Windows systems include several critical directories, such as Windows System32. Missing files, anomalies, or the appearance of new files in these directories can lead to serious consequences. Here are some common examples, with more cases to be added as they emerge.
1. Drivers directory: C:\Windows\System32\drivers
This directory stores system driver files. Sort it by date, newest first, to see the most recently introduced drivers (newly installed software that bundles older drivers can also cause problems). Process Explorer can be used to identify which software loaded a driver. It is advisable to check the official website of the software that introduced the driver for the proper removal procedure; removing a driver blindly may destabilize the system. Refer to this case: https://cloud.tencent.com/developer/article/1957099
Poorly compatible drivers can cause blue screens, system freezes, unresponsive remote desktop or VNC sessions, memory leaks, and so on. For example, a memory leak case: https://cloud.tencent.com/developer/article/1948812
2. CatRoot directory: C:\Windows\System32\CatRoot
After C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} was accidentally deleted, the system malfunctioned and reported a "Critical Service Failed" error, code 0xC000021A. All F8 options, including the three safe modes (Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt), were also inaccessible and showed the same error.
Solution: under WinPE, copy the files from a functioning system with a similar configuration back to their original locations. After a restart, the machine boots into the system normally.
3. CatRoot2 Directory: C:\Windows\System32\CatRoot2
CatRoot and CatRoot2 are related to Windows Update; avoid modifying these two directories if at all possible. Anomalies in them directly affect updates and, in severe cases, can prevent the system from booting. If updates fail, try the following commands one by one (the Windows Installer service is named msiserver):
net stop msiserver
net stop cryptsvc
net stop BITS
net stop WUAUSERV
Ren c:\windows\SoftwareDistribution SoftwareDistribution.bak
Ren c:\windows\system32\catroot2 catroot2.bak
net start msiserver
net start cryptsvc
net start BITS
net start WUAUSERV
4. The assembly directory: C:\Windows\assembly
If this directory is empty, running .msc consoles may fail. Reference: https://cloud.tencent.com/developer/article/1936608
Solution: copy the directory from a functioning system and replace it under WinPE.
5. C:\Windows\System32\*.dll
Damage to some .dll library files in C:\Windows\System32\ and some .sys driver files in C:\Windows\System32\drivers\ can prevent the system from booting.
I have encountered such a case: https://cloud.tencent.com/developer/article/1871412
Solution: copy the files from a normal system, replace them under WinPE, and then refer to https://cloud.tencent.com/developer/article/1930775
6. Fonts directory, C:\Windows\Fonts
This directory stores font files, but viruses and trojans favor it as a hiding place.
Since this directory does not appear as a regular folder in the UI, abnormal files inside it are hard to spot; refer to https://cloud.tencent.com/developer/article/1613296
7. C:\ProgramData\Microsoft\Windows\Caches\*.dll
By default this directory contains no .dll files. If one is present, it may be a virus or trojan exploiting the location. I encountered a case before where the system could not boot and just kept spinning; none of the F8 options allowed the system to boot, although it was possible to enter the system through Safe Mode.
https://cloud.tencent.com/developer/article/1938502
A registry entry can be used to relocate C:\ProgramData. Changing the location of the ProgramData directory is generally not recommended because many processes depend on it; I have encountered cases where relocating it caused system anomalies. https://cloud.tencent.com/developer/article/1935717
8. If the aero* theme is missing from C:\Windows\Resources\Themes\, the graphical interface may not be displayed.
Solution: Copy from a functioning system and replace under WinPE.
9. AppLocker directory, C:\Windows\System32\AppLocker
This directory is an empty folder by default, but deleting it may cause abnormalities in the Start menu.
sihost.exe (Shell Infrastructure Host) handles everything related to the OS shell and cannot be terminated.
Start menu errors are generally caused by ShellExperienceHost (abbreviated SEH, from the initials of its three words) failing to launch. Checking Task Manager at the time, we did not find SEH running, and there were no crash errors for SEH in the application log. The failure most likely occurs while sihost.exe attempts to activate SEH.
The deployment of the package Microsoft.Windows.ShellExperienceHost_ was blocked by AppLocker.
Procmon shows a CreateFile call on C:\Windows\System32\AppLocker\APPX.AppLocker returning PATH NOT FOUND.
On the problematic machine, the AppLocker directory in C:\windows\system32 did not exist, whereas on a normal machine it is present and typically empty by default.
Creating a new folder named AppLocker and then clicking the Start menu made it work correctly.
Alternatively, third-party software such as StartIsBack (compatible with Windows 10 but not Windows 11; the Windows 11 equivalent is StartAllBack) can turn the Start menu into a classic menu.
10. C:\Windows\System32\appmgmt. Do not be fooled by an empty subdirectory: Windows is vast and intricate and full of pitfalls, and a directory that looks empty is not one you should delete. The AppLocker directory above is a prime example.
"appmgmt" refers to a service; "sc qc appmgmt" queries the configuration of the appmgmt service in Windows.
sc qdescription appmgmt
Description: Handles installation, removal, and enumeration requests for software deployed via Group Policy. If this service is disabled, users will not be able to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, all services that explicitly depend on it will fail to start.
11. C:\Program Files\Cloudbase Solutions is a system component; disabling or deleting it may affect functions such as system password reset. For details, refer to https://cloud.tencent.com/developer/article/1883449
12. C:\Windows\System32\config
(1) The system was inaccessible, reporting that the registry file C:\Windows\System32\config\SYSTEM was corrupted. After replacing it with C:\Windows\System32\config\RegBack\SYSTEM and rebooting, a blue screen appeared with BAD SYSTEM CONFIG INFO. After replacing the entire registry with the backups from C:\Windows\System32\config\RegBack, including DEFAULT, SYSTEM, SOFTWARE, SECURITY, and SAM, the system rebooted successfully, recognized the hardware correctly, and could finally be entered.
(2) The system booted extremely slowly, and C:\Windows\System32\config\RegBack\SYSTEM was found to be 1.5GB. Microsoft's dureg tool or third-party registry software can identify which subkey is the largest. With a backup in hand, delete the anomalous subkey to reduce the size of the SYSTEM hive, then restore it to the original system and compare the startup behavior.
[Issue Cause] A driver problem bloated the SYSTEM hive to 1.5GB, causing the system to fail to load. Investigation traced the source, related to "mouse sideband", to Multipoint Service.
http://www.yourpcdrivers.com/drivers/src-mouse-sideband-1/59349/89da474cc143387cfaa1964e5cae19eb
Why 1.5GB? Refer to the following:
https://docs.microsoft.com/zh-cn/windows/win32/sysinfo/registry-storage-space
Open Registry Workshop, then File → Load Hive. Next, we usually only need to review the properties of ControlSet001, ControlSet002, and CurrentControlSet. The total number of subkeys gives a preliminary assessment: more than 10,000 entries is a red flag.
Follow the trail: when a registry key has too many subkeys, double-click to expand its sub-subkeys; expanding by entry count quickly narrows down the problematic location. Observed behavior: when there are too many sub-subkeys, loading is extremely slow or the editor becomes unresponsive. Once the abnormal key is found (one that is not a critical system key), it can be deleted in bulk. Note: back up the registry before performing any operation.
Previously we used "view properties, double-click to expand" to observe subkey counts. Now we apply experience to pick out likely abnormal subkeys: within the Enum subkeys, for example, prioritize those enclosed in curly braces {}. This approach locates problematic registry keys quickly.
When attempting to delete SRCMouPdo, it could not be removed and a permission error was prompted, indicating insufficient permissions. Inspecting the attributes showed that only the "system" user can make changes. This situation requires privilege escalation (first set the "system" user in the attributes; if that does not work, proceed with privilege escalation). Refer to the following steps: https://cloud.tencent.com/developer/article/1880777
Finally, place the processed SYSTEM registry back onto the original machine via WinPE, execute `chkdsk /f` to check for file system errors, and reboot to verify the effectiveness; the system should quickly boot up.
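The "more than 10,000 subkeys" check described above can be scripted against an offline SYSTEM hive instead of expanding keys by hand. The following PowerShell is an added example, not code from the original article; the hive path D:\case\SYSTEM and the mount name TempSys are assumed placeholders.

```powershell
# Added example, not code from the original article: find bloated keys in an offline
# SYSTEM hive using the article's "more than 10,000 subkeys" rule of thumb.
# Run from an elevated PowerShell (e.g. under WinPE). Assumed placeholders: the hive
# copy sits at D:\case\SYSTEM and is mounted under HKLM as TempSys.
param(
    [string]$HivePath  = 'D:\case\SYSTEM',
    [string]$MountName = 'TempSys',
    [int]$Threshold    = 10000,
    [int]$MaxDepth     = 4     # Enum\<bus>\<device>\<instance> is three levels down
)

function Find-BloatedKeys {
    param([string]$Path, [int]$Depth)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    if ($key.SubKeyCount -ge $Threshold) {
        # A key with this many children is the finding itself; it is deliberately not
        # expanded, because enumerating it is what makes registry editors hang.
        [pscustomobject]@{ SubKeys = $key.SubKeyCount; Key = $key.Name }
        return
    }
    if ($Depth -le 0) { return }
    foreach ($child in $key.GetSubKeyNames()) {
        Find-BloatedKeys -Path (Join-Path $Path $child) -Depth ($Depth - 1)
    }
}

reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
try {
    # Select\Current names the control set the machine really boots with;
    # CurrentControlSet is a link that does not exist inside an offline hive.
    $current = (Get-ItemProperty -LiteralPath "HKLM:\$MountName\Select").Current
    "Active control set: ControlSet{0:D3}" -f $current

    $roots = Get-ChildItem -LiteralPath "HKLM:\$MountName" |
        Where-Object { $_.PSChildName -like 'ControlSet*' } |
        ForEach-Object { "HKLM:\$MountName\$($_.PSChildName)\Enum" }

    $findings = foreach ($root in $roots) {
        if (Test-Path -LiteralPath $root) { Find-BloatedKeys -Path $root -Depth $MaxDepth }
    }
    if ($findings) { $findings | Sort-Object SubKeys -Descending | Format-Table -AutoSize }
    else { "No key under Enum reaches $Threshold subkeys; lower -Threshold or raise -MaxDepth." }
}
finally {
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release key handles first
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Keys readable only by the "system" account (such as the SRCMouPdo case above) are skipped silently, so their parent key is what shows up in the listing.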
13. C:\Windows\System32\ucrtbase.dll
If this file becomes corrupted (for example, during an update), it can cause a blue screen that prevents access to the system. The machine's safe mode options are also inaccessible, and repairing the boot loader does not help; the error reported is 0xc000007b.
From the logs, it appears that C:\Windows\System32\ucrtbase.dll is corrupted. After replacing this file from a functioning system, the system booted successfully, but other issues were still identified. Analyzing the logs suggests that the problem might have occurred during the update process, with multiple files being corrupted. Therefore, it was decided to back up business data and reinstall the system.
14. C:\Windows\System32\perf*.dat
C:\Windows\System32\perfc009.dat
C:\Windows\System32\perfd009.dat
C:\Windows\System32\perfh009.dat
C:\Windows\System32\perfi009.dat
If these four files are missing or corrupted, the consequences can include: remote access failing (the remote service stops on its own shortly after the certificate warning screen with the yellow exclamation mark), Server Manager showing a red "refresh failed" error at the top right and being unable to retrieve the role list when installing or uninstalling roles, Wireshark failing to install Npcap, and Disk Management being unable to operate on disks.
After copying these four files from a normal system and replacing them under WinPE, the issue was resolved. References:
https://cloud.tencent.com/developer/article/2029140
https://cloud.tencent.com/developer/article/2029138
https://cloud.tencent.com/developer/article/2043666
15. Missing Files in C:\Windows\System32\DriverStore Directory
I have encountered a situation where the subdirectories under C:\Windows\System32\DriverStore\FileRepository exist, but the files inside them are missing. This causes new machines with custom images to be unable to recognize complete drivers, leading to issues such as a functional keyboard, a non-responsive mouse, and the inability to properly load network adapters.
From a normal system, I took the C:\Windows\System32\DriverStore directory and replaced it entirely under WinPE, after which it returned to normal.
16. The C:\Windows\apppatch directory contains an unusual .sdb file, with the filename including the keyword CA4A560E.
Phenomenon: login stalls at "Please wait" and "Please wait for the User Profile Service". Disabling driver signature enforcement allows a normal login.
This is the most difficult problem I have encountered, so I wrote a separate document: https://cloud.tencent.com/developer/article/1942103
17. The critical file C:\Windows\System32\svchost.exe is missing.
Phenomenon: Black screen
Solution: Retrieved the file from a functioning system and restored it to the original location under WinPE.
Under normal circumstances, both the `system32` and `syswow64` directories contain a `svchost.exe`. In an abnormal system, using WinPE and Everything to search reveals the absence of `C:\Windows\System32\svchost.exe`. You can simply copy the file from a normal system and place it back in its original location.
In addition, the 360 System Emergency Kit run under WinPE detected a trojan named svchcst.exe. The absence of C:\Windows\System32\svchost.exe may be related to this trojan.
Used Registry Workshop to search globally for svchcst.exe and found that the malware had registered a service. Deleted the malware file, cleaned the registry, restored svchost.exe, and successfully entered the system, then ran a full system scan with security antivirus software.
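Most of the checks scattered through sections 2, 3, 4, 6, 7, 9, 10, 13, 14, 15, 16 and 17 come down to "does this path exist, and does it match a healthy system". The following PowerShell is an added example, not code from the original article; it assumes the system under repair is mounted at C:\ and a healthy system of a comparable build at D:\ (both placeholders), and it only reports, never deletes.

```powershell
# Added example, not code from the original article: audit the locations this article
# lists against a known-good reference system. Meant to run from WinPE with the broken
# system's volume mounted as C:\ and a healthy, similar-build system's volume as D:\
# (both paths are assumed placeholders). The script only reports; it deletes nothing.
param(
    [string]$Target    = 'C:\',
    [string]$Reference = 'D:\'
)
$Target    = $Target.TrimEnd('\') + '\'
$Reference = $Reference.TrimEnd('\') + '\'

# Directories that must exist even when empty (sections 2, 3, 4, 9, 10, 15).
$requiredDirs = 'Windows\System32\AppLocker', 'Windows\System32\appmgmt',
    'Windows\System32\CatRoot', 'Windows\System32\CatRoot2', 'Windows\assembly',
    'Windows\System32\DriverStore\FileRepository'
# Files whose absence or corruption the article ties to boot, RDP or role-management
# failures (sections 13, 14, 17); each is hashed against the reference copy.
$requiredFiles = 'Windows\System32\svchost.exe', 'Windows\SysWOW64\svchost.exe',
    'Windows\System32\ucrtbase.dll'
$requiredFiles += 'c', 'd', 'h', 'i' | ForEach-Object { "Windows\System32\perf${_}009.dat" }

foreach ($d in $requiredDirs) {
    if (-not (Test-Path -LiteralPath ($Target + $d) -PathType Container)) { "MISSING DIR   $d" }
}
foreach ($f in $requiredFiles) {
    $t = $Target + $f; $r = $Reference + $f
    if (-not (Test-Path -LiteralPath $t -PathType Leaf)) { "MISSING FILE  $f"; continue }
    if ((Get-Item -LiteralPath $t).Length -eq 0) { "ZERO-BYTE     $f"; continue }
    if (Test-Path -LiteralPath $r -PathType Leaf) {
        $ht = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
        $hr = (Get-FileHash -LiteralPath $r -Algorithm SHA256).Hash
        # Hashes legitimately differ across builds or installed perf counters, so a
        # mismatch is a prompt to compare versions, not proof of corruption.
        if ($ht -ne $hr) { "HASH DIFFERS  $f" }
    }
}

# Locations where a file should not normally be present at all (sections 6, 7, 16, 17).
Get-ChildItem -LiteralPath ($Target + 'ProgramData\Microsoft\Windows\Caches') -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { "UNEXPECTED    $($_.FullName)  (no .dll belongs here)" }
Get-ChildItem -LiteralPath ($Target + 'Windows\Fonts') -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -notin '.ttf', '.ttc', '.otf', '.fon' } |
    ForEach-Object { "REVIEW        $($_.FullName)  (non-font file in Fonts)" }
Get-ChildItem -LiteralPath ($Target + 'Windows\apppatch') -Filter *.sdb -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-Path -LiteralPath ($Reference + $_.FullName.Substring($Target.Length))) } |
    ForEach-Object { "REVIEW        $($_.FullName)  (.sdb absent on reference system)" }
Get-ChildItem -LiteralPath ($Target + 'Windows\System32') -Filter 'svch*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'svchost.exe' } |
    ForEach-Object { "REVIEW        $($_.FullName)  (svchost look-alike name)" }
```

Every line it prints is a lead to confirm by hand (the article's own method: compare with the working system, then copy back under WinPE); it does not decide for you.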
18. C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
Patch installation failed, displaying the error code 0x8007371 and the path \registry\machine\Schema.
Corruption or absence of SCHEMA.DAT can cause an update error.
Renamed the SCHEMA.DAT file, then rebooted the machine. Running control.exe /name Microsoft.WindowsUpdate opens the update interface to check for updates, automatically generating a new SCHEMA.DAT file. The updates can also be installed correctly.
19. For other critical Windows directories, refer to https://cloud.tencent.com/developer/article/1618592