Sign in with
Sign up | Sign in
Your question

Editing Registry from Recovery Console

Last response: in Windows XP
Share
December 2, 2004 11:31:08 AM

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

Hello,

Whenever I logon into my system it goes thru the motions then immediately
logs me out - not allowing me to do anything. I'm pretty sure this is the
result of spyware and I need to edit my registry settings. I boot into the
recovery console, but none of the commands available after that allow me to
edit the registry.

Is there a way to edit the registry from the recovery console?

Thanks!
- Rob
Anonymous
December 2, 2004 10:55:06 PM

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

This sounds like it might be caused by the removal of the wsaupdater.exe.
A piece of spyware replaces the C:\Windows\system32\userinit.exe file with
a file called wsaupdater.exe. It then modifies the registry so that when
you logon the wsaupdater.exe file is executed. After removing the spyware,
(via Adaware, SpyBot S&D, or another spyware detection tool), the
wsaupdater.exe is removed, but the registry still points to it and tries to
execute it during login.

The best procedure to correct this is:

1. Boot into recovery console. More info can be found at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;307654

2. Navigate to the c:\windows\system32 folder and type (without the
quotes) "copy userinit.exe wsaupdater.exe". This will trick the system
into booting by copying the legitimate XP userinit.exe file to the
wsaupdater.exe file and allow the system to boot.

3. Reboot the system and logon.

4. Open regedit (from start->run type regedit)

5. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe

6. Next in Windows Explorer delete the c:\windows\system32\wsaupdater.exe
file.

At this point your system will be stable and allow you to logon
consistently. However, I would recommend following the guidlines in this
article
http://www.trendmicro.com/vinfo/virusencyclo/default5.a...
ND.A to ensure the system is completely cleaned up.

Best Regards,
Rob Hoffman, MCSE
Microsoft Enterprise Support Engineer
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| Thread-Topic: Editing Registry from Recovery Console
| thread-index: AcTYjFOuQbwteRJPR8+ZkwubtgTvzQ==
| X-WBNR-Posting-Host: 24.61.252.209
| From: =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com>
| Subject: Editing Registry from Recovery Console
| Date: Thu, 2 Dec 2004 08:31:08 -0800
| Lines: 12
| Message-ID: <F25422EC-E3A8-40F0-AE8F-D05429815F7B@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.windowsxp.configuration_manage
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: cpmsftngxa10.phx.gbl
microsoft.public.windowsxp.configuration_manage:30434
| X-Tomcat-NG: microsoft.public.windowsxp.configuration_manage
|
| Hello,
|
| Whenever I logon into my system it goes thru the motions then immediately
| logs me out - not allowing me to do anything. I'm pretty sure this is the
| result of spyware and I need to edit my registry settings. I boot into
the
| recovery console, but none of the commands available after that allow me
to
| edit the registry.
|
| Is there a way to edit the registry from the recovery console?
|
| Thanks!
| - Rob
|
Anonymous
November 22, 2008 10:29:33 AM

I got into recovery console and followed the instructions copy userinit.exe wsaupdater.exe, but I still cannot log on, in any mode - normal or safe. Any further advice?
Related resources
August 18, 2009 1:23:09 PM

I had this same problem and it sounds like the common solution is to copy a new userinit.exe file to wsaupdater.exe. In my case, the registry key for userinit.exe was not pointing to wsaupdater.exe, it was pointing somewhere else entirely. The only way I was able to log in again was to edit the registry as mentioned in an earlier post.

Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe

In order to edit this, I downloaded and created a BartPE boot disk (http://www.nu2.nu/pebuilder/). Once the boot CD is created, boot the affected machine from the CD and follow these steps.

1. Click the icon in the lower left corner and select Run
2. Type Regedit.exe
3. Highlight HKEY_USERS
4. Click the File menu and select Load Hive
5. Navigate to %SystemRoot%\System32\Config\Software
6. Name the hive something like MyHive
7. Open MyHive and navigate to Microsoft\WindowsNT\CurrentVersion\Winlogon and modify the value of Userinit to C:\WINDOWS\system32\userinit.exe
8. After you have made this change, it is important to unload the hive
9. Highlight the MyHive, click on the file menu, and select unload hive.

This should fix your log on problems.
September 9, 2009 1:44:09 AM

Anonmous said:
I had this same problem and it sounds like the common solution is to copy a new userinit.exe file to wsaupdater.exe. In my case, the registry key for userinit.exe was not pointing to wsaupdater.exe, it was pointing somewhere else entirely. The only way I was able to log in again was to edit the registry as mentioned in an earlier post.

Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe

In order to edit this, I downloaded and created a BartPE boot disk (http://www.nu2.nu/pebuilder/). Once the boot CD is created, boot the affected machine from the CD and follow these steps.

1. Click the icon in the lower left corner and select Run
2. Type Regedit.exe
3. Highlight HKEY_USERS
4. Click the File menu and select Load Hive
5. Navigate to %SystemRoot%\System32\Config\Software
6. Name the hive something like MyHive
7. Open MyHive and navigate to Microsoft\WindowsNT\CurrentVersion\Winlogon and modify the value of Userinit to C:\WINDOWS\system32\userinit.exe
8. After you have made this change, it is important to unload the hive
9. Highlight the MyHive, click on the file menu, and select unload hive.

This should fix your log on problems.

Thanks! I had accidentally removed Userinit from registry which prevented me from login, and thanks to your instructions, I was able to fix it.
March 16, 2010 3:22:44 PM

I am getting an Access is Denied error when trying to load the Hive! please help
!