RocketMan on 14/3/2009 at 21:59
I have some stupid virus that modifies the XP registry so that when I log in to my OS it instantly logs out. It happens in safe mode and everything. I need to access my XP registry to correct the problem but I can't get that far. My system is dual boot XP/Vista and when I use a boot disk the floppy boots prior to the OS selection so I can't access the XP registry by that method. I can get into Vista still but can't figure out how to access the XP registry from Vista. Does anyone know how to do this?
Regedit has some remote access feature but I don't have the privileges enabled on XP so my network machines won't let me in. The only way I can solve this problem IMO is to use Vista or to somehow boot to a prompt after the OS selection and before the XP splash screen. Please help!
Al_B on 14/3/2009 at 22:35
Assuming you can get to the XP partition just boot into Vista and load the system or user hive when in regedit. You need to make sure you have the HKEY_USERS or HKEY_LOCAL_MACHINE keys selected otherwise it won't allow you to load it.
You'll probably need to load the machine SOFTWARE hive from c:\windows\system32\config\software and your user hive from c:\documents and settings\<username>\ntuser.dat. You'll need to make sure you can see hidden files first, of course and the exact directories may vary depending on your XP setup.
RocketMan on 15/3/2009 at 18:06
Thanks Al_B for your reply. I understood about 75% of that as I've tried to do exactly what you're describing already, but I was shooting in the dark because I didn't have specific instructions. OK, so when I try to load the software hive it says "enter key". Is this the name of the key I'm trying to change? Are there not child directories within the registry below "software" that I'd have to specify before getting to the key I want to change? Also how does ntuser.dat come into this? Thanks.
Al_B on 15/3/2009 at 20:54
No - when it asks for you to enter a key name it's simply asking for where you want it to appear below HKEY_USERS or HKEY_LOCAL_MACHINE. In other words, if you loaded the ntuser.dat hive and entered 'Rocketman XP' at the prompt then the registry hive would appear as "HKEY_USERS\Rocketman XP" with all the keys and values in the hive below that.
To get to your 'Run' or 'Run Once' keys, you'd do the mapping and then go to HKEY_USERS\Rocketman XP\Software\Microsoft\Windows\CurrentVersion\Run (for example).
The 'software' hive under system32\config contains settings that apply to the machine as a whole (i.e. to every user). The ntuser.dat file contains settings that apply only to the specific logged in user. It's best to check them both.
RavynousHunter on 16/3/2009 at 01:12
Could it possibly be a kernel-level DLL injection virus? If so, there might not be any anomalies in the registry. I'd suggest you check your System32 folder and look for any anomalous DLLs. Also, check stuff like kernel32.dll and compare the Properties page with the copy of kernel32.dll on your WinXP CD; that might illuminate the situation somewhat.
RocketMan on 16/3/2009 at 01:55
Sounds like a plan. If this reg thing doesn't fix the problem I'll have a look at the kernel, although by that point I pretty much have no clue what I'm doing.
RocketMan on 16/3/2009 at 02:32
FFFFFFFFFFFFFFIXED!!!
Screwing around with the registry worked! I'm lucky because I have dual boot. For anyone who has this problem with a single OS, your only SIMPLE option is prevention. Also I'd recommend enabling remote access to your registry so that you can connect to it from a network computer and make the changes that way. Wasn't an option for me because my registry was locked from network access.
BTW the values you have to change are in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Change the following:
Shell: change the value to "explorer.exe"
Userinit: change the value to "c:\windows\system32\userinit.exe"
These should be blank if you were hit by the virus. The virus deletes this info so your computer doesn't know where to find the programs that load the user interface you see on your desktop. Without these the computer decides to log off, thus screwing you.
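The procedure Al_B describes (load the offline XP hive under a temporary name, then look at Winlogon and the Run keys) and the fix RocketMan posted, done from an elevated PowerShell prompt on the Vista side instead of by hand in regedit. This is an added example, not code from anyone in the thread. It assumes the XP partition is visible from Vista as D: and uses the mount name XP_SOFTWARE; both are assumptions, change them to match your setup. It uses reg.exe to load and unload the hive, which is the same thing regedit's "Load Hive" does. On a stock XP install the Userinit value ends with a trailing comma ("C:\WINDOWS\system32\userinit.exe,"); Windows accepts it with or without the comma, so the check below treats the two as equal, but anything else appended after the comma is exactly where this kind of malware chains itself in and is reported as a warning rather than silently overwritten.

```powershell
# Added example (not from the thread): check and repair Winlogon in an OFFLINE XP
# SOFTWARE hive from Vista. Run from an elevated PowerShell prompt.
# Assumptions: XP lives on D:\Windows; the hive is mounted as HKLM\XP_SOFTWARE.

$XpRoot    = 'D:\Windows'                                   # assumed XP install path
$HivePath  = Join-Path $XpRoot 'system32\config\software'   # machine-wide SOFTWARE hive
$MountName = 'XP_SOFTWARE'                                  # appears under HKEY_LOCAL_MACHINE
$Winlogon  = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
$RunKey    = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Run"

# Stock XP values. Userinit normally carries a trailing comma.
$Expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\WINDOWS\system32\userinit.exe,'
}

function Test-WinlogonValue {
    # Returns 'blank', 'ok' or 'suspicious' for one Winlogon value.
    param([string]$Name, [string]$Current)
    if ([string]::IsNullOrWhiteSpace($Current)) { return 'blank' }
    # Compare case-insensitively and ignore only a trailing comma.
    if ($Current.TrimEnd(',') -eq $Expected[$Name].TrimEnd(',')) { return 'ok' }
    return 'suspicious'
}

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed: wrong path, not elevated, or hive already in use"
}

try {
    $key = Get-ItemProperty -Path $Winlogon
    foreach ($name in $Expected.Keys) {
        $current = $key.$name
        switch (Test-WinlogonValue -Name $name -Current $current) {
            'blank' {
                # This is the symptom from the thread: blank Shell/Userinit means
                # winlogon has nothing to start, so the session logs straight out.
                Write-Host "$name is blank; restoring '$($Expected[$name])'"
                Set-ItemProperty -Path $Winlogon -Name $name `
                    -Value $Expected[$name] -Type String
            }
            'suspicious' {
                # e.g. "userinit.exe,C:\evil.exe": look before you overwrite.
                Write-Warning "$name is '$current' (expected '$($Expected[$name])')"
            }
            'ok' { Write-Host "$name OK: $current" }
        }
    }

    # Machine-wide autostart entries: a dropper usually leaves something here too.
    if (Test-Path $RunKey) {
        Write-Host "`nEntries in $RunKey :"
        Get-ItemProperty -Path $RunKey |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}
finally {
    # Drop PowerShell's handles on the mounted key, then unload so the changes
    # are written back to the hive file and XP can boot from it.
    [GC]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

The same pattern works for the per-user hive: point $HivePath at D:\Documents and Settings\<username>\ntuser.dat, mount it under HKU (reg.exe load HKU\XP_USER ...), and check HKU:\XP_USER\Software\Microsoft\Windows\CurrentVersion\Run. Always unload before rebooting into XP; a hive left mounted is a hive XP cannot open.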