John Karr on 10 Jan 2010 13:48:10 -0800
If the hardware is still good, why not just reinstall the OS? By the way, when dealing with a badly infected computer that is what I recommend over attempting a repair.

-----Original Message-----
From: plug-bounces@lists.phillylinux.org [mailto:plug-bounces@lists.phillylinux.org] On Behalf Of JP Vossen
Sent: Sunday, January 10, 2010 4:30 PM
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Edit Windows Registry from Linux LiveCD?

I will preface this by saying my cousin gave up and is going to BestBuy to see what they say or maybe to just replace the PC... :-( (Sigh, I know, but not my call...)

Having said that, I think this is still a useful thread, and I wanted to address a number of points.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Date: Sat, 09 Jan 2010 20:52:30 -0500
> From: "Brian Vagnoni" <bvagnoni@v-system.net>
>
> What windows affliction do they have?

Windows XP, and as Art notes it is, in fact, installed on the hard drive. Unfortunately. :-) All they do is email and web, so they are perfect candidates for Ubuntu, which I will demo next time I'm in S. Jersey.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Date: Sat, 9 Jan 2010 21:31:19 -0500
> From: James Barrett <jadoba@jadoba.net>
--and--
> From: "brent timothy saner" <brent.saner@gmail.com>
>
> "chntpw", a GPL, linux-based utility:
> http://pogostick.net/~pnh/ntpasswd/

I've used the bootable versions of that to blank passwords (changing them has never worked for me) several times over the years, but I'd forgotten it was also an editor of sorts, and I hadn't known it was in the repos. Nice!

Just tried it in a VM. It's in Universe, which is not in the stock /etc/apt/sources.list. NBD.

    chntpw -e /mnt/WINDOWS/system32/config/software
    cd Microsoft\Windows\CurrentVersion\Run
    ls

works. Looks like it'd be clunky, and there is no command history, but I could work with it. There is an "rdel <keyname>" (recursive del) command. Scriptable as follows.
Interesting, this did not work as it complained that the key didn't exist, but it did since I'd just created it:

    echo -e "rdel Microsoft\\Windows\\CurrentVersion\\Run\\JP1\nq\ny\n" \
      | chntpw -e /mnt/WINDOWS/system32/config/software

But this did work but shouldn't have, since I also created a value inside JP1:

    echo -e "dk Microsoft\\Windows\\CurrentVersion\\Run\\JP1\nq\ny\n" \
      | chntpw -e /mnt/WINDOWS/system32/config/software

Pretty cool anyway.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Date: Sun, 10 Jan 2010 09:37:14 -0500
> From: Steven Phillips <stevenclphillips@gmail.com>
>
> I've cleaned out about 6 or 8 boxes with this crap on it in recent
> weeks.

How? Are you using a LiveCD of some sort? Because as noted elsewhere I can't get it to allow me to run anything.

> What you need to do is clean out every temporary folder in
> every user account, and all the contents of the temporary folders in
> the windows folder. Empty the prefetch folder too.

I have a batch file that does temp files, but it hard-codes the user names IIRC and won't work under Ubuntu. But that's easy enough to do in bash. Easier actually, as for;do;done is a real PITA in batch, which is why I just hardcoded mine.

    # UNTESTED, and will generate errors for missing stuff
    # (the '*' has to sit outside the double quotes, or the shell passes it
    # literally and removes nothing; $user holds the full profile path)
    CDRIVE='/mnt'
    WINDOWS="$CDRIVE/WINDOWS"
    SETTINGS="$CDRIVE/Documents and Settings"
    rm -rf "$CDRIVE/temp"/*
    rm -rf "$WINDOWS/temp"/*
    rm -rf "$WINDOWS/prefetch"/*
    for user in "$SETTINGS"/*; do
        rm -rf "$user/Local Settings/Temp"/*
        rm -rf "$user/Local Settings/Temporary Internet Files"/*
    done

Did I miss anything?

> Check the hosts
> file, because some variants will write an entry to a malevolent dns
> server for all the popular search engines.

Yup, we tried to do that, that's how I found out that Notepad won't work. Start, Run, cmd won't work either, BTW. I didn't try TaskMangler, File, New Task, but I suspect that won't work either.

> Look for av2009 also.
Did Google for something similar since I was aware that it had previously been called that, but I didn't find anything better than the 2010 ones.

> Copy and paste everything into the editor between the x's making
> regedit4 the top line.
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> REGEDIT4
> [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[...]

Am I to assume that the leading '-' deletes the regkey? If so, that is really cool! I've been creating *.reg files since the mid-1990s and I never knew that! (OTOH, did you know that regedit /s \some\regfile.reg will do a *S*ilent import?)

> If you can keep it from loading from all the temp folders, you can
> clean it up fairly easily, it's just time consuming.

Yup, that's the trick.

> http://www.computing.net/answers/security/google-redirect-antivirus-2009/24977.html

Interesting.

> http://www.2-spyware.com/remove-antivirus-2009.html

Yeah, that's the one I've been working from.

> Download and install Malwarebytes Anti Malware from cnet.

I would, but as I mentioned it won't let me run *anything*, so I doubt it'll let me run that, even if I could download it from that infected machine, which I can't.

> download and install Windows Defender from Uncle Winkie's website
> (M$), not because I have any confidence in its efficiency, but
> because it offers an easy way to delete programs from starting up.
> Much better than using msconfig.

Same issues as above. I was planning on giving him StartupCPL (Google for it), which is much more simple and less scary than the better SysInternals AutoRuns.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Date: Sun, 10 Jan 2010 09:02:36 -0800 (PST)
> From: Edmond Rodriguez <erodrig_97@yahoo.com>
>
> I have helped with removing malware on a few machines.
> It seemed to
> me that once the executable was removed, the registry did not matter
> so much, though it did need to be cleaned up.
[...]
> So what is the danger if any, of using Linux to remove the
> executables, then trying to reboot windows, and if it boots, using
> the Windows tools to clean up the registry.

That was the original plan. I just figured two things. First, if it was easy to do from Linux, I could do it myself rather than trying to talk him through regedit over the phone. Second, if I missed any exes, but cleaned the registry so they never ran...

> Getting a remote connection though is another matter, and very
> complicated (windows remote desktop assistance) for anyone not
> computer savvy (the person being helped has to set permission to
> allow remote connections, then all this invitation stuff, have to use
> MSN messenger or attach invitations to email).

Not if I am doing it via SSH command line from the Ubuntu Live CD. He types "sudo aptitude install openssh-server && ifconfig" into a terminal window and he's done. (I find it a hell of a lot easier to tell someone what to type than to try to describe GUI operations over the phone.)

> BTW, how does one deal with the port mapping of the router of a
> person you are trying to help (when using something like ssh)? I
> guess there are some software tools, that maybe use STUN server (I
> think that is the right word) like technology to punch through
> routers. Is there such software that one can install and run to
> punch through a non port mapped router for using ssh? Or that person
> connects to you and opens a terminal for you on your machine (but you
> have to explain how to do that).

Good point. I'm not sure they have a firewall or anything. I was going to have him plug the PC directly into his Comcast cable modem, which should work. If not, then it gets sticky.
I had half-formed thoughts of having him SSH into one of my servers, and then just doing SSH port forwarding to allow me to tunnel back to his side. There are other ways to do it too, Google "reverse shell".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Date: Sun, 10 Jan 2010 12:54:02 -0500
> From: "Arthur S. Alexion" <arthur@alexion.com>
>
> some of these nasty extortion-ware programs keep hidden re-install
> instructions in the registry so that removing the executable only
> solves the problem until the next boot and auto reinstall.

I haven't read that this one does, but yeah, that was in the back of my mind.

Thanks again to everyone!
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
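The two offline steps Steven Phillips recommends in the quoted thread (empty every temp and prefetch folder, then inspect the hosts file for search-engine redirects) as one script run from the Linux LiveCD. This is an added example, not code from the thread or from chntpw; it assumes the XP volume is mounted read/write at the directory passed as the first argument (for instance /mnt), that the hosts file lives at WINDOWS/system32/drivers/etc/hosts below that mount, and it uses a hand-picked list of search-engine names, so extend the case pattern for whatever the malware you are chasing actually hijacks. Unlike the quoted rm -rf "$dir/*" form, which passes the '*' literally inside the quotes and deletes nothing, it uses find so that profile names with spaces ("JP Vossen") and the directory casing on an ntfs-3g mount are handled.

```shell
#!/bin/sh
# Added example, not from the thread: offline cleanup pass over a Windows XP
# volume mounted from a Linux LiveCD, plus a hosts-file hijack check.
# Assumption: the NTFS volume is mounted read/write at $1, e.g. /mnt after
# "ntfs-3g /dev/sda1 /mnt". Names use the casing XP writes to disk, since an
# ntfs-3g mount is case-sensitive from the Linux side.

# Delete the contents of a directory but keep the directory itself.
# find avoids the quoting trap in rm -rf "$dir/*", where the quoted '*'
# is passed literally and nothing is removed.
empty_dir() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 -exec rm -rf {} + 2>/dev/null
    return 0
}

# Empty the machine-wide and per-profile temp folders of an XP install.
clean_windows_temps() {
    cdrive=$1
    windows="$cdrive/WINDOWS"
    settings="$cdrive/Documents and Settings"

    empty_dir "$cdrive/temp"
    empty_dir "$windows/Temp"
    empty_dir "$windows/Prefetch"

    [ -d "$settings" ] || return 0
    # One iteration per profile directory; $profile is the full path, so a
    # user name containing spaces survives because every use is quoted.
    find "$settings" -mindepth 1 -maxdepth 1 -type d | while IFS= read -r profile; do
        empty_dir "$profile/Local Settings/Temp"
        empty_dir "$profile/Local Settings/Temporary Internet Files"
    done
}

# Scan a Windows hosts file for popular search engines mapped to anything
# other than loopback or the 0.0.0.0 block address. Prints each suspicious
# mapping; returns 1 if any were found, 0 otherwise.
check_hosts() {
    hosts=$1
    [ -f "$hosts" ] || return 0
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop trailing comments
        line=$(printf '%s' "$line" | tr -d '\r')  # tolerate CRLF line endings
        set -- $line                              # split into address + names
        [ $# -ge 2 ] || continue
        ip=$1
        shift
        case "$ip" in
            127.*|::1|0.0.0.0) continue ;;        # loopback / blackhole: benign
        esac
        for name in "$@"; do
            # Assumed list of targets; add whatever the variant redirects.
            case "$name" in
                *google.*|*bing.com|*yahoo.com|*live.com|*msn.com|*ask.com)
                    printf 'suspicious hosts entry: %s -> %s\n' "$name" "$ip"
                    found=1 ;;
            esac
        done
    done < "$hosts"
    return $found
}

# Usage: sh cleanxp.sh /mnt
if [ $# -ge 1 ] && [ -d "$1" ]; then
    clean_windows_temps "$1"
    check_hosts "$1/WINDOWS/system32/drivers/etc/hosts" \
        || echo "hosts file has entries that need manual review"
fi
```

Run it with the mount point as the only argument after mounting the XP partition read/write; it only reports hosts entries rather than rewriting them, so the fix-up (deleting the offending lines) stays a deliberate manual step on the hosts file in WINDOWS/system32/drivers/etc.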