Friday, June 5, 2009

Pointsec for PC: Failed to load osdgina.dll

I ran into a problem today that I hadn't seen yet and I'd like to share it with you.  I was asked to uninstall Pointsec from a laptop that had been encrypted when it wasn't supposed to be.  Obviously this is a rare occurrence, but it was proper so I went ahead and removed Pointsec.  After the reboot, I couldn't log into Windows.  Instead of the normal log in screen, I had an error message.

The logon user interface DLL osdgina.dll failed to load.
Contact your system administrator to replace the DLL
or restore the original dll.

OK, this was a new one for me.  I started by doing some digging on what osdgina.dll is.  As soon as I knew what osdgina.dll is, I knew what the problem was.  We use Microsoft System Center (formerly SMS) to image our workstations, and Pointsec is installed as part of the imaging process.  When a computer is being imaged by SCCM, the normal gina (msgina.dll) is replaced with osdgina.dll.  In this case, OSD stands for Operating System Deployment.  The osdgina.dll makes it so that the computer can boot up and finish the imaging tasks without having users on the system.  You could think of it like single user mode in UNIX.  When Pointsec installs, it first backs up the registry setting for the current GINA, which is normally msgina.dll, but since it is in the OSD environment, the value is osdgina.dll.  Then Pointsec installs and changes the active GINA to pssogina.dll.  

Everything works fine and life goes on.  But when I uninstalled Pointsec from this machine, the uninstaller removed pssogina.dll and replaced the registry entry that pointed to osdgina.dll (which is no longer present on the machine).  When the computer rebooted it looked for osdgina.dll and couldn't find it, thus the error message.

The Fix:
Now that I knew what the problem was, I knew how to fix it.  I took out my trusty BartPE disk and booted the computer using that.  Once I was in the Bart environment, I fired up regedit.exe.  When regedit comes up, you're looking at the registry for the Bart environment, not the registry on the hard drive.  To edit the hard drives registry, you have to import a hive and point it at the hard drives registry file.  The registry entry for the GINA is in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.  So in regedit, I selected the HKEY_USER folder and clicked File -> Load Hive.  Then I pointed regedit to the file c:\windows\system32\config\software.  That file is the HKLM\Software tree of the registry.  It asked me to give that a name, and of course I chose BlackFist.

So then I navigated to HKEY_User\BlackFist\Microsoft\Windows NT\CurrentVersion\Winlogon and sure enough, the value of the GinaDLL entry was osdgina.dll.  I changed this back to msgina.dll and rebooted.  

Success.  I hope this helps if there is anyone else out there that is using Microsoft System Center to image their computers and install Pointsec.  I know that I can't be the only one.

9 comments:

adcs said...

I have also run into this problem...I was able to resolve using XP Fix Logon by Doug Knox. It will restore the correct GINA if it is incorrect, and it will run in Safe-Mode...

carl said...

here is the complete answer to the gina issue -

I hope you find this useful :-)

2. SSO/GINA
SYMPTOMS: Either you will notice that SSO simply does not work or you will get a GINA related error at the windows login.
CAUSE: Possible causes can stem from incompatibility of a third party GINA or invalid registry entries that need to be corrected.
RESOLUTION: (Start at Section 1 for SSO issues and start at Section 2 for GINA/SSO issues)
Section A
1.) When troubleshooting SSO issues your first place to look is in the C:\program files\pointsec\pointsec for pc\sso folder.
Whenever SSO is successfully established there will be a .dat file created here that contains the windows username and password that will be attached for SSO to a Pointsec preboot account.
If there is a .dat file there then delete it to re establish SSO. If there is no .dat file then continue to the next step.
2.) Check and verify that the user has a checkbox in the preboot checked for SSO this will verify the user has SSO permissions enabled. If there are still issues please continue to the GINA troubleshooting below.
Section B
1.) When troubleshooting GINA issues your first place to look is in the registry.
There are three main keys in the registry that you will need to check.
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC "GinaOrder ="
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC "PrevGina ="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Win Logon "Ginadll ="

In a typical setup with no third party GINA's you would want the registry keys to look like the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC "GinaOrder =pssogina.dll,msgina.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC "PrevGina =msgina.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Win Logon "Ginadll =pssogina.dll"

This is a typical setup using Novell as the third party GINA:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC "GinaOrder =pssogina.dll,nwgina.dll,msgina.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC "PrevGina =nwgina.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Win Logon "Ginadll =pssogina.dll"

2.) You may run into instances where setting the registry keys to the proper values will still not resolve your SSO problems. You can add a registry key to the following area of the registry to help resolve the issue:
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC
Once here create a new string value called CompatibleGinas then for the value add your GINA.dll file.
The GINA vrlogin.dll would be one example of a GINA that needs to be added as compatible GINA's. This GINA is used by Lenovo's for fingerprint reader support.

3.) There are also known instances where you may have a 3rd party GINA installed or left from an uninstall that is not needed. You may try to delete this GINA out of the registry keys but after you reboot it will add back in. An easy fix for this is to set the registry keys the way you need them then change the following keys value to 4.
HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC "UpdateSSO =4"
This will block any automatic modification to your GINA registry keys.

4.) There have been known instances where changing the following registry key to your 3rd party GINA can resolve the issue.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Win Logon "Ginadll ="

Anonymous said...

Did exactly what you said and htis worked for me. Cheers!

Summer said...

Hi, your solution works for me too, thanks carl!

You're a life saver :)

Anonymous said...

Thank you so much for taking the time to post this. Keep up the good work!

Anonymous said...

This worked for me too.

Thanks

srinivasulu said...

Excellent... This worked like a charm, Thanks.

Jay said...

Awesome bro! Thanks a lot! This worked perfectly!

I had the problem right after I uninstalled Checkpoint FDE for a user.

Oh, and I was able to boot into safemode and just do normal regedit. I didn't have to use a bartpe disk.

Thanks again!

alan said...

I have similar error. But these solutions do not work for me.
I cannot get to regedit.

1.Cannot log into safe mode, same error comes up.
2.Boot from PartPE or DMU cd will get BSOD.

Any other remedy, anyone?

alan