Most modern malware has the bad habit of disabling basic system tools to prevent the user from cleaning the system. In the previous article I described how a malicious program can disable safe mode, but there are two targets that are much more common than safe mode: the task manager and the registry editor.
If you can't start the task manager, you can't kill the process of the offensive program. If you can't start the registry editor, you cannot edit the list of autorun programs and prevent the offensive program from starting the next time Windows boots.
These tools are disabled via the registry; the following key holds the values we need: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
The question is - how to edit the registry if the registry editor is disabled? ;-)
Windows comes with a command line tool called REG; you can alter the registry by passing command line arguments to this utility. Here's what has to be done to enable the task manager and the registry editor:
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
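The same repair, written as an added PowerShell example (it is not part of the original post): it first reports which of the lockout values are actually set, so you know what the malware changed, and only then resets them to 0, exactly as the REG commands above do. It goes slightly beyond the three commands by also checking DisableRegistryTools under HKLM, which the same policy key honours. It assumes an elevated PowerShell prompt, since writing under HKLM needs administrator rights.

```powershell
# Added example, not from the original post. Audits and resets the policy values
# that lock out Task Manager and the Registry Editor. Run from an elevated prompt.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolLockoutState {
    # One record per key/value pair: current data ($null if the value is absent)
    # and whether it currently disables the tool (data of 1).
    foreach ($key in $policyKeys) {
        foreach ($name in $valueNames) {
            $data = $null
            if (Test-Path $key) {
                $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $data = $item.$name }
            }
            [pscustomobject]@{ Key = $key; Name = $name; Data = $data; Disabled = ($data -eq 1) }
        }
    }
}

function Reset-ToolLockout {
    # Sets every value to 0. Creating a missing key and overwriting with -Force
    # mirrors what "REG add ... /f" does.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $valueNames) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# Report first, then fix only if something is actually set.
$before = Get-ToolLockoutState
$before | Format-Table -AutoSize
if ($before | Where-Object Disabled) {
    Reset-ToolLockout
    Write-Host 'Lockout values reset. State after the change:'
    Get-ToolLockoutState | Format-Table -AutoSize
} else {
    Write-Host 'No lockout values are set; nothing to change.'
}
```

If the values come back to 1 a few seconds later or after the next reboot, the malicious process is still running or still in the autorun list, and the registry edit alone is not enough; the "before" report is worth keeping as a record of what was changed on the machine.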
Armed with this knowledge, you're one step closer to not re-installing Windows each time something goes wrong, because most problems can be fixed with minimal effort.
Great info. If a virus has done some damage, this comes in handy and will be used.
Comment from: Max [Visitor]
Very useful info