sfcanderson
asked on
Can't open cmd.exe in Windows 2003
We've taken over a server that appears to have been infected with spyware or some viruses, which I think we've cleaned off. Symantec AV, AVG, MalwareBytes, and Windows Defender have all found infections that they said they cleaned, and we've rebooted after each one. Now the server appears to be clean, but we can't open the command line.
Every time we launch cmd.exe (from the Start menu, the Run command, or the System32 folder) the window comes up and shows "tftp.exe" in the upper-left instead of the CMD.exe location. Instead of the folder location in the main window, it shows "Password_" . As soon as we enter any text the window automatically closes.
I've copied the CMD.EXE file from a different server that works as well as a Windows 2003 CD, but they all do the exact same thing. We've also installed all Windows 2003 updates.
We need to get into the command line ASAP to do some work, but have not been able to figure this out.
Any help would be appreciated.
Thanks.
Try sfc /scannow or reinstalling the service pack.
ASKER
I'll try safe mode in about an hour. This is a domain controller, so I think that means we need to do Directory Services Restore Mode?
I've already tried sfc /scannow, but it doesn't do anything. The black window for the command line will pop up for 1/2 second and then disappear.
I'm nervous about reinstalling SP2 because it's been on there for so long. Couldn't this cause a conflict with the other updates that have been installed over the years?
This definitely was caused by the virus.
Copy the following and save it to a file named cmdfix.reg, then run it on the server; it should put the correct file association back to the CMD extension.
Copy all below here:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.CMD]
@="cmdfile"
[HKEY_CLASSES_ROOT\.CMD\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\cmdfile]
@="Windows Command Script"
"EditFlags"=hex:30,04,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,61,00,63,00,70,00,70,00,61,00,67,00,65,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,36,00,30,00,30,00,33,00,00,00
[HKEY_CLASSES_ROOT\cmdfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,35,\
  00,33,00,00,00
[HKEY_CLASSES_ROOT\cmdfile\shell]
[HKEY_CLASSES_ROOT\cmdfile\shell\edit]
[HKEY_CLASSES_ROOT\cmdfile\shell\edit\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
  00
[HKEY_CLASSES_ROOT\cmdfile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\cmdfile\shell\print]
[HKEY_CLASSES_ROOT\cmdfile\shell\print\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\
  00,25,00,31,00,00,00
[HKEY_CLASSES_ROOT\cmdfile\shell\runas]
[HKEY_CLASSES_ROOT\cmdfile\shell\runas\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\
  64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,31,00,22,\
  00,20,00,25,00,2a,00,00,00
[HKEY_CLASSES_ROOT\cmdfile\shellex]
[HKEY_CLASSES_ROOT\cmdfile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\cmdfile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\cmdfile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\cmdfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
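An added example, not part of the original post: a small Python reader for the .reg text format used above, which decodes the `hex(2)` (REG_EXPAND_SZ, UTF-16LE) values so the shell commands a file would install can be read before it is imported on a server. The function names are this example's own, and the sample is an excerpt of the file posted above with the stray spaces removed.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"

# Excerpt of the cmdfix.reg text from the post above, stray spaces removed.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\runas\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\
  64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,31,00,22,\
  00,20,00,25,00,2a,00,00,00
'''

def decode_value(data):
    """Render the right-hand side of a .reg value as readable text."""
    if data.startswith('"'):                      # REG_SZ with backslash escapes
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    kind, _, body = data.partition(":")
    if kind == "dword":
        return int(body, 16)
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    if kind in ("hex(1)", "hex(2)", "hex(7)"):    # string types stored as UTF-16LE
        return raw.decode("utf-16-le").rstrip("\x00")
    if kind.startswith("hex"):                    # REG_BINARY and other raw types
        return raw.hex(" ")
    raise ValueError(f"unknown value type: {data!r}")

def parse_reg(text):
    """Return {key: {value_name: decoded_value}}; raise ValueError if malformed."""
    # Join hex continuation lines (trailing backslash) before splitting.
    lines = re.sub(r"\\\r?\n[ \t]*", "", text.lstrip("\ufeff")).splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("first line is not the version 5.00 header")
    keys, current = {}, None
    for line in map(str.strip, lines[1:]):
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            raise ValueError(f"unparseable line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else decode_value(m.group(1))
        current[name] = decode_value(m.group(2))
    return keys

def shell_commands(keys):
    """Only the command lines registered under ...\\shell\\<verb>\\command keys."""
    return {k: v["(Default)"] for k, v in keys.items()
            if k.lower().endswith("\\command") and "(Default)" in v}
```

Calling `shell_commands(parse_reg(SAMPLE))` returns the decoded command line for each verb, so any entry that does not point at the expected system binary stands out before the file is merged.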
ASKER
sweeps, I tried running that Registry key but am having problems. When I just run the file it tells me "The specified file is not a registry script. you can only import binary registry files from within the registry editor."
So, I opened regedit and imported the file. The first time it said "Cannot import ...filename... The key selected is invalid."
After that I edited the permissions on the HKEY_CLASSES_ROOT hive to ensure I had full rights on everything and ran it again. The second time I got this message:
"Cannot import...filename...: The specified file is not a registry file. You can import only registry files."
Attached is the registry file. I have verified the entries match 2 of our 2003 servers, so there should be no issue. Please let me know if this still has import errors.
cmdfix.reg
One thing I would mention is that if the server is having extension issues with cmd, most likely it will have other extension issues. If the virus was this extreme, the best solution is a rebuild.
Just saying
ASKER
Downloaded your file, which ran successfully but did not fix the problem.
We're actually trying to remove this server, but it's the only domain controller so we have to get the new one running before we can demote this one. The new server is Windows 2008, so we have to get to the command line to prep the domain before we can proceed.
I have talked with our systems engineer and he had the same idea as me. Sorry but this is beyond me without having it sitting here.
ASKER
Ugh, we restarted into safe mode but the problem is still occurring. Any more thoughts on how to get into the command prompt?
Are there any other ways to upgrade AD without using the command prompts?
What is it you need to run on the bad server? Maybe I can help with that part.
ASKER
We're trying to run ADprep and forestprep to get the new Windows 2008 server in.
Can you try running the following? See if it fixes the command prompt.
Open Start >> Run and type the following command (or just copy it):
REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
This should reset the command prompt for the logged-in user...
Still looking into VBScript to run adprep; will let you know if I can get it to work in our test environment.
ASKER
Thanks for continuing to try, but that command didn't fix it either!
If we can run the domainprep and forestprep from the Run command (or a VMScript) then we should be OK. Let me know if you find anything out, otherwise we'll try it again at the end of the day, which is the next time we have cleared for downtime.
I am unable to get it to work without error in VB.
I will keep trying and let you know if I can get it to go.
ASKER
Actually, I think we've found a solution. We use a managed services application that gives us command line access through a remote app, which seems to be working. We're going to try that in a few minutes and see if it's functional.
Good luck! Hope it works.
ASKER
Expert's solutions were excellent, but did not fix the problem.
What’s the result? If the issue doesn’t occur, you can disable third party software one by one to test.