Editing Registry from Recovery Console

Archived from groups: microsoft.public.windowsxp.configuration_manage

Hello,

Whenever I log on to my system it goes through the motions, then immediately
logs me out, not allowing me to do anything. I'm pretty sure this is the
result of spyware and I need to edit my registry settings. I boot into the
recovery console, but none of the commands available after that allow me to
edit the registry.

Is there a way to edit the registry from the recovery console?

Thanks!
- Rob
  1. This sounds like it might be caused by the removal of wsaupdater.exe.
    A piece of spyware replaces the C:\Windows\system32\userinit.exe file with
    a file called wsaupdater.exe. It then modifies the registry so that when
    you log on, the wsaupdater.exe file is executed. After removing the spyware
    (via Adaware, SpyBot S&D, or another spyware detection tool), the
    wsaupdater.exe file is removed, but the registry still points to it and tries to
    execute it during login.

    The best procedure to correct this is:

    1. Boot into recovery console. More info can be found at
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;307654

    2. Navigate to the c:\windows\system32 folder and type (without the
    quotes) "copy userinit.exe wsaupdater.exe". This will trick the system
    into booting by copying the legitimate XP userinit.exe file to the
    wsaupdater.exe file and allow the system to boot.

    3. Reboot the system and logon.

    4. Open regedit (from Start -> Run, type regedit).

    5. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon and modify the value of Userinit to
    C:\WINDOWS\system32\userinit.exe

    6. Next in Windows Explorer delete the c:\windows\system32\wsaupdater.exe
    file.

    At this point your system will be stable and allow you to log on
    consistently. However, I would recommend following the guidelines in this
    article to ensure the system is completely cleaned up:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BLAZEFIND.A

    Best Regards,
    Rob Hoffman, MCSE
    Microsoft Enterprise Support Engineer
    Get Secure! - www.microsoft.com/security


  2. I got into the recovery console and followed the instructions (copy userinit.exe wsaupdater.exe), but I still cannot log on in any mode, normal or safe. Any further advice?
  3. I had this same problem and it sounds like the common solution is to copy a new userinit.exe file to wsaupdater.exe. In my case, the registry key for userinit.exe was not pointing to wsaupdater.exe, it was pointing somewhere else entirely. The only way I was able to log in again was to edit the registry as mentioned in an earlier post.

    Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon and modify the value of Userinit to
    C:\WINDOWS\system32\userinit.exe

    In order to edit this, I downloaded and created a BartPE boot disk (http://www.nu2.nu/pebuilder/). Once the boot CD is created, boot the affected machine from the CD and follow these steps.

    1. Click the icon in the lower left corner and select Run
    2. Type Regedit.exe
    3. Highlight HKEY_USERS
    4. Click the File menu and select Load Hive
    5. Navigate to %SystemRoot%\System32\Config\Software
    6. Name the hive something like MyHive
    7. Open MyHive and navigate to Microsoft\Windows NT\CurrentVersion\Winlogon and modify the value of Userinit to C:\WINDOWS\system32\userinit.exe
    8. After you have made this change, it is important to unload the hive.
    9. Highlight MyHive, click on the File menu, and select Unload Hive.

    This should fix your log on problems.
  4. Anonymous said: (quoting answer 3 above in full)

    Thanks! I had accidentally removed Userinit from the registry, which prevented me from logging in, and thanks to your instructions I was able to fix it.
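A defender-side check for the value the answers above repair, added here as an example and not code from the thread or from Microsoft: it parses a regedit .reg export of the Winlogon key and classifies Userinit as the stock path, absent (the case in answer 4), or redirected to wsaupdater.exe or anywhere else (answers 1 and 3). It assumes the Windows XP default path C:\WINDOWS\system32\userinit.exe (regedit shows it with a trailing comma on a stock install, which is accepted) and uses a constructed sample export.

```python
"""Sanity check for the Winlogon Userinit value in a regedit .reg export."""
import re

# Stock Windows XP path; the trailing comma regedit shows on a clean system is accepted.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
WINLOGON_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon").lower()

def parse_reg_export(text):
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}, case-folded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]*)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1).lower()] = data
    return keys

def check_userinit(reg_text):
    """Classify the Userinit value as ok / missing / tampered / no-key."""
    winlogon = parse_reg_export(reg_text).get(WINLOGON_KEY)
    if winlogon is None:
        return "no-key", "Winlogon key not found in export"
    data = winlogon.get("userinit")
    if data is None:
        # The value was deleted (answer 4), so no shell is ever started after logon.
        return "missing", "Userinit value absent"
    if data.strip().rstrip(",").lower() == EXPECTED_USERINIT:
        return "ok", data
    # Answers 1 and 3: the value points at wsaupdater.exe or somewhere else entirely.
    return "tampered", f"Userinit is {data!r}, expected {EXPECTED_USERINIT}"

# Constructed sample export resembling the infection described in the thread.
SAMPLE_TAMPERED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\wsaupdater.exe"
'''
SAMPLE_OK = SAMPLE_TAMPERED.replace("wsaupdater.exe", "userinit.exe,")
SAMPLE_MISSING = SAMPLE_TAMPERED.replace('"Userinit"', '"NotUserinit"')

if __name__ == "__main__":
    for label, sample in [("tampered", SAMPLE_TAMPERED), ("ok", SAMPLE_OK),
                          ("missing", SAMPLE_MISSING)]:
        print(label, check_userinit(sample))
```

The export can come from regedit's File > Export on the live Winlogon key, or from the hive loaded under HKEY_USERS as in answer 3; regedit writes exports as UTF-16, so open the file with encoding="utf-16" before passing its text in.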
  5. I am getting an "Access is Denied" error when trying to load the hive! Please help.