Verifying and fixing the Userinit value in the registry
If your PC is a victim of the Malware discussed in this article, and unable to login to your profile, then you'll need to fix the registry as discussed there. As you're unable to login, registry modification can only be done from a remote system, or via offline registry editing. This article discusses about offline registry editing.
BartPE screen
Registry Editor
Load Hive option
Select the Hive
Name the Hive
Fixing a key
Unload the hive
- Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible, as shown in Figure 1.
- Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
- From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\
- Select the file named SOFTWARE (the file without any extensions), and click Open
- Type a name for the hive that you've loaded now. (Example: MyXPHive)
- Now the SOFTWARE hive is loaded, and present under the HKEY_USERS base hive.
- In order to fix the Userinit value in the loaded hive, navigate to the following location:
HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
- Double-click Userinit and set it's value correctly. Example: Set it's data as follows:
C:\Windows\System32\Userinit.exe,
(Include the trailing comma also. The above assumes that Windows is installed in C:\Windows, and Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.)
- After entering the correct data, you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It's important to note that you'll need to select the MyXPHive branch first, before unloading it.
- Quit BartPE and restart Windows. See if you're able to logon to your profile.
Tidak ada komentar:
Posting Komentar