Secure Windows XP tools, “uncoventional way”

You can easily categorize this article as an “unconventional” way to deal with malware affected computers, in order to restore their full functionality. Everybody can see all over the Internet the computer’s security related sites recommandations in the case of a virus infection :

Download and install this or that antimalware or antivirus, run a deep scan of the system, job done !

This phrase in his concentrated meaning, is already a pattern of almost all of the  recommandations, but in my opinion contains useless,  “empty”  words in most of the cases. Nowdays with the actual threats, more than ever a “set and forget” security software solution is not enough for your system total protection and only a better knowledge of how you computer system operate and what the malware really does in your computer, can give you a safer digital experience. I can not hide from you my passion to remove the computer viruses manually or with the basics tools some of them included in any Windows installation as Registry Editor, Task Manager, System Configuration Utility, Group Policies Editor(gpedit.msc), the Command Prompt or Safe Mode variant for booting.

Of course this approach has the same limitations as the tools limitations, for example a rootkit can not be revealed by Task Manager process viewer but for this kind of tasks there is little free utilities such as RootkitRevealer from sysinternals.com for example.

Another issue of this approach is not anybody wants to treat directly with the malware, many users wants to buy and install a “set and forget” security solution for malware handling, respectively removing. Well, it’s not always the case. There is uncounted users reports how their antivirus keep the computer in an endless rebooting loop because it’s not able to remove the infection. I will not repeat how dangerous is the feeling of safety when you see the green light of your antivirus software meaning the computer is fully protected and clean of malware, but I will repeat something else :

You are never safe when you are online ! And this is not paranoia, just statistics and studies.

A particular case when the malware is installed with the user contribution but without his knowledge, see clicking on different banners from porno video sites or installing fake codecs, in these cases the antivirus warnings are ignored because of lack of knowledge.

Let’s take an example, you install a computer program with a new variant (not yet in the antivirus signature database) of a trojan embedded in the installer and while installing the antivirus triggers alert of type :

“Updater.exe try to access the registry”

“Updater.exe try to add an entry in the registry to run at start-up”

“Updater.exe try to access the Internet”

All this behaviour appear as normal and unsuspicious for a setup component with the name as “updater.exe” which is supposed to be the program updater, so the unaware user will allow it to access  the registry and the Internet. This is how anybody can get infected with malware, without knowledge but by his actions will give a little “help” to the virus installation. I wrote in the past about a solution regarding these embedded trojans, see here and here.

Let’s get to the subject now, too much divagation isn’t good. Today I was in the front of an infected computer, how I knew that instantly? The Task Manager was greyed out and typing “regedit.exe” in the Run box popped up this error:

“Registry editing has been disabled by your administrator”

and when I try to access Task Manager :

“Task Manager has been disabled by your administrator”

There is a REG_DWORD registry entry responsible for disabling the Task Manager under :

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Name: DisableTaskMgr

Value assigned: 1 mean “true” for DisableTaskManager and in consequence will disable Task Manager;

and: 0 assign “false” to DisableTaskManager ;

Always the changes will have effect after the computer reboot or after re-login.

Seems to be pretty simple to enable a disabled Task Manager but how it is when the virus disabled also the access to the default registry editor, regedit.exe ?

There are already several solutions posted on the Internet for these issues one of them beeing for example using the Local Group Policy Editor, I will review these in quick steps because there are a plenty of such tutorials on the Internet :

- Type gpedit.msc in the RUN box and click OK;

- Browse for User configuration -> Administrative Templates -> System;

- Find in the Settings panel, a setting named “Prevent access to registry editing tools” and double click to open its window;

- Select “Disabled” or “Not configured”, click OK and reboot your system;

Note that sometimes even if you run as a computer Administrator, you don’t have the Administrative Template named System available, thus you must add it in the Group Policy Editor, right click the appropriate Administrative Templates section, click “Add/Remove Templates”, click again “Add” in the new window, browse to the location of the Administrative Templates, select system.adm from the templates available, and then click Open. The location path of these Administrative Templates is :

%SystemRoot%\SYSTEM32\GroupPolicy folder

or

%SystemRoot%\inf folder

Users can even create a Group Policy Object via Microsoft Management Console, it sounds difficult but it’s easy in fact.

-type “mmc” in the RUN box to open Microsoft Management Console,

-hit Enter

-Select File>Add/Remove Snap-in

-Click Add and select Group Policy Object Editor and click Add again in that new window

Now you have a new Group Policy Editor object you can open it and edit the Local Policy or you can save as on a location you choose for a later use, it will have .msc extension and can be opened with double click like any executable.

This method works also for Windows Vista or Windows 7.

I’ve described all these procedures because sometimes the system Administrative Template is not available, beeing deleted by the virus.

Ideally, after editing the User configuration -> Administrative Templates -> System template, you can open the registry editor, type “regedit.exe” in the RUN box, click OK and see if it works.

Another solution is to run directly the commands in the RUN box for editing the registry, the changes will be made via Console Registry Tool:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

Type “Yes” in the prompt asking for permission to overwrite the registry and hit Enter, then run the second command :

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0

Type again “Yes” for the overwrite registry question and hit Enter, that hopefully will enable the Registry Editor after the computer restart.

The same commands and procedure is available for enabling the Task Manager, only name of the item is modified :

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0

and

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0

If you want only to enable just Task Manager and have access to the registry editor you can edit the registry directly browsing for and editing the next value :

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

and change the DWORD value of “DisableTaskMgr” from 1 to 0 to enable it. Effect will takes place after rebooting.

For those who are afraid to mess the registry editing them manually, there is also some little free tools that automate enabling of the Registry Editor or Task Manager :

For Registry Editor :

-Doug Knox regtools.vbs, a simple Visual Basic script, basically modify the registry with a simple click. Can be viewed in Notepad to see what registry key is modified  :

“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools” and change the DWORD value from 1 to 0 as you saw in the above commands.

A more complete and thus recommended Visual Basic script is this :

Option Explicit
‘Declare variables
Dim WSHShell, rr, rr2, MyBox, val, val2, ttl, toggle
Dim jobfunc, itemtype
On Error Resume Next
Set WSHShell = WScript.CreateObject(“WScript.Shell”)
val = “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”
val2 = “HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”
itemtype = “REG_DWORD”
jobfunc = “Registry Editing Tools are now ”
ttl = “Result”
‘reads the registry key value.
rr = WSHShell.RegRead (val)
rr2 = WSHShell.RegRead (val2)
toggle=1
If (rr=1 or rr2=1) Then toggle=0
If toggle = 1 Then
WSHShell.RegWrite val, 1, itemtype
WSHShell.RegWrite val2, 1, itemtype
Mybox = MsgBox(jobfunc & “disabled.”, 4096, ttl)
Else
WSHShell.RegDelete val
WSHShell.RegDelete val2
Mybox = MsgBox(jobfunc & “enabled.”, 4096, ttl)
End If

Copy this in a text file(Notepad), save it with extension .vbs and “whateveryouwant” name and run it(double click).

This script modify also the registry under HKLM hive, not only HKCU as in the Doug Knox script, so we will have these two items modified :

“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”

“HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”

For Task Manager :

-Task Manager Fix v2.0 , a small tool coded in Visual Basic 6.0, it run with a single click this command :

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0

To enable all Windows tools and options :

-Sergiwa Antiviral Toolkit , this is a set of tools for removing all the restrictions implemented by a virus : disabled Task Manager, disabled Registry Editor, disabled Command Prompt and much more.

Sometimes the methods described above works, sometimes not, it differ from a Windows installation to another and from a virus to another. It’s not better if we could somehow “secure” these tools, immunizing them against the viruses actions? I mean how it could be if a virus can not disable the Task manager at all ?

What I will suggest in this article, is a new approach of how to avoid the restrictions imposed by viruses, to secure the Windows tools, Registry Editor and Task Manager. This can be done by a little “hack”, specifically editing a single byte of these tools in a hex editor.

Let’s take for example the Registry Editor–regedit.exe and copy it from the default location %SystemRoot% to the Desktop, it’s better to make the changes first to a copy of the tool and then if all went ok, replace the original file with the “immunized” one. These files are not encrypted and thus can be freely viewable in a hex editor, especially the strings contained in them.

Now the hint is when you try to open regedit.exe, it first look in the registry and read the value from :

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

If it finds the value beeing 0 the registry editor will run otherwise (if the value is 1 will not run).

There is a lot of good and free hex editors, I’ve used Free Hex Editor Neo this is how regedit.exe looks in hex view, we will search a string related to “DisableRegistryTools”, there is embedded in the executable code what registry value must be checked before to run :

registry_tools

Modifying something in that registry item value, for example replacing first letter “i” with “y” will force the registry editor to check an inexistent item namely : “DysableRegistryTools” before to run. Now the virus can modify as much as it wants the default value “DisableRegistryTools”, the regsitry Editor will always be available to run. This is the modification done :

registry_tools_mod

As you can see, in a hex editor the strings has a dot between letters. Now save the file and replace the original untouched file from Windows directory with the newly modified one. A tip : replace the file first in the %SystemRoot%/system32/dllcache folder otherwise Windows File Protection system will replace the file in seconds overwritting your modified one with the original from the cache folder. dllcache folder is hidden, you must tick “Show hidden files and folders” and untick “Hide protected operating system files” from the Folder Options. After that replace the file in %SystemRoot% (Windows) folder. Now Windows File Protection will pop-up an alert:

windows_file_protection_alert

Click “Cancel” and another alert will pop-up :

windows_file_protection_alert2

Click “Yes” to keep the modified file and that’s all, now access to the registry editor is secured against the viruses attacks.

The procedure to secure Task Manager is the same only the string you must modify inside the file is “D.i.s.a.b.l.e.T.a.s.k.M.g.r”. You know already this is the value the Task Manager executable will check in the registry before to run. The Task Manager executable, “taskmgr.exe” is located in %SystemRoot%\system32 folder. It’s absolutely necessary to not add or delete bytes from these executables, otherwise will get corrupted, just replace a letter(from the strings already mentioned) with another at your choice in an hex editor. Respecting these rules, this method to secure access to Task Manager and Registry Editor is absolutely safe and no virus will annoy you again. This procedure can be applied aswell for Windows Vista and Windows 7, only the Windows File Protection system operate slightly different and will be a subject of a future article.

Keep safe !

Posted in Thoughts. Tagged with , , .

One Response

Leave a Reply