Need a way to edit a registry without REGEDIT...

LoneWolf

Hey all,

I have a machine of someone else's that's been badly compromised by malware and trojans. I have managed to clean the vast majority of the mess up, however, even in Safe Mode, I cannot run REGEDIT or open a command prompt: if I try to do these two things using the Run command, they start to process, and then terminate. I'm sure the registry has been modified to prevent this.

The Command Prompt stuff I can take care of with a BartPE CD. What I now need is a third-party registry-editing program, or a way to edit the registry of the local system while booted off the BartPE CD, so that I can discover what is wrong and fix it. Any suggestions would be helpful.
 
Run regedit on the local hard drive from the Bart PE disc. Or download UBCD4WIN and run it from the local hard drive through that.
 
BartPE has regedit. You just load the hives offline. I'm assuming they disabled the global policy to run regedit locally.

This posting is provided "AS IS" with no warranties, and confers no rights.
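The offline-hive approach described above, as an added example (not from the thread): load the SOFTWARE hive and each profile's NTUSER.DAT from the infected volume, look for the two policy values that block regedit and cmd, and remove them. It assumes the infected volume is mounted as C: with Windows in C:\Windows and profiles under C:\Documents and Settings (XP layout; C:\Users on Vista and later); those paths, and the mount names, are assumptions. The work is done by reg.exe, so the same commands run from a plain cmd prompt on a BartPE/WinPE disc.

```powershell
# Added example (not from the thread): clear the policy values that disable
# regedit and cmd from hives loaded offline under WinPE. Assumptions: the
# infected system volume is mounted as C:, the Windows directory is C:\Windows,
# and profiles live under C:\Documents and Settings (XP layout; C:\Users on
# Vista and later). Run from an elevated PowerShell; reg.exe does the work.

$systemRoot  = 'C:\Windows'
$profileRoot = 'C:\Documents and Settings'

# Policy values malware sets to 1 (REG_DWORD) to block the tools. Paths are
# relative to the hive root: under a user hive (NTUSER.DAT) they sit below
# "Software\", under the machine SOFTWARE hive they are at the root.
$policyValues = @(
    @{ Sub = 'Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Sub = 'Policies\Microsoft\Windows\System';               Name = 'DisableCMD' }
)

function Clear-OfflinePolicy {
    param(
        [Parameter(Mandatory)][string]$HiveFile,   # hive file on the offline volume
        [Parameter(Mandatory)][string]$MountName,  # temporary subkey name under HKLM
        [string]$Prefix = ''                        # 'Software\' for NTUSER.DAT hives
    )
    $mount = "HKLM\$MountName"
    & reg.exe load $mount $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $HiveFile"; return }
    try {
        foreach ($p in $policyValues) {
            $key = "$mount\$Prefix$($p.Sub)"
            # reg query exits non-zero when the key or value is absent: that is the clean state
            $out = & reg.exe query $key /v $p.Name 2>$null
            if ($LASTEXITCODE -eq 0) {
                $line = ($out | Select-String $p.Name | Select-Object -First 1).Line.Trim()
                Write-Host "$HiveFile : $($p.Name) present -> $line"
                & reg.exe delete $key /v $p.Name /f | Out-Null
            }
        }
    }
    finally {
        # Always unload; a hive left mounted stays locked and the offline OS will not boot cleanly
        & reg.exe unload $mount | Out-Null
    }
}

# Machine-wide policy (the SOFTWARE hive backs HKLM\Software)
Clear-OfflinePolicy -HiveFile "$systemRoot\System32\config\software" -MountName 'OfflineSoftware'

# Per-user policy for every profile on the volume (each family member had their own)
Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $ntuser = Join-Path $_.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $ntuser) {
        $safeName = $_.Name -replace '[^A-Za-z0-9]', '_'
        Clear-OfflinePolicy -HiveFile $ntuser -MountName "Offline_$safeName" -Prefix 'Software\'
    }
}
```

The unload in the `finally` block matters: a hive that is still mounted when you reboot into the cleaned system is locked, and that user's profile (or the whole machine hive) will fail to load. If the script reports nothing present in any hive, the policy is not what is stopping the tools, and the next thing to check is the executables themselves.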
 

Hmm, I hadn't thought about that. If that's the case, maybe I can use GPEDIT to fix things.

Been running around so much with other people's issues lately, I didn't stop to look at it from that perspective. Thanks for the help! :)
 

QFT, this has always worked for me if it's a problem.

You ought to build yourself a general windows image and ghost when you come across stuff like this to save your time, pretty fast and easy when you have BartPE to let you take care of your backups etc.
 

The other thing you can try is running:
http://safety.live.com
and doing a scan from there. If the malware is still running, and known to disable regedit, the safety scanner will reset the global policy keys.

But again, I might be biased. ;)

 

As said before, this isn't my system. It's a client's.

Try and tell most of my clients that I'll have to reload their whole machine, and imagine the screams. Considering that I get paid either way, and I'm pretty darn good at removing crap from their systems, I'll only tell someone it can't be done if it truly can't be done, or if I think there's a rootkit that not even my rootkit utils can find. About half of them are fine once their system has been cleaned, have a good free AV app and antispyware installed, firewall configured and OS patched, and they get a bit of friendly advice on how to keep their system clean. The remaining half just have me clean their system once a year or so.

I don't even let these systems on my network unless I'm sure they're clean; I use a thumbdrive with my favorite utilities and a BartPE CD with a number of plugins to do the job (perhaps I'll consider firewalling a port on my router to allow limited access, net only, for these systems as well). While I've been too busy to yet, I'll be checking out this Registry Commander program tonight.
 
If it was that badly messed up, are you sure you don't want to grab the necessary data off it and wipe it?
 

Read my previous post. If it was my system, yes. Most average users don't have the faintest idea how to start from scratch, and can't even always tell you where they stored their files, or which data is the most important. In this particular case, I have a family with a few kids who aren't quite as smart as they think (each with their own separate user profile and settings), and a parent who understands how to turn the computer on, open Word, and search via Google, and that's it. Trying to explain to this person how to set up their e-mail again would take long enough that cleaning this up was easier, and as I said (no arrogance intended), I am pretty good at it, when equipped with the proper tools.

After a bit more digging, I was able to run REGEDT32. I found that odd, since REGEDIT wouldn't run. Didn't find anything unusual in the registry, so I went hunting through folders again, and found that the bug had implanted CMD.COM and REGEDIT.COM files (hidden attributes) in directories along the path. Any attempt to execute just "CMD" or just "REGEDIT" from a Run prompt would fail, because .COM files are always executed before .EXE by the OS. Deleted them, and now things are fine.
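The .COM-before-.EXE precedence described in the post above, as an added example (not from the thread): the script walks the search path the way cmd.exe does (each directory in order, and within a directory each PATHEXT extension in order, with .COM ahead of .EXE by default), reports which file a bare "cmd" or "regedit" actually resolves to, and flags a non-.EXE winner that shadows a real .EXE further down. It assumes a live Windows session with PowerShell; the example directories for an offline volume (D:\Windows, D:\Windows\System32) and the list of tool names are assumptions.

```powershell
# Added example (not from the thread): reproduce how "cmd" or "regedit" typed
# without an extension is resolved, and flag the case where a planted .COM in
# an earlier slot wins over the real .EXE. Mirrors the cmd.exe rule: each PATH
# directory in order, and within a directory each PATHEXT extension in order
# (PATHEXT starts with .COM by default). Assumes a live Windows session; for an
# offline volume pass its directories, e.g. -Directories 'D:\Windows','D:\Windows\System32'.

function Get-CommandCandidates {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Directories = ($env:Path -split ';' | Where-Object { $_ }),
        [string[]]$Extensions  = ($env:PATHEXT -split ';' | Where-Object { $_ })
    )
    foreach ($dir in $Directories) {
        foreach ($ext in $Extensions) {
            $candidate = Join-Path $dir ($Name + $ext)
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                # -Force returns hidden/system files too (the attribute the planted .COM files carried)
                $item = Get-Item -LiteralPath $candidate -Force
                [pscustomobject]@{
                    Path   = $item.FullName
                    Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                    Bytes  = $item.Length
                }
            }
        }
    }
}

function Test-CommandHijack {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Directories = ($env:Path -split ';' | Where-Object { $_ }),
        [string[]]$Extensions  = ($env:PATHEXT -split ';' | Where-Object { $_ })
    )
    $candidates = @(Get-CommandCandidates -Name $Name -Directories $Directories -Extensions $Extensions)
    if ($candidates.Count -eq 0) { return $null }
    $winner = $candidates[0]   # first hit in search order is what actually runs
    [pscustomobject]@{
        Name       = $Name
        RunsFirst  = $winner.Path
        Hidden     = $winner.Hidden
        # a non-.exe winner with a second match behind it is the pattern from this thread
        Suspicious = ($winner.Path -notmatch '\.exe$') -and ($candidates.Count -gt 1)
        AllMatches = ($candidates | ForEach-Object { $_.Path }) -join '; '
    }
}

# Tools malware commonly blocks; extend the list as needed (assumed names)
'cmd', 'regedit', 'taskmgr', 'msconfig' | ForEach-Object { Test-CommandHijack -Name $_ } | Format-List
```

Two practical points follow from the search order. Typing the full name with its extension ("regedit.exe") skips the PATHEXT walk and sidesteps the planted .COM, which is a quick sanity check before digging through the registry. And if cmd itself is shadowed, run the scan from the PE disc against the offline volume with -Directories rather than from the infected machine's own shell.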
 

My psychic powers tell me you were infected with Win32/Alcan.
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32/Alcan

Please scan with either safety live which I posted above, or run mrt.exe, the malware removal tool from windows update.

 