Solved

Registry Write Error

Posted on 2009-02-13
Last Modified: 2012-06-21
Hello,

I have a problem on a Vista Home Premium machine.

If I boot in safe mode I can write to the following registry key.

hkey_local_machine\system\currentcontrolset\services

If I boot in normal mode, I get an error access is denied.

I have looked for viruses, rootkits, using combofix and unhackme.

Has anyone else had this problem??

I have also tried to redo the permission on this key but to no avail.

Thanks

Kevin
Question by:doctick
LVL 16

Expert Comment

by:cantoris
ID: 23641226
I think UAC is your problem.  If you temporarily turn off User Account Control then you will be able to launch regedit.exe with full admin rights and edit the key.  Or just shift right-click regedit.exe and Run As Administrator.
I suspect UAC is not active in Safe Mode.

Note also that some keys within CurrentControlSet require you to take ownership of them before you can do anything else to them.

Author Comment

by:doctick
ID: 23641457
Hello Cantoris,

Nope, I have already turned off UAC.  

I have tried taking ownership of the key as well, still does not work.

Any other suggestions??
LVL 16

Accepted Solution

by:
cantoris earned 2000 total points
ID: 23641733
Run Process Explorer from
http://live.sysinternals.com/tools/procexp.exe
With it running, add in the column "Process Image - Integrity Level".
Then start regedit.exe.  Look at its entry in Process Explorer - is it running with a level of "High"?

Also, if you open regedit's properties in there and look on the security tab you can check on the list of Privileges your account currently has (when it launched it).  There should be a load listed - if there are only a few then it would appear UAC is still active.

Also, "handle -a" can show registry handles in case something else is using it:
http://technet.microsoft.com/en-gb/sysinternals/bb896655.aspx

Come to think of it, are we missing the obvious ... try stopping/disabling the service whose keys you are playing with!  If it's not listed in the Services.msc, then look in Device Manager with the hidden devices enabled option.  Look under Non-Plug and Play Devices - you can disable it in there if it was not a normal Service.
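The checks from the accepted answer, gathered into one script as an added example (not part of the original thread or written by its participants). It assumes PowerShell 2.0 or later and the built-in `whoami.exe`; `$KeyPath` is the key named in the question, and the write test only opens a handle without changing any value.

```powershell
# Added example: diagnose "access is denied" on a service registry key.
# $KeyPath is taken from the question; adjust it to the subkey being edited.
$KeyPath = 'SYSTEM\CurrentControlSet\Services'

# 1. Is this process running with an elevated administrator token?
#    False means a filtered (UAC) token or a non-admin account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated administrator token: $isAdmin"

# 2. Integrity level: the mandatory-label SID (S-1-16-*) carried in the token.
#    This is the value Process Explorer shows in its Integrity Level column.
$labels = @{ 'S-1-16-4096'  = 'Low';  'S-1-16-8192'  = 'Medium'
             'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header 'Name', 'Type', 'SID', 'Attributes'
$labelSid = $groups | Where-Object { $_.SID -like 'S-1-16-*' } |
    Select-Object -First 1 -ExpandProperty SID
$level = if ($labelSid -and $labels.ContainsKey($labelSid)) { $labels[$labelSid] } else { 'unknown' }
"Integrity level: $level ($labelSid)"

# 3. Privileges in the token. A short list suggests the token is still filtered.
$privs = @(whoami /priv /fo csv /nh |
    ConvertFrom-Csv -Header 'Name', 'Description', 'State')
"Privileges in token: $($privs.Count)"
$privs | ForEach-Object { "  $($_.Name) [$($_.State)]" }

# 4. Owner and access rules on the key itself.
$acl = Get-Acl -Path "HKLM:\$KeyPath"
"Key owner: $($acl.Owner)"
$acl.Access | ForEach-Object {
    "  $($_.IdentityReference): $($_.AccessControlType) $($_.RegistryRights)"
}

# 5. Ask for a writable handle, then close it. Nothing is modified.
try {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath, $true)
    if ($key) { $key.Close(); 'Write handle opened: token and ACL allow writes.' }
    else      { 'Key not found.' }
} catch {
    "Write handle refused: $($_.Exception.Message)"
}
```

If the token is elevated at High integrity and the ACL grants the account write access, yet step 5 is still refused, the denial is not explained by UAC or the key's permissions, which is where the answer's suggestion to look at handles and the running service comes in.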

Question has a verified solution.