Script to modify ntuser.dat

I need a script to modify keys and values in user profile registry hives (ntuser.dat). I need the script to modify the hive directly from the profile. I can not use a login script that modifies HKCU because the keys I need to get rid of are virus / malware components and if the users log in they will re-infect the computers.
LVL 4
jcurrieAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jcurrieAuthor Commented:
Oh I forgot. I prefer JScript but VB script will do as well.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
This may help - but I don't think it's scriptable.
http://support.microsoft.com/kb/146050/EN-US/
0
jcurrieAuthor Commented:
Thank you for the quick response leew. I could load the registry hives into regedit (as described in the article). However, this would be unreasonably time consuming to perform on all my user accounts.

I need to check all existing profiles (about 150 accounts) for the existance of a specific registry key and delete it if it exists.
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Lee W, MVPTechnology and Business Process AdvisorCommented:
What might be easier is if you determine what file the virus/spyware/adware is looking for and remove that.  This way the user can log in then you can use tools like REG.EXE to get rid of the registry lines you don't want.  What line(s) are you looking for?
0
jcurrieAuthor Commented:
I've found several of the components of this virus and cleaned the computers. However, there are also components in the user profile which I am not able to pinpoint. The registry key in the user profile that I am concearned about is:
HKCU\..\Run: [Windows Media Player] msass43.exe

Unfortionatly msass43.exe is nowhere to be found, but the system has no problem launching the service when it is called. I have spoken to Symantec and we are working on a definition. In the meantime I would like to scan all my user profiles to ensure that I don't have any users with this key that will re-infect any systems when they log in. I have removed the local files that I can find and the HKLM keys. This has removed the symptoms of the virus, but if a user logs in and starts msass43.exe the virus will re-infect. The horrible thing is that this thing seems to infect all computers on the LAN very quickly once one is infected.

0
Lee W, MVPTechnology and Business Process AdvisorCommented:
Nearly 3 weeks old this virus is. And Symantec seems to have known about it for a while, if this post is to be believed.
http://isc.sans.org/diary.php?date=2004-11-07

I'd pull a machine off the network, boot up and hack around.  Look for hidden files, run silentrunners - www.silentrunners.org - and go through all items that start when the system does.
0
jcurrieAuthor Commented:
I've seen that post and I beleive ot tp be refering to two seperate viruses. I spoke to a Symantec Corporate Antivirus technician yesterday and sent the virus files I had related to this, and they did not have it in their database.
0
jcurrieAuthor Commented:
In any case. I have got the virus under control at this point. What I am really interested in is a script that will allow me to query and modify user registry hives directly from ntuser.dat
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
I don't think such a scriptable method exists.  Good luck in finding it.
0
oBdACommented:
Are you talking about local or roaming profiles?
0
jcurrieAuthor Commented:
roaming profiles
0
oBdACommented:
Try it with this script. It uses reg.exe, which comes by default in XP, and is included in the Support Tools for W2k.
Adjust the path to the root of your roaming profile folders at the beginning (can be a UNC path as well), and set the registry key and value to delete.
The test is currently in test mode, it will only display the delete command that would be executed otherwise.
The script loads the ntuser.dat in the top-level subfolders of the profile root into the local registry, checks for the value in the given key, and if ii finds it, deletes it. The hive is then unloaded.
For testing, you can of course work with copies of the ntuser.dat files in a separate directory.

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp

As usual: No warranties included, use it at your own risk, test it before you apply it in earnest.

====8<----[RemoveVirus.cmd]----
@echo off
setlocal
set ProfileRoot=D:\Profiles
set VirusKey=Software\Microsoft\Windows\CurrentVersion\Run
set VirusValue=VirusStart

for /d %%a in ("%ProfileRoot%\*") do call :process "%%a"
goto leave

:process
set RegFile=%~1\ntuser.dat
echo Processing %RegFile% ...
set Infected=TRUE
reg load HKU\TempHive "%RegFile%" >NUL 2>&1

reg query "HKU\TempHive\%VirusKey%" /v "%VirusValue%" >NUL 2>&1
if errorlevel 1 set Infected=FALSE
echo ... Infected: %Infected%
if /i %Infected%==FALSE goto :Return

:: *** Test mode: Remove the "ECHO" in front of the following line to arm the script:
echo Deleting virus key ...
ECHO reg delete "HKU\TempHive\%VirusKey%" /v "%VirusValue%"
echo ... done.

:Return
reg unload HKU\TempHive >NUL 2>&1
goto :eof

:leave
====8<----[RemoveVirus.cmd]----
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jcurrieAuthor Commented:
Well Done! It works great.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
cool -  you learn something new every day.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.