Solved

Script to modify ntuser.dat

Posted on 2004-11-25
Medium Priority
3,429 Views
Last Modified: 2007-12-19
I need a script to modify keys and values in user profile registry hives (ntuser.dat). I need the script to modify the hive directly from the profile. I cannot use a login script that modifies HKCU because the keys I need to get rid of are virus / malware components and if the users log in they will re-infect the computers.
Question by:jcurrie
14 Comments
 
LVL 4

Author Comment

by:jcurrie
ID: 12675720
Oh I forgot. I prefer JScript but VB script will do as well.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12675727
This may help - but I don't think it's scriptable.
http://support.microsoft.com/kb/146050/EN-US/
0
 
LVL 4

Author Comment

by:jcurrie
ID: 12675783
Thank you for the quick response leew. I could load the registry hives into regedit (as described in the article). However, this would be unreasonably time consuming to perform on all my user accounts.

I need to check all existing profiles (about 150 accounts) for the existence of a specific registry key and delete it if it exists.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12675875
What might be easier is if you determine what file the virus/spyware/adware is looking for and remove that.  This way the user can log in then you can use tools like REG.EXE to get rid of the registry lines you don't want.  What line(s) are you looking for?
0
 
LVL 4

Author Comment

by:jcurrie
ID: 12676103
I've found several of the components of this virus and cleaned the computers. However, there are also components in the user profile which I am not able to pinpoint. The registry key in the user profile that I am concerned about is:
HKCU\..\Run: [Windows Media Player] msass43.exe

Unfortunately msass43.exe is nowhere to be found, but the system has no problem launching the service when it is called. I have spoken to Symantec and we are working on a definition. In the meantime I would like to scan all my user profiles to ensure that I don't have any users with this key that will re-infect any systems when they log in. I have removed the local files that I can find and the HKLM keys. This has removed the symptoms of the virus, but if a user logs in and starts msass43.exe the virus will re-infect. The horrible thing is that this thing seems to infect all computers on the LAN very quickly once one is infected.

0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12676160
Nearly 3 weeks old this virus is. And Symantec seems to have known about it for a while, if this post is to be believed.
http://isc.sans.org/diary.php?date=2004-11-07

I'd pull a machine off the network, boot up and hack around.  Look for hidden files, run silentrunners - www.silentrunners.org - and go through all items that start when the system does.
0
 
LVL 4

Author Comment

by:jcurrie
ID: 12676252
I've seen that post and I believe it to be referring to two separate viruses. I spoke to a Symantec Corporate Antivirus technician yesterday and sent the virus files I had related to this, and they did not have it in their database.
0
 
LVL 4

Author Comment

by:jcurrie
ID: 12676263
In any case, I have got the virus under control at this point. What I am really interested in is a script that will allow me to query and modify user registry hives directly from ntuser.dat.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12676360
I don't think such a scriptable method exists.  Good luck in finding it.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 12683975
Are you talking about local or roaming profiles?
0
 
LVL 4

Author Comment

by:jcurrie
ID: 12684254
roaming profiles
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1000 total points
ID: 12686528
Try it with this script. It uses reg.exe, which comes by default in XP, and is included in the Support Tools for W2k.
Adjust the path to the root of your roaming profile folders at the beginning (can be a UNC path as well), and set the registry key and value to delete.
The script is currently in test mode, it will only display the delete command that would be executed otherwise.
The script loads the ntuser.dat in the top-level subfolders of the profile root into the local registry, checks for the value in the given key, and if it finds it, deletes it. The hive is then unloaded.
For testing, you can of course work with copies of the ntuser.dat files in a separate directory.

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp

As usual: No warranties included, use it at your own risk, test it before you apply it in earnest.

====8<----[RemoveVirus.cmd]----
@echo off
setlocal
:: Root of the roaming profile folders (a UNC path works as well)
set ProfileRoot=D:\Profiles
:: Key (relative to the user hive) and value name to delete
set VirusKey=Software\Microsoft\Windows\CurrentVersion\Run
set VirusValue=VirusStart

for /d %%a in ("%ProfileRoot%\*") do call :process "%%a"
goto leave

:process
set RegFile=%~1\ntuser.dat
echo Processing %RegFile% ...
set Infected=TRUE
reg load HKU\TempHive "%RegFile%" >NUL 2>&1
:: A hive that is in use (user logged on) cannot be loaded; report that instead of treating the profile as clean
if errorlevel 1 (
  echo ... could not load hive, skipping.
  goto :eof
)

reg query "HKU\TempHive\%VirusKey%" /v "%VirusValue%" >NUL 2>&1
if errorlevel 1 set Infected=FALSE
echo ... Infected: %Infected%
if /i %Infected%==FALSE goto :Return

:: *** Test mode: Remove the "ECHO" in front of the following line to arm the script:
:: (/f suppresses the confirmation prompt, so the armed script runs unattended)
echo Deleting virus key ...
ECHO reg delete "HKU\TempHive\%VirusKey%" /v "%VirusValue%" /f
echo ... done.

:Return
reg unload HKU\TempHive >NUL 2>&1
goto :eof

:leave
====8<----[RemoveVirus.cmd]----
0
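For anyone doing the same job on a newer Windows where PowerShell is available, here is an added example (editor's own code, not oBdA's script or anything posted in the thread). It follows the same load / query / unload pattern with reg.exe, but records the outcome for every profile in a CSV, including hives that could not be loaded, so a profile whose hive is in use by a logged-on user is reported as unknown rather than silently counted as clean. It runs in audit mode unless -Remove is given. The profile root, the report path and the script name are placeholders; the value name is the one named earlier in the thread.

```powershell
# Added example (not oBdA's script): audit, and optionally clean, one Run value in every
# roaming profile hive under a share by loading each ntuser.dat offline with reg.exe.
# Assumptions: run elevated; reg.exe on the path; $ProfileRoot and $Report are placeholders.
param(
    [string]$ProfileRoot = 'D:\Profiles',                                  # placeholder, as in the thread
    [string]$RunKey      = 'Software\Microsoft\Windows\CurrentVersion\Run',
    [string]$ValueName   = 'Windows Media Player',                         # value name quoted in the thread
    [string]$Report      = (Join-Path $env:TEMP 'hive-scan.csv'),           # placeholder output path
    [switch]$Remove                                                        # audit only unless given
)

$HiveName = 'TempHive'
$HivePath = "Registry::HKEY_USERS\$HiveName\$RunKey"
$results  = New-Object System.Collections.Generic.List[object]

foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory) {
    $hive = Join-Path $dir.FullName 'ntuser.dat'
    $row  = [pscustomobject]@{
        Profile = $dir.Name; Loaded = $false; Found = $false; Data = $null; Removed = $false; Error = $null
    }
    $results.Add($row)

    if (-not (Test-Path -LiteralPath $hive)) { $row.Error = 'no ntuser.dat'; continue }

    # A hive that is in use (user logged on, or a session that never unloaded it) will not load.
    # Record that as unknown rather than reporting the profile as clean.
    $out = & reg.exe load "HKU\$HiveName" "$hive" 2>&1
    if ($LASTEXITCODE -ne 0) { $row.Error = "load failed: $out"; continue }
    $row.Loaded = $true

    try {
        # Returns $null when either the key or the value is absent.
        $item = Get-ItemProperty -Path $HivePath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $row.Found = $true
            $row.Data  = $item.$ValueName
            if ($Remove) {
                Remove-ItemProperty -Path $HivePath -Name $ValueName -ErrorAction Stop
                $row.Removed = $true
            }
        }
    }
    catch {
        $row.Error = $_.Exception.Message
    }
    finally {
        # The registry provider can keep the key handle open, which makes reg unload fail
        # with "Access is denied"; drop the reference and collect before unloading.
        $item = $null
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        $out = & reg.exe unload "HKU\$HiveName" 2>&1
        if ($LASTEXITCODE -ne 0) { $row.Error = "unload failed: $out" }
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once without -Remove and review the CSV: any row with "load failed" is a profile that has not been checked at all (usually because that user is logged on somewhere), and needs a second pass after the session ends, otherwise a single still-infected hive is enough to re-seed the network as the thread describes. A row with Found = True and the Data column showing the executable name is the match; only then run again with -Remove.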
 
LVL 4

Author Comment

by:jcurrie
ID: 12686617
Well Done! It works great.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12687001
cool -  you learn something new every day.
0