siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Posts: 6729

How do I remove a "Locked" Registry key?
« on: Apr 3rd, 2009, 11:02pm »
It is a frequent tactic of cybercriminals' malicious software to encode modifications to the permissions of associated registry keys. This can prevent security software from being able to remove the infected registry keys from the system registry. This post provides a step-by-step procedure for manually removing "locked" registry keys.

Warning: Manually editing the system registry can be dangerous to the proper operation of your computer. An incorrect modification can render the computer non-bootable. Always back up your registry prior to manually editing it.

For the purpose of example, the following registry key is used. It is assumed that this registry key has been maliciously altered such that the infected key cannot be removed by security software such as TrojanHunter.

HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

The procedure below will change the permissions for registry key {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}, changing its permissions to your user account and providing you full control of this specific registry key. You should then be able to delete the key.

- The procedure steps described are for a Windows Vista operating system; however, the steps are very similar for Windows XP.
- You must be signed on with a user account that has full administrative privileges.
- To open Regedit on a Vista system:
  a. Go to START>RUN and type in Regedit. Regedit.exe will appear in the Start window.
  b. Right click on Regedit.exe and select "Run as administrator".
- To open Regedit on an XP system:
  a. Go to START>RUN and type in Regedit.exe.
  b. Click on OK to open Regedit.

Removal Procedure:

1. Open Regedit.
2. Expand HKEY_CLASSES_ROOT by clicking on the + sign next to HKEY_CLASSES_ROOT.
3. Scroll down the registry keys until you find the registry key named CLSID.
4. Expand registry key CLSID by clicking on the + sign next to CLSID.
5. Scroll down the registry keys under CLSID until you find the registry key named {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}.
6. Right click on the registry key named {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} and select Permissions from the menu.
7. Click on Advanced.
8. Select the Owner tab.
9. In the "Change owner to" window, highlight the one that is your personal user account.
10. Checkmark "Replace owner on subcontainers and objects".
11. Click on Apply. Your personal user account should now be in the Current Owner box.
12. Click on OK. You should now be back to the Security tab.
13. Click on OK.
14. Again, right click on the registry key named {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} and select Permissions from the menu.
15. In the "Group or user names:" window, highlight the one that is your personal user account.
16. In the Permissions for (your user name), the Full Control and Read boxes should be checked under Allow. IF NOT, skip to step 22.
17. Click on OK to close the Permissions window.
18. Right click on the registry key named {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} and select Delete. Confirm the Delete. The registry key named {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} should disappear.
19. The registry key should now disappear and you are done with the deletion. Close Regedit.
20. Reboot your computer.
21. Rescan your computer with your security software to ensure the registry key is no longer present.
22. If your user account does not have Full Control, click on Advanced.
23. In the Permissions entries window, highlight the entry with your user account name.
24. Checkmark the box "Include inheritable permissions from this object's parent.".
25. Click on Edit.
26. In the Permissions window, checkmark all the boxes under Allow.
27. Checkmark the box "Apply these permissions to objects and/or containers within this container only.".
28. In the Apply to: window, it should be "This key and subkeys".
29. Click on OK.
30. Click on Apply and OK.
31. Click on Apply and OK.
32. Right click on the registry key named {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} and select Delete. Confirm the Delete. The registry key named {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} should disappear.
33. The registry key should now disappear and you are done with the deletion. Close Regedit.
34. Reboot your computer.
35. Rescan your computer with your security software to ensure the registry key is no longer present.

NOTE 1: If the registry key that you are attempting to remove has one or more subkeys under it, you may have to change permissions, obtain full control, and delete each of the subkeys prior to deleting the main registry key.

NOTE 2: A freeware program to back up the system registry is RegBak. It can be downloaded from the link below.
http://www.acelogix.com/freeware.html
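The same cleanup as a script, added here as an example; it is not code from the original post or from TrojanHunter. It does in order what the Regedit steps above do by hand: enable SeTakeOwnershipPrivilege (the Owner tab does this for you, which is why Regedit can take a key that refuses to open), take ownership of the key and, per NOTE 1, of every subkey, grant the current account Full Control on "This key and subkeys", export a copy of the key, and delete the key tree. It goes one step beyond the post in that it also removes explicit Deny entries from each key, because Windows evaluates Deny entries before Allow entries and a Deny planted on the key would otherwise outrank the new Full Control entry. Assumptions: an elevated PowerShell session; the CLSID used as the default is the post's own example key; $BackupReg is a hypothetical location for the exported copy.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: the Regedit steps above as a script.
# Enables SeTakeOwnershipPrivilege, takes ownership of the locked key and (NOTE 1) of every
# subkey, grants the current account Full Control, exports a copy, then deletes the key tree.
# Assumes an elevated session; the CLSID below is the post's example key, $BackupReg is hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KeyPath   = 'CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}',  # relative to HKEY_CLASSES_ROOT
    [string]$BackupReg = "$env:TEMP\locked-key-backup.reg"
)
$ErrorActionPreference = 'Stop'

# Administrators hold SeTakeOwnershipPrivilege, but it is disabled by default. Without it, opening a
# key whose DACL denies everything (WRITE_OWNER included) fails with Access Denied; the Regedit
# Owner tab enables it behind the scenes, so the script does the same through AdjustTokenPrivileges.
Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public int Count; public LUID Luid; public int Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr p, int access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES ns, int len, IntPtr prev, IntPtr ret);
    public static bool Enable(string name) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out tok)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES(); tp.Count = 1; tp.Attributes = 2; /* SE_PRIVILEGE_ENABLED */
        bool ok = LookupPrivilegeValue(null, name, out tp.Luid)
               && AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;   // TRUE with ERROR_NOT_ALL_ASSIGNED means the privilege is not held
        CloseHandle(tok); return ok;
    }
}
"@
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Could not enable SeTakeOwnershipPrivilege' }

$hive = [Microsoft.Win32.Registry]::ClassesRoot
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # SID of the logged-on administrator

function Unlock-RegistryKeyTree {
    param([Microsoft.Win32.RegistryKey]$Parent, [string]$Name)

    # Steps 6-13 (Owner tab): open the key asking only for WRITE_OWNER and make ourselves the owner.
    # A fresh RegistrySecurity persists only the section that was modified, so only the owner changes.
    $k = $Parent.OpenSubKey($Name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($me)
    $k.SetAccessControl($ownerOnly)
    $k.Close()

    # Steps 14-17 / 22-31 (Permissions): the owner implicitly holds READ_CONTROL and WRITE_DAC, so
    # re-open with those rights and edit the DACL. Explicit Deny entries go first (they would outrank
    # the Allow entry added below); ContainerInherit is the dialog's "This key and subkeys".
    $k = $Parent.OpenSubKey($Name, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            ([System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
                             [System.Security.AccessControl.RegistryRights]::ChangePermissions))
    $acl = $k.GetAccessControl()
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -eq 'Deny') { $acl.RemoveAccessRuleAll($rule) }
    }
    $allow = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $me, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($allow)
    $k.SetAccessControl($acl)
    $k.Close()
    Write-Verbose "Unlocked $Name"

    # NOTE 1: subkeys may be locked in their own right; now that this key can be enumerated, recurse.
    $k = $Parent.OpenSubKey($Name, $true)
    foreach ($child in $k.GetSubKeyNames()) { Unlock-RegistryKeyTree -Parent $k -Name $child }
    $k.Close()
}

$parent = if ($KeyPath.Contains('\')) { $hive.OpenSubKey((Split-Path -Path $KeyPath -Parent)) } else { $hive }
Unlock-RegistryKeyTree -Parent $parent -Name (Split-Path -Path $KeyPath -Leaf)

# Keep a copy of the key before deleting it (only possible now that it is readable). This is a
# per-key export, not the full registry backup the post recommends making with RegBak.
& reg.exe export "HKCR\$KeyPath" $BackupReg /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit code $LASTEXITCODE)" }

# Steps 18-21 / 32-35: delete the key tree, verify it is gone, then reboot and rescan.
$providerPath = "Registry::HKEY_CLASSES_ROOT\$KeyPath"
if ($PSCmdlet.ShouldProcess($providerPath, 'Delete registry key tree')) {
    Remove-Item -LiteralPath $providerPath -Recurse
    if (Test-Path -LiteralPath $providerPath) { throw "$providerPath still exists" }
    Write-Output "Deleted $providerPath (copy saved to $BackupReg). Reboot, then rescan with your security software."
}
```

Run it from an elevated prompt with -WhatIf first: the ownership and permission changes are applied, but the deletion is only reported, which lets you inspect the now-readable key in Regedit before committing. Because HKEY_CLASSES_ROOT is a merged view, the change lands in HKLM\Software\Classes for a machine-wide CLSID, exactly as it does when editing in Regedit.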
« Last Edit: Apr 5th, 2009, 5:59am by siliconman01 »
______ TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.