STOP: c0000135 – The program can’t start because consrv is missing. Try resintalling the program.

Getting this error?  Wouldn’t you know, it’s actually the product of a nasty little rootkit called ZeroAccess MAX++ of which you might be familiar.  The particular variant that causes this error actually uses the consrv.dll file to ensure it is able to load at boot on 64-bit systems.  As such, among other items, this rootkit drops a file called consrv.dll into the %SYSTEMROOT%\system32 folder.  It’s the reference to this file in the registry which wreaks said havoc once the file is removed by any means (antivirus, offline deletion, etc.).

To rectify the problem, you will need to gain access to the %SYSTEMROOT%\system32\config\SYSTEM registry hive remotely (whether by Recovery Console’s regedit and the Load Hive… command or by booting to another operating system and loading the hive in similar manner) and change an entry modified by the rootkit back to its default value.

The infected machine will have a modified string (REG_EXPAND_SZ) data of the Windows registry value in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems which looks like this:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
This value is wrong, and it’s the reference to consrv which is generating your c0000135 stop error.  Instead, change it to:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

This will solve the problem and enable the machine to boot.  Please note that you should also modify the same value in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\… for completeness.

For a little more background/ancillary info, on the machine I was repairing which experienced this issue, the rootkit was accompanied by an additional MBR bootkit of the family Rootkit.boot.Pihar.a.  TDSSKiller actually took care of this one and restored the clean MBR.  In addition, plenty of other malware was along for the ride (all of it predictably hidden by the rootkit combo).  It was a nasty situation, but nothing I couldn’t handle. 😉
I hope you have found this case study useful.  Please let me know if it has helped you!

33 thoughts on “STOP: c0000135 – The program can’t start because consrv is missing. Try resintalling the program.

  1. Hey, I followed your guide, I’m having the same error, Just cleaned my machine with antivirus and wont boot. Loaded regedit pointed to my C: drive from BartPE and the registry value is already correct… Still get the error.. What else could cause this?

    Thanks, Nathan

  2. Never Mind! I was actually editing the registry of something else..lol.. I needed to load a remote SAM and point to the C:\windows\…… location of the registry files, the instructions work great and fixed my computer after windows security essentials cleaned it, i changed controlset 1 & 2 as you advised… thanks very much

  3. Hi, I have this problem. I would like to follow your guide, but actually if i use Windows Vista Installation CD, after it loads windows files, it get stucked on a black screen. there is other why to get access to my registry? i have seen BartPe or UBCD4WIN but both doesnt support vista, so i dont know if it is still usefull make a cd with XP…
    thanks for help…

  4. Hey Sam,

    Actually, it doesn’t matter what Windows version or flavor the PE disc you choose is based on. Provided you have access to the Windows registry hives of the infected machine, that’s all you need.

    -Steve

  5. I have the same problem. when I run regedit with from win/7/ultimate
    i see:
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    and
    consrv.dll is in system folder
    should I:
    1. manually delete consrv.dll
    2. reboot with windows 7 cd and run :recovery consoles regedit load hives and edit changing the consrv line.
    3. reboot hopefully problem solved

    Sorry to take your time much appreciated

  6. Hey Steve,
    One more quick question.
    What is the potential risk of the virus.
    For example: Should I be worried that someone is mining all my personal info off my computer or gleaing my online banking info etc.

    In short what is happening when this consrv.dll is setting there in my system folder.
    Thanks again dennis

  7. Hey Dennis,

    1. Rather than delete the file, I prefer to rename it to something like consrv.dll.vir to allow for reversible changes in case it’s necessary.
    2, 3. Yep, that’s right. If you want to be extra careful, it’s never a bad idea to back up the registry hives before working on them also.

    As for privacy implications, yes, ZeroAccess is actually known to steal information. Although details are scarce regarding which variants do what, it’s safe to assume your data is at least partially at risk if you’re infected by it.

    Here’s a little bit of info on this particular variant from the MMPC:

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin64%2FSirefef.B

    It doesn’t mention a backdoor component, but that’s because this specific article is written about the downloader component, which is related to the consrv.dll file.

    Anyway. just to be safe, it’s always a good idea to change all of your passwords and keep an eye on your financial information following such a deep-rooted infection…

    -Steve

  8. Hey steve,
    Thanks for helping me out on this.
    I tried procedure through windows 7 disc but really wasn’t sure what i was doing. I gave up!
    I then cloned my hard drive for backup. I simply ran regedit within windows 7 and made changes to set001 and set002 rebooted winsrv.dll changes were still there so I renamed consrv.dll to consrvbak.dll rebooted and she booted right up and all changes were still there.

    Have we fixed this I hope so.

    I visted your website and am impressed. Do you offer remote system virus scans and removal instructions. Of course I would be a paying a customer. If so let me know and I’ll give you a call to discuss arangements price etc.

    Thanks Dennis

  9. Hey Dennis,

    Sure, I’d be pleased to. Truthfully, remote disinfection isn’t as commonly done as other remote services, simply because it is in fact less effective overall than on-site (as I generally leverage a custom build of a remote operating system to do much of my diagnosis on a compromised system), but of course it is entirely possible. In your case, especially since you seem to have solved the primary culprit behind your woes, some ancillary cleanup very well may benefit you. I perform manual removal followed by more conventional cleanup procedures, so I can certainly check it out for you and have it running as it should. 🙂

    Just drop me a line whenever you have the chance (I’ve got a packed schedule also at this very moment) and we can work out a time/date. The whole procedure, including any additional tune-up measures (if you’d like those performed) probably wouldn’t take longer than 1-1.5 hours anyway.

    And thanks again for the kind words! I’m thrilled you found my site useful. 🙂

    -Steve

  10. Pingback: Avvio impossibile di Vista - probabile rootkit

  11. Hi Steve, actually i had problem with getting access to my registry, but with an xPUD bootable disc, i navigated to system32 folder and i created a copy of winsrv.dll and then i renamed as consrv.dll. in this way i was able to stop temporary this error and make the pc boot.
    so i have founded new problem. first of all, if i start normally windows, i’m able to just arrive to screen log (where i can choose user to log) and if i’m fast i can type the pw and try to log but in anycase (if i start to log or not) the pc reboot, with no apparent reason (it seems it runs out of time and reboot).
    in safe mode it is stable: so i tried ddr.scr (from bleepingcomputers.com) with a crash dump error. combofix (if i start normally it get stucked on installation procedure) if i run as combofix /killall i got a crash dump error, if i run as combofix /nombr i got a crash dump error but when i reboot the pc it start a checkdisk, then i tried tdsskiller with no results. i wanted to try a scandisk but after i plan it trought command prompt when i poweroff the pc i got a crash dump and then no scandisk starts rebooting…

    if you please you can also follow all my try, here:
    http://www.bleepingcomputer.com/forums/topic428388.html

    if you can help me somehow i would really be thankful.
    sam

  12. Hey Sam,

    It’s probably still loading a malicious driver someplace. The services continue to load even as logon takes place, and especially if a filesystem filter driver or something else of the sort is to blame, it could easily trigger a stop error/reboot. Out of curiosity, is your machine set to reboot automatically upon system crash?

    -Steve

  13. Hey Sam,

    I was following your thread on BC and I saw that you have received a stop error code of c000021a. It is a good idea to continue following their advice as they are also experts on this matter, and plus, they prefer you stick to their procedure as opposed to trying things on your own from other sources (such as myself ;-). However, I can tell you that, as I previously thought to be the case, it is very likely that you have an infected system file on your hands; most likely an .exe. I have a post about this issue as well:

    http://triplescomputers.com/blog/?p=25

    You should be able to get this resolved once you locate the culprit. They will help you do this I’m sure.

    Good luck, and keep me in the loop! 🙂

    -Steve

  14. Hi Steve,
    just to update you, after a registry fix elaborated by Elise025 from Bleeping Computers, i was finally able to boot normally the pc.
    and thanks to a scan with ComboFix, also the winodws dvd started to work normally (actually i’m able to boot from the dvd)
    if you wanna see all the story you can check the thread
    http://www.bleepingcomputer.com/forums/topic428388.html
    thank for your support! 🙂

  15. Thanks for saving my weekend !
    For users that have 2 win OS’s on 1 machine, wherof 1 has the startup problem, this was the way I loaded the registery of the infected OS for edit into regedit f the good OS:
    open regedit.exe on the good Win OS
    Select HKEY_LOCAL_MACHINE folder.
    Regedit->file->Load hive, now navigate to your infected machines //Windows/system32/config folder and select the file SYSTEM.
    Regedit now asks you to give this hyve a name: for example use `infectedsysreg` and press OK.
    From now on you have a new folder under HKEY_LOCAL_MACHINE/infectedsysreg that you can edit as described above.
    Don’t forget to select HKEY_LOCAL_MACHINE/and press Regedit->file->unload hyve when you are done.
    Cheers and thanks.

  16. Sam,

    Thanks very much for the update. I’m glad your issue was resolved and I’m sure your feedback will help others in the future with the same problem!

    Till our paths cross again,

    Steve

  17. OMG!!!!!

    Thank you so F*&^%$ much!! you literally saved me man, instructions could have been a bit more detailed for people not used to editing registry, but really that is beside the point. Your info was dead on, and completely fixed my problem, as far as i can tell, at the very least im not dead in the water anymore, THANK YOU STEVE

  18. Hi, I appreciate all the information offered here. All the syptoms match my own and I followed the advice. I loaded the hive but could not find consrv. But Im wondering if I did something wrong as I could not find the registry entry control 002, just 001. The hive I loaded was as suggested: in the system 32 folder. Any ideas. Thanks

  19. I decided to use System Restore to the point before Mcafee eliminated the virus. Looked in the registry and found and changed the consrv to winsrv. Now running a Dr web Live USB scan and hoping for the best:)

  20. Hey Chris,

    Be sure that when you reboot you follow up with a check for rootkits. I’d recommend a scan with TDSSKiller, then ComboFix in
    this case followed up by Malwarebytes if you can’t handle any manual removal. It sounds like you’ll have it licked after that! 🙂

    Let me know how it goes.

  21. Thanks Steve! It worked perfectly.

    I used the Avira offline Linux rescue scanner which found the consrv.dll file and renamed it, but I was unable to boot into safe mode to finish the cleanup until I found your article.

    Note:
    People may also want to check for btwusb.dll and nisum.dll. These were reported alongside consrv.dll in the Avira scan.

    I highly recommend that anyone removing malware start with a tool that does not require booting the infected operating system, such as Avira’s excellent free rescue disc or other Linux-based scanners.

  22. Yes, I agree, offline removal is truly the way to go. I even prefer manual removal using tools like OTL to any other method these days.

    And thanks for the tip on the other two files! Yes, there is very likely other malware at work if you find these symptoms apply to your PC. Even ZeroAccess by itself is quite a multifaceted and complex threat with many different components.

  23. So, I looked in the control set, and it was already set to winsrv, but it is still giving me the bsod, but mine is saying “%hs is missing from your computer”. Any ideas?
    Thanks!

  24. My issue is exactly as Jeff’s the last post, I looked in my registry and it’s already showing winsrv, but I still get the BSOD about the %hs is missing.

  25. I received this bluescreen after using Malware Bytes to remove a suspicious virus, and when I restarted my computer, I got the blue screen. I have checked the registry on the computer in question, and all the entries already specify winsrv as the file.

  26. Hey guys,

    Sorry I missed the most recent questions.

    Skyler:

    If it’s specifying consrv in the Stop Error, it most certainly exists in the registry hive as well. Be sure to check all of the ControlSets when parsing the hives. It could very well exist in one but not in the others. Also, make certain you are searching the REMOTE registry hives and not the ones loaded for whatever bootable operating system you happen to be using for the task. Let me know your progress!

  27. WHEW this junt was nasty, but this was ultimately the answer. Hard to hunt down this precise solution, you should add some keyword spam or something to make this a more prevalent result. I tried different combos of AVG, consrv, vista. Theres some stupid solution circulating that renaming the AVG folder fixes the problem (obviously didn’t do the trick.) Lots of forums of people posting massive logs, etc no help. Thanks a lot. God what a pain. SSS stands for Syanara, Schizo Struggles

  28. I Have not installed avg or avast but quick heal help me with this error……..please anyone……and please explain it properly because i am an average pc user.

  29. hello-I have done exactly as your guide has mentioned. Howevermy problemis finding “controlset002″… I found controlset001 but not the other. Inside controlset001 under windows i did not find any consrv to change! Any tips where I could possibly find 002???

    Thanks

  30. Hi Tiko,

    It isn’t absolutely necessary to change the other ControlSets, but you have to get whichever one currently corresponds to the OS’s “CurrentControlSet”. If you cannot find the entry elsewhere, it probably doesn’t exist. I’d simply reboot next and see if that took care of it. 🙂

    -Steve

  31. Hey Steve

    I looked through the regkey but it was already set to winsrv.dll but my problem still remains. I was infected with sirefef and presumably Avast has deleted it but now windows doesn’t get past the “Windows Starting” screen and when I try the safe mode I get the infamous STOP: c0000135 error. I would be really grateful if told me how I could take care of it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.