
digitalmars.D - Windows Registry Spring Cleaning

reply Andrew Edwards <ridimz_at yahoo.dot.com> writes:
In performing my part-time job (PC Service Technician) I'm often asked 
to clean such things as malware, adware, spyware, key loggers, worms, 
trojans, etc. The simplest recourse is to Wipe-and-Reload the system, 
but no one, in their right mind, wants to inform a customer that they 
stand to lose everything on their system. So I end up spending an 
ungodly amount of time using tools such as SpywareEliminator, 
HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc.: all of which 
require you to install the program on the customer's machine, but none 
of which is capable of identifying all offending programs or even 
eradicating the ones that are found.

At $50 per hour, there is no way on earth I can charge a customer for 
the six to ten hours I spend cleaning their system. Often I charge 
for two hours and swallow the rest.

This said, I am seriously in need of a program that traverses the 
registry and other system files (i.e. system.ini, win.ini, etc.) and 
removes references to all "pests" and subsequently removes said programs 
from the hard disk: all without booting up the system from the internal 
drive. The thought is that I should be able to load a bootable floppy or CD 
and remove all "pests" from the system prior to booting the PC to 
install the necessary security provisions.

My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) 
accessible without booting from the internal hard disk?

If so can someone provide a small "D" example of how to access the 
registry, search for a given entry and remove it if it exists?

TIA
Andrew
Aug 01 2004
next sibling parent reply Stephan Wienczny <Stephan Wienczny.de> writes:
Andrew Edwards wrote:
 In performing my part-time job (PC Service Technician) I'm often asked 
 to clean such things as malware, adware, spyware, key loggers, worms, 
 trojans, etc. The simplest recourse is to Wipe-and-Reload the system, 
 but no one, in their right mind, wants to inform a customer that they 
 stand to lose everything on their system. So I end up spending an 
 ungodly amount of time using tools such as SpywareEliminator, 
 HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc.: all of which 
 require you to install the program on the customer's machine, but none 
 of which is capable of identifying all offending programs or even 
 eradicating the ones that are found.
 
 At $50 per hour, there is no way on earth I can charge a customer for 
 the six to ten hours I spend cleaning their system. Often I charge 
 for two hours and swallow the rest.
 
 This said, I am seriously in need of a program that traverses the 
 registry and other system files (i.e. system.ini, win.ini, etc.) and 
 removes references to all "pests" and subsequently removes said programs 
 from the hard disk: all without booting up the system from the internal 
 drive. The thought is that I should be able to load a bootable floppy or CD 
 and remove all "pests" from the system prior to booting the PC to 
 install the necessary security provisions.
 
 My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) 
 accessible without booting from the internal hard disk?
 
 If so can someone provide a small "D" example of how to access the 
 registry, search for a given entry and remove it if it exists?
 
 TIA
 Andrew
Here are my thoughts about that: On Win2K and WinXP you will have to access NTFS file systems. You should use Linux with Captive NTFS to access it.

It should be possible to access the registry from such an offline system. I've seen a bootable CD that can change XP passwords. The registry should not be a problem, if you know its binary layout....

Stephan
Aug 01 2004
parent reply Sean Kelly <sean f4.ca> writes:
Stephan Wienczny wrote:
 
 On Win2K and WinXP you will have to access NTFS file systems. You should 
 use Linux with Captive NTFS to access it.
 It should be possible to access the registry from such an offline 
 system. I've seen a bootable CD that can change XP passwords. The 
 registry should not be a problem, if you know its binary layout....
... and where it's stored. The registry stinks. I've never seen a tool that can actually manipulate it offline.

Sean
Aug 01 2004
parent parabolis <parabolis softhome.net> writes:
Sean Kelly wrote:

 Stephan Wienczny wrote:
 
 On Win2K and WinXP you will have to access NTFS file systems. You 
 should use Linux with Captive NTFS to access it.
 It should be possible to access the registry from such an offline 
 system. I've seen a bootable CD that can change XP passwords. The 
 registry should not be a problem, if you know its binary layout....
 ... and where it's stored. The registry stinks. I've never seen a tool that can actually manipulate it offline.
 
 Sean
http://www.cs.mun.ca/~michael/regutils/doc/regedit.html

This link gives a synopsis of a tool that looks like it claims it can do that.
Aug 01 2004
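An added example for the sub-thread above (not code from the thread, and in Python rather than the D Andrew asked for, since the binary layout is the point): a small offline parser for the Win2K/XP hive format Stephan refers to, with a writer that constructs a sample hive so it runs without a Windows disk. Where it's stored, to Sean's point: on NT-family systems the hives are ordinary files under %SystemRoot%\system32\config\ (SOFTWARE, SYSTEM, SAM, SECURITY, DEFAULT) plus NTUSER.DAT in each profile directory, which is what a Linux boot CD with NTFS access gets at. Win9x/ME keep the registry in system.dat and user.dat in a different (CREG) format that this parser does not read. The parser checks the regf signature, walks cells from the root nk key, follows lf/lh/li/ri subkey lists, reads vk values including data stored inline in the offset field, and looks up a key path case-insensitively, which is the "search for a given entry" half of the question. It does not handle db big-data cells (values over 16 KB), the transaction logs, or writing changes back. The key names, the pest.exe path and the CSDVersion value in the sample hive are constructed, and the sample image lacks the checksum and sequence numbers a real hive carries, so Windows itself would not load it.

```python
import struct

HBIN_BASE = 0x1000                       # cell offsets are relative to the first hbin
REG_SZ, REG_DWORD, NONE = 1, 4, 0xFFFFFFFF  # NONE: hive marker for "no such cell"
u32 = lambda buf, off: struct.unpack_from("<I", buf, off)[0]


class Hive:
    """Read-only walker over a regf image (Win2K/XP SOFTWARE, SYSTEM, SAM, NTUSER.DAT)."""
    def __init__(self, data):
        if data[:4] != b"regf":
            raise ValueError("not a regf hive")
        self.data, self.root = data, u32(data, 0x24)          # 0x24: root nk cell offset
    def cell(self, off):
        start = HBIN_BASE + off
        size = struct.unpack_from("<i", self.data, start)[0]  # negative size = allocated
        if size >= 0:
            raise ValueError("cell 0x%x is free" % off)
        return self.data[start + 4:start - size]
    def key_name(self, off):
        c = self.cell(off)
        if c[:2] != b"nk":
            raise ValueError("not an nk cell")
        raw = c[0x4C:0x4C + struct.unpack_from("<H", c, 0x48)[0]]   # 0x48: name length
        return raw.decode("latin-1") if struct.unpack_from("<H", c, 2)[0] & 0x20 else raw.decode("utf-16-le")
    def subkeys(self, off):
        c = self.cell(off)                                    # 0x14: count, 0x1C: list offset
        return list(self._walk_list(u32(c, 0x1C))) if u32(c, 0x14) else []
    def _walk_list(self, off):
        c = self.cell(off)
        sig, count = c[:2], struct.unpack_from("<H", c, 2)[0]
        if sig not in (b"lf", b"lh", b"li", b"ri"):
            raise ValueError("unknown subkey list %r" % sig)
        step = 8 if sig in (b"lf", b"lh") else 4              # lf/lh entries carry a name hash
        for i in range(count):
            item = u32(c, 4 + step * i)
            yield from self._walk_list(item) if sig == b"ri" else (item,)   # ri: list of lists
    def values(self, off):
        c, out = self.cell(off), {}                           # 0x24: count, 0x28: list offset
        for i in range(u32(c, 0x24)):
            v = self.cell(u32(self.cell(u32(c, 0x28)), 4 * i))
            nlen, dsize, doff, dtype, vflags = struct.unpack_from("<HIIIH", v, 2)
            raw = v[0x14:0x14 + nlen]
            name = raw.decode("latin-1") if vflags & 1 else raw.decode("utf-16-le")
            data = (struct.pack("<I", doff)[:dsize & 0x7FFFFFFF] if dsize & 0x80000000  # inline
                    else self.cell(doff)[:dsize])
            out[name or "(Default)"] = (dtype, data)
        return out
    def find_key(self, path):
        off = self.root                                       # case-insensitive path lookup
        for part in path.split("\\"):
            off = next((s for s in self.subkeys(off) if self.key_name(s).lower() == part.lower()), None)
            if off is None:
                return None
        return off


class HiveWriter:
    """Emits a structurally minimal hive (no checksum, sequence numbers or timestamps)."""
    def __init__(self):
        self.cells = bytearray()
    def alloc(self, payload):
        size = (len(payload) + 4 + 7) & ~7                    # cells are 8-byte aligned
        off = 0x20 + len(self.cells)                          # past the hbin header
        self.cells += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return off
    def vk(self, name, dtype, value):
        blob = None if dtype == REG_DWORD else value.encode("utf-16-le") + b"\0\0"
        dsize, doff = (0x80000000 | 4, value) if blob is None else (len(blob), self.alloc(blob))  # dword inline
        hdr = struct.pack("<2sHIIIHH", b"vk", len(name), dsize, doff, dtype, 1, 0)
        return self.alloc(hdr + name.encode("latin-1"))
    def nk(self, name, subkeys=(), values=()):
        lst = vl = NONE
        if subkeys:                                           # "lf": (offset, 4-char hash)
            lst = self.alloc(struct.pack("<2sH", b"lf", len(subkeys)) + b"".join(
                struct.pack("<I", o) + n[:4].ljust(4, "\0").encode("latin-1") for n, o in subkeys))
        if values:
            vl = self.alloc(b"".join(struct.pack("<I", o) for o in values))
        fixed = struct.pack("<2sHQ" + "I" * 15 + "HH", b"nk", 0x20, 0, 0, NONE, len(subkeys), 0,
                            lst, NONE, len(values), vl, NONE, NONE, 0, 0, 0, 0, 0, len(name), 0)
        return self.alloc(fixed + name.encode("latin-1"))
    def image(self, root_off):
        size = (0x20 + len(self.cells) + 0xFFF) & ~0xFFF
        hdr = bytearray(b"regf".ljust(0x1000, b"\0"))
        struct.pack_into("<II", hdr, 0x24, root_off, size)    # root offset, hbin data size
        hbin = b"hbin" + struct.pack("<II", 0, size) + b"\0" * 0x14
        return bytes(hdr) + hbin + bytes(self.cells).ljust(size - 0x20, b"\0")


def build_sample_hive():
    """Constructed sample: SOFTWARE-style hive whose Run key holds two autostart values."""
    w = HiveWriter()
    run = w.nk("Run", values=[w.vk("SoundTray", REG_SZ, r"C:\Program Files\Sound\tray.exe"),
                              w.vk("Updater", REG_SZ, r"C:\WINDOWS\Temp\pest.exe")])
    cv = w.nk("CurrentVersion", [("Run", run)], [w.vk("CSDVersion", REG_DWORD, 0x200)])
    ms = w.nk("Microsoft", [("Windows", w.nk("Windows", [("CurrentVersion", cv)]))])
    return w.image(w.nk("$$$PROTO.HIV", [("Microsoft", ms)]))


def autostart_entries(image, key=r"Microsoft\Windows\CurrentVersion\Run"):
    """{value name: command} for the REG_SZ values under `key`; None if the key is absent."""
    h = Hive(image)
    off = h.find_key(key)
    if off is None:
        return None
    return {n: d.decode("utf-16-le").rstrip("\0") for n, (t, d) in h.values(off).items() if t == REG_SZ}
```

Pointed at a real SOFTWARE hive copied off the disk (Hive(open(path, "rb").read())), the same autostart_entries call lists the Run key; the root key's name varies per hive, so lookups start below it. The walker is read-only by design: the "remove it if it exists" half means rewriting the parent's value or subkey list, marking the cells free and keeping the hbin bookkeeping consistent, which is exactly the part offline tools get wrong, so the safer offline fix is to export what you found, boot, and delete it with the live API.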
prev sibling next sibling parent parabolis <parabolis softhome.net> writes:
Andrew Edwards wrote:

 In performing my part-time job (PC Service Technician) I'm often asked 
 to clean such things as malware, adware, spyware, key loggers, worms, 
 trojans, etc. The simplest recourse is to Wipe-and-Reload the system, 
 but no one, in their right mind, wants to inform a customer that they 
 stand to lose everything on their system. So I end up spending an 
 ungodly amount of time using tools such as SpywareEliminator, 
 HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc.: all of which 
 require you to install the program on the customer's machine, but none 
 of which is capable of identifying all offending programs or even 
 eradicating the ones that are found.
 
 At $50 per hour, there is no way on earth I can charge a customer for 
 the six to ten hours I spend cleaning their system. Often I charge 
 for two hours and swallow the rest.
 
 This said, I am seriously in need of a program that traverses the 
 registry and other system files (i.e. system.ini, win.ini, etc.) and 
 removes references to all "pests" and subsequently removes said programs 
 from the hard disk: all without booting up the system from the internal 
 drive. The thought is that I should be able to load a bootable floppy or CD 
 and remove all "pests" from the system prior to booting the PC to 
 install the necessary security provisions.
 
 My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) 
 accessible without booting from the internal hard disk?
 
 If so can someone provide a small "D" example of how to access the 
 registry, search for a given entry and remove it if it exists?
 
I think you may be barking up the wrong tree. (I will explain why in a moment.) In my opinion your time would be better spent solving a far simpler problem. Identify the important user data like Word documents and the like and yank those from a drive before wipe+restore. You do not even need to be very judicious in pruning files not to save.

It would be helpful in this process to automate discovery of the most used applications, which is possible in WinXP. In previous versions you can look at the last accessed time of all the executables in Program Files. Then find the file types associated with the applications that have been used in the past few months. Find the documents these types have been registered to work with. Then copy everything of those file types to another hard drive. Most of the D stuff that you will use you can find in the Phobos runtime library section under std.file or std.c.windows.

Now for the reasons trying to track down registry entries might be barking up the wrong tree. My opinion is that:

1) NAV and McAfee have some very smart people working for them and some of these very smart people are paid to apply their smarts full time to these problems. If they have not sufficiently solved the problem you are unlikely to do so using less resources. I am by no means suggesting you are not sufficiently smart. I am saying that you probably do not want to invest yourself in this area because you will never 'solve' the problem. Which leads us to the second reason registry searching may not be the way to go.

2) Most of the stuff you want to kill right now will be changing the way it works very soon. As you said the registry identification tools are prolific. As they become more effective and (more importantly) as people use them with greater frequency it will result in more stuff being found and eliminated. The people writing the software you want to remove will simply make it more difficult to find. Consider their position at the moment. For years now their crude methods have resulted in a quickly growing installed base. The growing installed base however quickly generates people who have to learn how to deal with the problem. However the population is limited and soon the crude software writers will see the growth of their installed base stall and possibly even shrink. The result will be they must either write slicker software or risk becoming extinct. The malware issue is very similar to the spam issue for this reason.
Aug 01 2004
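parabolis's three steps as an added example (Python, not code from the thread): find the executables under Program Files by last-access time, map the ones actually used to the document types registered to them, and copy only those documents to another location with a SHA-256 manifest so the rescued tree can be verified after the reload. The association table is a constructed stand-in for what you would read out of the SOFTWARE hive's Classes keys, the sample disk tree is built in a temp directory, and last-access times are set explicitly because on a real disk they are only a heuristic (NTFS last-access updates can be switched off, and a Linux mount may not maintain them). Executable types are excluded from the salvage list whatever the table says, so the stray pest.exe among the documents is never copied; documents with macros still are, so scan the rescue tree before restoring it.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

DAY = 86400
NEVER_SALVAGE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}   # never carry code across

# Constructed stand-in for the HKEY_CLASSES_ROOT lookup (.ext -> ProgID -> shell\open\command),
# keyed by lower-case executable name. On a real disk this comes from the SOFTWARE hive.
ASSOCIATIONS = {
    "winword.exe": {".doc", ".dot", ".rtf"},
    "photo.exe": {".jpg", ".jpeg", ".png"},
    "game.exe": {".gam"},
}


def recently_used_executables(program_files, days=90, now=None):
    """Executables under program_files with a last-access time inside `days`, newest first.
    Access times are a heuristic only: NTFS can have last-access updates disabled."""
    cutoff = (time.time() if now is None else now) - days * DAY
    hits = [p for p in Path(program_files).rglob("*.exe") if p.stat().st_atime >= cutoff]
    return sorted(hits, key=lambda p: p.stat().st_atime, reverse=True)


def wanted_extensions(executable_names, associations=ASSOCIATIONS):
    """Document extensions registered to the executables that were actually used,
    minus anything executable: code is reinstalled from media, never salvaged."""
    exts = set()
    for name in executable_names:
        exts.update(associations.get(name.lower(), ()))
    return {e.lower() for e in exts} - NEVER_SALVAGE


def salvage(source_root, dest_root, extensions):
    """Copy matching documents into dest_root keeping relative paths and timestamps,
    and write a sha256sum-style manifest next to them. Returns [(relpath, sha256)]."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    manifest = []
    for p in sorted(source_root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in extensions:
            continue
        target = dest_root / p.relative_to(source_root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)                 # copy2 keeps mtime/atime for a later timeline
        manifest.append((p.relative_to(source_root).as_posix(),
                         hashlib.sha256(target.read_bytes()).hexdigest()))
    (dest_root / "MANIFEST.sha256").write_text("".join("%s  %s\n" % (h, r) for r, h in manifest))
    return manifest


def build_sample_disk(root, now):
    """Constructed customer disk: two apps used recently, one not touched in a year,
    a documents tree, and a stray executable dropped among the documents."""
    files = {                                   # relative path -> last access time
        "Program Files/Office/winword.exe": now - 3 * DAY,
        "Program Files/Photo/photo.exe": now - 20 * DAY,
        "Program Files/OldGame/game.exe": now - 400 * DAY,
        "Documents/report.doc": now - 2 * DAY,
        "Documents/pics/holiday.jpg": now - 10 * DAY,
        "Documents/save.gam": now - DAY,
        "Documents/pest.exe": now - DAY,
    }
    for rel, atime in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(("contents of " + rel).encode())
        os.utime(p, (atime, atime))


def run_salvage_demo(days=90):
    """Build the sample disk in a temp dir, run the three steps, return a summary."""
    root = Path(tempfile.mkdtemp())
    try:
        now = time.time()
        build_sample_disk(root, now)
        exes = [p.name for p in recently_used_executables(root / "Program Files", days, now)]
        exts = wanted_extensions(exes)
        manifest = salvage(root / "Documents", root / "rescue", exts)
        listed = (root / "rescue" / "MANIFEST.sha256").read_text().count("\n")
        return {"executables": exes, "extensions": exts,
                "saved": [r for r, _ in manifest], "manifest_lines": listed}
    finally:
        shutil.rmtree(root)
```

On a real job the three calls run against the mounted customer disk, with the association table filled from the Classes keys instead of the constructed dict; the manifest is what you check against after the reload, with sha256sum -c or by recomputing the hashes, before handing the machine back.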
prev sibling parent reply Arcane Jill <Arcane_member pathlink.com> writes:
In article <ceirjp$233v$1 digitaldaemon.com>, Andrew Edwards says...
but no one, in their right mind, wants to inform a customer that they 
stand to lose everything on their system.
If I were a customer, I would want to be told /the truth/. If the truth was that I stood to lose everything on my system, I would want to be told that.

Just out of curiosity, are there any customers on this NG who would prefer to be told a lie, if it were more palatable than the truth?

Jill

(PS. I speak out of genuine ignorance here, not being a company or anything).
Aug 01 2004
next sibling parent reply Andrew Edwards <ridimz_at yahoo.dot.com> writes:
Arcane Jill wrote:

 In article <ceirjp$233v$1 digitaldaemon.com>, Andrew Edwards says...
 
but no one, in their right mind, wants to inform a customer that they 
stand to lose everything on their system.
 If I were a customer, I would want to be told /the truth/. If the truth was that I stood to lose everything on my system, I would want to be told that. Just out of curiosity, are there any customers on this NG who would prefer to be told a lie, if it were more palatable than the truth?
I'm by no means suggesting that I _LIE_ to my customers. Rather, I am saying a vast majority of my customers would prefer a route that does not require them to sit down and re-install and re-configure the software after I've wiped+reloaded the OS. I do not want to be the one to tell them they have no other choice. Obviously this would be the easy way out for _me_. But I do not pride myself on taking the easy route and hanging my customers out to dry.

Andrew
 Jill
 
 (PS. I speak out of genuine ignorance here, not being a company or anything).
 
 
 
Aug 01 2004
parent Sean Kelly <sean f4.ca> writes:
Andrew Edwards wrote:
 
 I'm by no means suggesting that I _LIE_ to my customers. Rather, I am 
 saying a vast majority of my customers would prefer a route that does 
 not require them to sit down and re-install and re-configure the 
 software after I've wiped+reloaded the OS. I do not want to be the one 
 to tell them they have no other choice. Obviously this would be the easy 
 way out for _me_ but. But I do not pride myself in taking the easy route 
 and hang my customers out to dry.
As a point of interest, Microsoft has effectively deprecated the registry with the next version of Windows and is going back to initialization files. The registry is one instance where I think customers should be told the truth, as it's a cause for all sorts of problems everyday users just don't understand. Doesn't mean you have to say "it's not my fault if I kill your computer," but they might learn something from a bit of background.

Sean
Aug 01 2004
prev sibling parent "Walter" <newshound digitalmars.com> writes:
"Arcane Jill" <Arcane_member pathlink.com> wrote in message
news:cej1bi$25qj$1 digitaldaemon.com...
 Just out of curiousity, are there any customers on this NG who would
prefer to
 be told a lie, if it were more palatable than the truth?
Sure. "Am I good looking?"
Aug 01 2004