XP boot logging can reveal broken services

Earlier this week I was working on a laptop with a dying hard drive. There was some minor data loss, but I copied as much as possible to a new drive, fitted it and, amazingly, XP booted without a problem. It spent half an hour chugging away with various hard-to-identify services, and eventually demanded a restart. Unfortunately it then crashed at the welcome screen with the classic ‘PAGE_FAULT_IN_NONPAGED_AREA’. This is generally a RAM problem, but it coped cheerily with hours of memtest86+ so this seemed unlikely.

Given the possible data loss I’d normally run a repair install of XP at this point. The recovery CD was long gone, but it’s still possible to repair with the correct XP CD. Unfortunately ‘correct’ was problematic. XP has two different versions, Home and Professional, and each comes in three flavours: retail, upgrade and OEM. The CDs are, as far as I know, exactly the same apart from one file specifying which flavour the CD contains, and you can only run a repair install using the exact flavour of the original install. I suppose this is an extra security precaution, but given that you have to enter a valid (flavour-specific) product key it seems rather superfluous. This particular laptop had XP Home Upgrade installed, and I didn’t have one of those to hand. It’s possible to make one by extracting and changing the differing file on an alternative flavour (perfectly legal, as you still need the correct product key), but it’s a fuss. I figured I’d see whether there was an easier solution.

Safe mode worked, and showed the BSOD was at least leaving ‘minidump’ crash files. Unfortunately analysing one indicated the problem was with ‘ntoskrnl.exe’, which is way too general to be of use. The error logs didn’t help either. I uninstalled a few possible candidates without any luck, and was running out of ideas until I saw the ‘enable boot logging’ option in the F8 startup options. This records startup information to the ‘Ntbtlog.txt’ file in the Windows directory, and has never been all that much use in the past, but I enabled it anyway, let XP crash on a normal startup and checked out the file in safe mode. It listed all the running services, but anything related to Symantec was surrounded by question marks. I ditched the installed Symantec Client Security [1], and everything started working! I think this is the first time boot logging has solved a problem for me.

This is probably a bit specific to be of use to googlers, but I thought the boot logging thing was worth writing up.
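
As an added example (not part of the original post), the sketch below parses the text of an Ntbtlog.txt, splits it into one session per logged boot, and sets aside any line that carries question marks or does not parse, next to the drivers that did not load. The sample log is constructed, the function names are hypothetical, and the assumed line layout (a "Microsoft (R) Windows" header, a date line, then "Loaded driver" / "Did not load driver" entries) is not shown in the post.

```python
import re

HEADER = re.compile(r"^Microsoft \(R\) Windows")
ENTRY = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*)$")

# Constructed sample, not taken from the laptop in the post. How the "?" entries
# really looked is not shown on the page; the wrapped form below is a guess.
SAMPLE = "\n".join([
    "Microsoft (R) Windows (R) Version 5.1 (Build 2600)",
    " 4 20 2009 10:15:32.500",
    r"Loaded driver \WINDOWS\system32\ntoskrnl.exe",
    r"Loaded driver \WINDOWS\system32\hal.dll",
    r"?Loaded driver \SystemRoot\System32\Drivers\EXAMPLEAV.SYS?",
    r"Did not load driver \SystemRoot\System32\Drivers\examplefs.sys",
    "Microsoft (R) Windows (R) Version 5.1 (Build 2600)",
    " 4 20 2009 10:31:02.125",
    r"Loaded driver \WINDOWS\system32\ntoskrnl.exe",
    r"Did not load driver \SystemRoot\System32\Drivers\EXAMPLEAV.SYS",
])

def new_session() -> dict:
    return {"stamp": "", "loaded": [], "not_loaded": [], "odd": []}

def decode_log(raw: bytes) -> str:
    """Decode the file's bytes; honour a UTF-16 BOM if the log has one."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def parse_boot_log(text: str) -> list:
    """Return one dict per logged boot: stamp, loaded, not_loaded, odd lines."""
    sessions, after_header = [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if HEADER.match(line):
            sessions.append(new_session())
            after_header = True
            continue
        if not sessions:  # tolerate a log whose first header was lost
            sessions.append(new_session())
        cur, m = sessions[-1], ENTRY.match(line)
        first, after_header = after_header, False
        if m and "?" not in line:
            key = "loaded" if m.group(1) == "Loaded driver" else "not_loaded"
            cur[key].append(m.group(2))
        elif first and "?" not in line:
            cur["stamp"] = line  # date/time line directly under the header
        else:
            cur["odd"].append(line)  # carries "?" or does not parse: review by hand
    return sessions
```

To use it on a real file, read the file in binary mode and pass the bytes through `decode_log` before `parse_boot_log`; the `odd` and `not_loaded` lists of the crashing boot are the entries to look at first.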

  1. Actually I disabled the services as Windows Installer doesn’t work in safe mode – this is annoying