Sometimes I hate Windows.

Surely, every OS has strong and weak points (I'm still using windows/linux dual-boot), but when something breaks for absolutely no reason, it is never funny.

Today I was supposed to spent a lot of time programming windows software. Unfortunately, at one point I had to reboot the system, and after reboot system went to hell.

For some reason, my network adapters disappeared from "Network Connections" folder (although they were still working), I couldn't start VPN connection anymore, connection sharing broke up, and shortly after startup I was greeted by message telling me that RPC could not start, and system will shutdown in 60 seconds. "Last working configuration" (F8 at the boot time) didn't help either, and of course I disabled system restore on all drives few months ago. System CD was lost too, although I still had copy of installation files.

Investigation (My Computer->Manage->Event Viewer) uncovered dozens of errors in system logs:

  1. Event ID: 4609

    The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of f:\xpsp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
  2. Event ID: 8193

    Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.
  3. Event ID: 1802

    The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
  4. Event ID: 7023

    The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
    The handle is invalid.
  5. Event ID: 7023

    The Security Center service terminated with the following error:
    The endpoint mapper database entry could not be created.
  6. Event ID: 7034

    The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s).

At first it looked as MsBlast virus comeback, but virus checking tool made by symantek didn't find the virus, and that vulnerability have been fixed long time ago.

in the end it looked like everything was tied to COM+ and access rights. Somehow access rights on %windir%\restore has been reset to "no access to anyone" and COM+ services couldn't start, but of course fixing access rights didn't fix the problem. Then I searched for instruction on reinstalling/resetting COM+ (google for "reinstall COM+" and you will find them yourself). There were couple of instructions but none fixed my problem. Error messages changed to

  1. Event ID: 4689

    The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\events\lcedisp.cpp(131), hr = 80040206: Failed to CoCreate EventSystem object.
  2. Event ID: 7000

    The COM+ System Application service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.

Somehow I managed to make my NICs visible again, but this didn't make VPN work.
I also tried to monitor processes with processmonitor (to find broken privilegies or missing files), but it quickly become evident that processmonitor is no match for strace/ptrace available on Linux. I was unable to reinstall COM+ completely, because of "Sub-component COM+ raised an exception while processing the OC_COMPLETE_INSTALLATION setup message" error.

In the end, after several hours of googling, swearing, and numerous failed attempt to fix the system, when I was about to give up and initiate full system reinstall, I finally remembered that system was transferred from older harddrive only week ago, and old system partition wasn't overwritten yet. A quick boot into Slackware Linux, ntfsclone+ntfsresize, and voila, I had working system again.

Why all this stuff happened, still remains a mystery to me.

My advice: if you ever encounter similar problem, and if you were unable to fix it in 30 minutes, forget about it, and do full reinstall. You'll waste less time. It also makes sense to keep system restore enabled, and backup system at least sometimes (nothing beats backup, even search engine). NTFS backup can be easily done from linux system, see "ntfsclone manual" for more info.

Links I've been using while trying to fix the system:

  1. How to clean up a damaged COM+ catalog on microsoft.com
  2. Reinstall COM+ forum discussion.
  3. COM+-related events may be logged in Event Viewer when you install Windows XP Service Pack 2 and join the computer to a domain
  4. W32.Blaster.Worm Removal Tool
  5. Linux-NTFS wiki
  6. Linux-NTFS manpages.