I do like this; I have the non-genuine win7 64-bit CD installation with me. Should I install it in other partition and try to run malwarebyte to kill the viruses in my infected genuine C:drive? and then try to edit the registry again. What do you think?

    • November 7th, 2012 at 09:23 | #182

      Hej, You’re in over your head here and I’m not sure I can help you enough to get you out of it. You may be getting the blue screen from an MBR virus or some other driver or program that the virus put on the computer. To eliminate the possibility of MBR problems, you can follow these steps. Note that you can kiss your operating system, programs and data goodbye if something goes wrong here, but it is a good use for your Windows 7 boot disc. If the computer still boots to a blue screen after that, then you’ve still got a virus problem. You’ll need to boot to Safe Mode (if you can) and try to get Malwarebytes working.

  136. Jortiz
    November 28th, 2012 at 00:45 | #183

    Thanks a million.

  137. November 29th, 2012 at 03:30 | #184

    You are awesome. You saved one of my client’s machines. You are my hero !!!!

    BTW, be sure to load the system registry file from the c:\windows\system32\config registry in windows 7 64 bit edition (in this particular case.) and name it something of your choice, then edit the keys in controlset1 and controlset2, then unload the hive, then reboot the machine.

  138. Sam
    February 2nd, 2013 at 08:22 | #185

    I can’t load the hive because apparently “system” is already in use.

    • February 2nd, 2013 at 09:49 | #186

      Mmm, no. I’ve seen problems with permissions but if you couldn’t edit the registry because it was in use, you’d never be able to edit the registry. How are you mounting the registry?

  139. Sam
    February 2nd, 2013 at 09:55 | #187

    @admin

    I’m not extremely tech savvy so excuse me if I misinterpreted your comment. But I accessed /cmd via my windows disc and regedit ‘ed that way.

    • February 2nd, 2013 at 10:10 | #188

      So, if you are using Regedit after booting from a CD, you need to explicitly load the hive of the registry on your computer. My guess is you’ve run Regedit and you’re looking at the registry on the CD. Look at: http://technet.microsoft.com/en-us/library/cc759303%28v=ws.10%29.aspx. The hive you want to be loading is on your hard drive, probably C: under /Windows/System32/config. WARNING: You can permanently damage your Windows installation by messing with the registry

  140. Sam
    February 2nd, 2013 at 10:15 | #189

    @admin

    Apologies, I restarted and it worked this time, I must have done something wrong. I have no consrv where winsrv should be however, so I’m looking into other problems, many thanks anyway.

  141. Wesley
    February 15th, 2013 at 14:16 | #190

    Found a computer where this would not fix it. After digging around for several hours, I finally realized (with the hard drive in another machine) that the winsrv.dll file was dated more recently than the same file on another Win7 machine. I copied it from a working machine to the hard drive, and it has now booted up. Next step is to do some scanning and make sure there is no virus or rootkit still left behind…

  142. Brian
    June 16th, 2013 at 15:52 | #191

    Sir, I’m currently having the same problem, It implies “winsrv” already in the registry, what do I do If It already says “winsrv?”

  143. Brian
    June 16th, 2013 at 18:00 | #192

    Hello Sir, I’m currently experiencing the same problem. I have controlset001, however I do not have “controlset002”, and the fact is when I go to try to change “conserv”, it’s already “winsrv”. May you please help, thank you!

    • June 16th, 2013 at 22:05 | #193

      Well, AFAIK you don’t have to have a controlset002. However, if you are not seeing it, my first guess is that you are not looking at the correct registry. Are you sure you’re looking at the registry on your C: drive and not the one on your boot drive?

  144. Brian
    June 18th, 2013 at 19:56 | #194

    Well Sir, I’m not sure, however as soon as I turn on the desktop computer, I hold F8 to reach the point where it implies many options including “repair computer” (which I click) and then I submit the password of one of the users, and then I go to “command prompt” at the bottom of the list, and then I type “regedit” in the screen, and then “regestry Edit” appears. (Is that the correct registry sir?)

  145. R Tahir
    June 20th, 2013 at 16:57 | #195

    @admin

    Mr Boon should have followed your advice of looking for the system32 folder it sits right there in the windows folder hidden and masked as _system32 which happened in my case, as mentioned earlier (thread 35) I failed to mention it in my article posted by you, a comment is a too long word for it, we simulated this scenario once again in a security training session last year, I had even noted down the name of virus which caused this event in the 64 bit environment, I will try to locate the old paper notepad or ask for the name of the adware which caused this event by the trainees who attended the session, this much I remember that the BSOD was caused by malicious adware. regards R Tahir

  146. R Tahir
    June 20th, 2013 at 17:03 | #196

    @Brian
    Admin is right: if you are not seeing set 2 and consrv.dll then you are definitely looking at the wrong place. It happened with me as well; the first time I was looking at the wrong place. Follow the steps really carefully:

    1. load the hive (done properly u will see both sets)
    2. remove and repair (replace with proper entry)
    3. Unload hive

    Make a slight mistake anywhere and it simply won’t work.

  147. Brian
    June 20th, 2013 at 19:33 | #197

    Hello, R Tahir, I have loaded hive and I still haven’t seen “consvr.dll”

  148. Brian
    June 20th, 2013 at 19:46 | #198

    I have highlighted “HKEY_LOCAL_MACHINE” and then “file” at the top left of the screen, and “load Hive” and then “config” and then scrolled down to “system” on the list, and then replaced the entry name with “newuser”, or “Test_device”, and then I clicked the entry name in the regedit list in “HKEY_LOCAL_MACHINE”, and I still haven’t seen “controlset002”, only “controlset001”

  149. Brian
    June 23rd, 2013 at 14:25 | #199

    I have located “ControlSet002”, and I also see “ControlSet003” because I have clicked “computer” on the left hand side of the screen, and clicked a different “Hard Disk” setting which was “Recovery”. However I still haven’t seen “consvr” in the value data, it’s still “winsvr”. Do you have any suggestions of what to do Sir?

    • June 23rd, 2013 at 14:44 | #200

      It’s hard to give you personalised support on this because it’s difficult to know really what’s happening on your end. I will say that I can’t remember ever seeing a ControlSet003 but I know of no reason why that would be a problem.

      It’s not clear to me that you are opening the right registry. Make sure you are. You should be importing the System hive from your target drive. If you aren’t doing an import then you are probably not looking at the right registry.

      As noted in the post, there can be other reasons for the C0000135 error, it may be that you do not have the consrv virus problem. If you do, you should have been able to locate the consrv.dll file somewhere on your computer. If that program is not and has never been there (cleaned up by an antivirus program for example) then maybe this solution does not apply to you.
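The check that the replies above keep coming back to (is the “Windows” value in each control set of the loaded hive still the good one?), as an added example that is not code from the original post or its commenters. It compares the `ServerDll=` entries of an exported value against the known-good string quoted in the post; the function names and the sample values are constructed, and the baseline is assumed to be the right one for the machine being checked.

```python
import re

# Known-good "Windows" value for Windows 7 as quoted in the original post.
# Assumption: this is the right baseline for the machine being checked.
KNOWN_GOOD = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    r"ProfileControl=Off MaxRequestThreads=16"
)

# ServerDll=<dll>[:<init routine>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^\s:,]+)(?::([^\s,]+))?,(\d+)", re.IGNORECASE)


def parse_server_dlls(value):
    """Return the ServerDll entries as (dll, init_routine, index) tuples, lowercased."""
    return [
        (m.group(1).lower(), (m.group(2) or "").lower(), int(m.group(3)))
        for m in SERVERDLL_RE.finditer(value)
    ]


def audit_value(value, baseline=KNOWN_GOOD):
    """Compare the ServerDll entries of one 'Windows' value with the baseline."""
    expected = parse_server_dlls(baseline)
    actual = parse_server_dlls(value)
    return {
        "unexpected": [e for e in actual if e not in expected],
        "missing": [e for e in expected if e not in actual],
    }


def audit_control_sets(values):
    """values maps a control set name to its exported 'Windows' value (None if the key is absent)."""
    report = {}
    for name, value in values.items():
        if value is None:
            report[name] = "absent"
            continue
        result = audit_value(value)
        clean = not (result["unexpected"] or result["missing"])
        report[name] = "clean" if clean else result
    return report


# Constructed sample: ControlSet001 tampered, ControlSet002 clean, ControlSet003 not present.
SAMPLE = {
    "ControlSet001": KNOWN_GOOD.replace(
        "ServerDll=winsrv:ConServerDllInitialization",
        "ServerDll=consrv:ConServerDllInitialization",
    ),
    "ControlSet002": KNOWN_GOOD,
    "ControlSet003": None,
}

if __name__ == "__main__":
    for name, verdict in audit_control_sets(SAMPLE).items():
        print(name, verdict)
```

A "clean" verdict on every control set of the hive loaded from the target drive means the C0000135 error has a cause other than the consrv reference.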

  150. Brian
    June 23rd, 2013 at 15:18 | #201

    What do you mean by “importing the system hive from your target drive” sir?

  151. Brian
    June 24th, 2013 at 19:49 | #203

    Sir, how would I “import my system hive from my target drive?”

    • June 24th, 2013 at 20:26 | #204

      That question is the computer equivalent to “which end of this chain saw should I be holding?” It’s a very valid question, but if you have to ask it, you should not be messing with it (the registry). The link above gives a very clear description of how to load a slaved registry file.

  152. Brian
    June 25th, 2013 at 19:49 | #205

    Well evidently sir I haven’t seen the “consvr” in the “value data” in the Registry even when I proceeded to “load hive” on my recovery drive and the “Os drive”, would you by chance know of any other suggestions of what may be causing the problem if it’s not that, Or clearly what I haven’t done to locate the “consvr?”

  153. Raffae
    October 15th, 2013 at 23:33 | #206

    Hi sir, i got the same problem here. I already do all the thing like load hive and i had the controlset001 and controlset002 but still it state “winsvr” instead of “consvr”. What should i do? This is an office comp there is so many data in there.
    pardon for my broken english.

  154. November 23rd, 2013 at 20:04 | #207

    Thank you. I wouldn’t have thought to remove that edit. Got it all fixed and up and running again. Take care.

  155. Deborah
    March 29th, 2014 at 00:54 | #208

    Oh My Gosh, thank you, thank you so much!!!!! I know nothing about computers and got this frustrating virus. Read your article and I fixed it. So beautiful to see my desktop again. You are marvelous! xo

    • March 29th, 2014 at 12:45 | #209

      We live for feedback like this, thanks. Glad you’re up and working.

  156. oscar
    September 12th, 2014 at 08:44 | #210

    Well, for some people it worked but not for me. I followed the directions to the letter. I finally decided to reinstall, well, guess what, it didn’t work either. I think the final answer would be to buy a new hard drive.

  1. February 14th, 2013 at 01:03 | #1