Monday, December 4, 2006

Enable the Registry Editor

Sometimes my machine gets infected by a virus. Almost every virus changes many registry entries and disables the Windows Registry Editor (Regedt32.exe and Regedit.exe) so that I cannot change them back. Of course, that is not a problem if you have some other tool to edit the Windows registry, but I don't have such a tool. Creating a .reg file and importing it into the registry often does not help either, because Windows can be configured to deny running the registry editor in silent mode as well. Trying to enable the registry editor through Group Policy (gpedit.msc) may not help either, and even Group Policy itself can be disabled. Plus, not everyone knows how to write a .reg file or use Group Policy. That is why I wrote a small C# tool to enable the registry editor. Its source code looks like this:

using Microsoft.Win32;

// The per-user policy key where the "DisableRegistryTools" value lives.
string path = @"Software\Microsoft\Windows\CurrentVersion\Policies\System";

// Open the key writable (second argument true) so the value can be removed.
using (RegistryKey key = Registry.CurrentUser.OpenSubKey(path, true))
{
  if (key != null)
  {
    object o = key.GetValue("DisableRegistryTools");
    if (o != null)
    {
      // Second argument false: do not throw if the value has already gone.
      key.DeleteValue("DisableRegistryTools", false);
    }
  }
}

The snippet above deletes the "DisableRegistryTools" value. Note that you can achieve the same result by setting the value to 0, which is the default when the entry is absent. "DisableRegistryTools" is a DWORD that can take one of the following values:

  0   Default. Registry Editor can be started either in interactive mode or in silent mode.
  1   Registry Editor can only be started in silent mode. You can still import an .reg file.
  2   Registry Editor cannot be started at all.

Some viruses also add a "DisableRegistryTools" entry under HKEY_USERS\.DEFAULT, so I should delete that one as well:

// Same check against the .DEFAULT profile under HKEY_USERS; writing there
// normally requires administrator rights. "path" is the subkey defined above.
using (RegistryKey key = Registry.Users.OpenSubKey(@".DEFAULT\" + path, true))
{
  if (key != null)
  {
    object o = key.GetValue("DisableRegistryTools");
    if (o != null)
    {
      key.DeleteValue("DisableRegistryTools", false);
    }
  }
}

You may want to start the registry editor right after enabling it:

System.Diagnostics.Process.Start("regedit.exe");

Note that you should first kill every malware process, or it will re-disable the tool very soon. Many viruses disable the Windows Task Manager and/or automatically restart the computer when you open it. In that case you may need a third-party tool, like Process Explorer, to identify and kill the malicious processes. However, I also included this functionality in my tool. Just drag a list box (lstProcess) and a button (btnKill) onto the form:

using System.Diagnostics;
using System.Windows.Forms;

private void Form1_Load(object sender, System.EventArgs e)
{
  // Fill the list with every running process; the list box shows each
  // Process object's ToString(), which includes the process name.
  lstProcess.Items.AddRange(Process.GetProcesses());
}

private void btnKill_Click(object sender, System.EventArgs e)
{
  Process selectedProcess = lstProcess.SelectedItem as Process;
  if (selectedProcess == null) return; // no item selected

  // MainModule throws for processes we are not allowed to open (for example
  // system processes), so fall back to the bare process name in that case.
  string exePath;
  try
  {
    exePath = selectedProcess.MainModule.FileName;
  }
  catch (System.ComponentModel.Win32Exception)
  {
    exePath = selectedProcess.ProcessName;
  }

  if (DialogResult.OK ==
    MessageBox.Show("Kill: " + exePath, "Confirm kill", MessageBoxButtons.OKCancel))
  {
    selectedProcess.Kill();
  }
}

After starting the registry editor, check all programs that run automatically when Windows starts, and delete the malicious entries together with their files on disk. Some versions of Windows include a good tool for this purpose (msconfig.exe), but some malware may still escape it, so you had better check the registry as well (see Run and RunOnce Registry Keys for where to look). Then check for and delete malicious scheduled tasks. Also check the Windows services (run services.msc). Here are some other registry entries you should check:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
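Generalizing the snippet from the post to the whole list above, here is an added example (not the author's tool): a console program that audits these policy values in the same two hives the post cleans and deletes them only when started with --fix. It assumes .NET with C# 7 or later on Windows, and administrator rights when --fix is used.

```csharp
// Added example, not the post's own tool: audit the policy values listed in
// the post in the same two hives the post cleans, and delete them only when
// started with --fix. Writing to HKEY_USERS\.DEFAULT needs administrator rights.
using System;
using Microsoft.Win32;

static class PolicyAudit
{
    // (subkey under the hive, value name) pairs taken from the post.
    static readonly (string SubKey, string Name)[] UserPolicies =
    {
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableRegistryTools"),
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableTaskMgr"),
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableCMD"),
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"),
    };

    static void Main(string[] args)
    {
        bool fix = args.Length > 0 && args[0] == "--fix";   // default: report only
        Check(Registry.CurrentUser, "", fix);
        Check(Registry.Users, @".DEFAULT\", fix);

        // Winlogon\Shell is only reported: its normal content is "explorer.exe",
        // so anything else is worth a closer look, but do not edit it blindly.
        using (RegistryKey wl = Registry.LocalMachine.OpenSubKey(
            @"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"))
        {
            Console.WriteLine("HKLM Winlogon\\Shell = " + (wl?.GetValue("Shell") ?? "<missing>"));
        }
    }

    static void Check(RegistryKey hive, string prefix, bool fix)
    {
        foreach (var (subKey, name) in UserPolicies)
        {
            // Open writable only in fix mode so a plain audit works without admin rights.
            using (RegistryKey key = hive.OpenSubKey(prefix + subKey, writable: fix))
            {
                object value = key?.GetValue(name);
                // 0 (or absent) is the default; any other value restricts the user.
                if (value == null || (value is int v && v == 0)) continue;
                Console.WriteLine($"{hive.Name}\\{prefix}{subKey}\\{name} = {value} (restricted)");
                if (fix) key.DeleteValue(name, throwOnMissingValue: false);
            }
        }
    }
}
```

Run it once without arguments to see what is set, and again with --fix from an elevated prompt to remove the restrictions.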

Believe it or not, I have cleaned many viruses off my PC with just my tool and Windows' search function, looking for recently created files, which are likely to be the malware's.

4 comments:

tnd said...

Hey anh Thi, how have you been?

Should you rename this blog "title" to "A glass of wine" ?

sre94 said...

Repairing your registry on your own is very tricky. Even the most advanced users usually stay away from it, since one bad move can do serious harm.

The other alternative is to use a registry cleaner. You can get a review of the top programs here: www.registryrepaironline.com

Anonymous said...

Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!

Anonymous said...

Amiable dispatch, and this mail helped me a lot in my college assignment. Thank you for your information.