• Andrew Edwards (26/26) Aug 01 2004 In performing my part-time job (PC Service Technician) I'm often asked
• Stephan Wienczny (8/39) Aug 01 2004 Here are my thoughts about that:
• Sean Kelly (4/10) Aug 01 2004 ... and where it's stored. The registry stinks. I've never seen a tool...
• parabolis (4/19) Aug 01 2004 http://www.cs.mun.ca/~michael/regutils/doc/regedit.html
• parabolis (44/73) Aug 01 2004 I think you may be barking up the wrong tree. (I will explain
• Arcane Jill (7/9) Aug 01 2004 If I were a customer, I would want to be told /the truth/. If the truth ...
• Andrew Edwards (9/26) Aug 01 2004 I'm by no means suggesting that I _LIE_ to my customers. Rather, I am
• Sean Kelly (9/17) Aug 01 2004 As a point of interest, Microsoft has effectively deprecated the
• Walter (4/6) Aug 01 2004 prefer to

Andrew Edwards <ridimz_at yahoo.dot.com> writes:

In performing my part-time job (PC Service Technician) I'm often asked 
to clean such thing as malware, adware, spyware, key loggers, worms, 
trojans, etc... The simplest recourse is to Wipe-and-Reload the system, 
but no one, in their right mind, wants to inform a customer that they 
stand to lose everything on their system. So I end up spending an 
ungodly amount of time using tools such as SpywareEliminator, 
HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc...: all of which 
require you to install the program on the customer's machine, but none 
of which is capable of identifying all offending programs or even 
eradicating the ones that are found.

At $50 per hour, there is no way on earth I can charge a customer for 
the six to ten hours I spend cleaning their system. Often time I charge 
for two hours and swallow the rest.

This said I am seriously in need of a program that traverses the 
registry and other system files (ie system.ini, win.ini, etc...) and 
remove references to all "pests" and subsequently remove said program 
from the hard disk: All without booting up the system from the internal 
drive. The thought is that I should be to load a bootable floppy or cd 
and remove all "pests" from the system prior to booting the pc to 
install the necessary security provisions.

My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) 
accessible without booting from the internal hard disk?

If so can someone provide a small "D" example of how to access the 
registry, search for a given entry and remove it if it exists?

TIA
Andrew

Stephan Wienczny <Stephan Wienczny.de> writes:

Andrew Edwards wrote:
 In performing my part-time job (PC Service Technician) I'm often asked 
 to clean such thing as malware, adware, spyware, key loggers, worms, 
 trojans, etc... The simplest recourse is to Wipe-and-Reload the system, 
 but no one, in their right mind, wants to inform a customer that they 
 stand to lose everything on their system. So I end up spending an 
 ungodly amount of time using tools such as SpywareEliminator, 
 HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc...: all of which 
 require you to install the program on the customer's machine, but none 
 of which is capable of identifying all offending programs or even 
 eradicating the ones that are found.
 
 At $50 per hour, there is no way on earth I can charge a customer for 
 the six to ten hours I spend cleaning their system. Often time I charge 
 for two hours and swallow the rest.
 
 This said I am seriously in need of a program that traverses the 
 registry and other system files (ie system.ini, win.ini, etc...) and 
 remove references to all "pests" and subsequently remove said program 
 from the hard disk: All without booting up the system from the internal 
 drive. The thought is that I should be to load a bootable floppy or cd 
 and remove all "pests" from the system prior to booting the pc to 
 install the necessary security provisions.
 
 My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) 
 accessible without booting from the internal hard disk?
 
 If so can someone provide a small "D" example of how to access the 
 registry, search for a given entry and remove it if it exists?
 
 TIA
 Andrew

Here are my thoughts about that:

On Win2K and WinXP you will have to access NTFS file systems. You should 
use linux with captive ntfs to access it.
It should be possible to access the registry form such an offline 
system. I've seen an bootable cd that can change xp passwords. The 
registry should not be a problem, if you know its binary layout....

Stephan

Sean Kelly <sean f4.ca> writes:

Stephan Wienczny wrote:
 
 On Win2K and WinXP you will have to access NTFS file systems. You should 
 use linux with captive ntfs to access it.
 It should be possible to access the registry form such an offline 
 system. I've seen an bootable cd that can change xp passwords. The 
 registry should not be a problem, if you know its binary layout....

... and where it's stored.  The registry stinks.  I've never seen a tool 
that can actually manipulate it offline.


Sean

parabolis <parabolis softhome.net> writes:

Sean Kelly wrote:

 Stephan Wienczny wrote:
 
 On Win2K and WinXP you will have to access NTFS file systems. You 
 should use linux with captive ntfs to access it.
 It should be possible to access the registry form such an offline 
 system. I've seen an bootable cd that can change xp passwords. The 
 registry should not be a problem, if you know its binary layout....

 
 
 .... and where it's stored.  The registry stinks.  I've never seen a 
 tool that can actually manipulate it offline.
 
 
 Sean

http://www.cs.mun.ca/~michael/regutils/doc/regedit.html

This link gives a synopsis for a tool that looks like it makes 
that claim it can do that.

parabolis <parabolis softhome.net> writes:

Andrew Edwards wrote:

 In performing my part-time job (PC Service Technician) I'm often asked 
 to clean such thing as malware, adware, spyware, key loggers, worms, 
 trojans, etc... The simplest recourse is to Wipe-and-Reload the system, 
 but no one, in their right mind, wants to inform a customer that they 
 stand to lose everything on their system. So I end up spending an 
 ungodly amount of time using tools such as SpywareEliminator, 
 HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc...: all of which 
 require you to install the program on the customer's machine, but none 
 of which is capable of identifying all offending programs or even 
 eradicating the ones that are found.
 
 At $50 per hour, there is no way on earth I can charge a customer for 
 the six to ten hours I spend cleaning their system. Often time I charge 
 for two hours and swallow the rest.
 
 This said I am seriously in need of a program that traverses the 
 registry and other system files (ie system.ini, win.ini, etc...) and 
 remove references to all "pests" and subsequently remove said program 
 from the hard disk: All without booting up the system from the internal 
 drive. The thought is that I should be to load a bootable floppy or cd 
 and remove all "pests" from the system prior to booting the pc to 
 install the necessary security provisions.
 
 My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) 
 accessible without booting from the internal hard disk?
 
 If so can someone provide a small "D" example of how to access the 
 registry, search for a given entry and remove it if it exists?
 

I think you may be barking up the wrong tree. (I will explain 
why in a moment). In my opinion your time would be better spent 
solving a far simpler problem. Identify the important user data 
like Word documents and the like and yank those from a drive 
before wipe+restore. You do not even need to be very judicous in 
pruning files not to save.

It would be helpful in this process to automate discovery of the 
most used applications which is possible in WinXP. In prev. 
version you can look at the last accessed time of all the 
executables in Program Files. Then find the file types 
associated with the applications that have been used in the past 
few months. Find the documents these types have been registered 
to work with. Then copy everything of those those file types to 
another hard drive. Most of the D stuff that you will use you 
can find in the Phobos runtime library section under std.file or 
std.c.windows.

Now for the reasons trying to track down registry entries is 
might be barking up the wrong tree. My opinion is that:

1) NAV and McAfee have some very smart people working for them 
and some of these very smart people are paid to apply their 
smarts full time to these problems. If they have not 
sufficiently solved the problem you are unlikely to do so using 
less resources. I am by no means suggesting you are not 
sufficiently smart. I am saying that you probably do not want to 
invest yourself in this area because you will never 'solve' the 
problem. Which leads us to the second reason registry searching 
may not be the way to go.

2) Most of the stuff you want to kill right now will be changing 
the way it works very soon. As you said the registry 
identification tools are prolific.  As they become more 
effective and (more importantly) as people use them with greater 
frequency it will result in more stuff being found and 
eliminated. The people writing the software you want to remove 
will simply make it more difficult to find. Consider their 
position at the moment. For years now their crude methods have 
resulted in a quickly growing installed base. The growing 
installed base however quickly generates people who have to 
learn how to deal with the problem. However the population is 
limited and soon the crude software writers will see the growth 
of their installed base stall and possibly even shrink. The 
result will be they must either write slicker software or risk 
becoming extinct. The malware issue is very similar to the spam 
issue for this reason.

Arcane Jill <Arcane_member pathlink.com> writes:

In article <ceirjp$233v$1 digitaldaemon.com>, Andrew Edwards says...
but no one, in their right mind, wants to inform a customer that they 
stand to lose everything on their system.

If I were a customer, I would want to be told /the truth/. If the truth was that
I stood to lose everything on my system, I would want to be told that.

Just out of curiousity, are there any customers on this NG who would prefer to
be told a lie, if it were more palatable than the truth?

Jill

(PS. I speak out of genuine ignorance here, not being a company or anything).

Andrew Edwards <ridimz_at yahoo.dot.com> writes:

Arcane Jill wrote:

 In article <ceirjp$233v$1 digitaldaemon.com>, Andrew Edwards says...
 
but no one, in their right mind, wants to inform a customer that they 
stand to lose everything on their system.

 
 
 If I were a customer, I would want to be told /the truth/. If the truth was
that
 I stood to lose everything on my system, I would want to be told that.
 
 Just out of curiousity, are there any customers on this NG who would prefer to
 be told a lie, if it were more palatable than the truth?

I'm by no means suggesting that I _LIE_ to my customers. Rather, I am 
saying a vast majority of my customers would prefer a route that does 
not require them to sit down and re-install and re-configure the 
software after I've wiped+reloaded the OS. I do not want to be the one 
to tell them they have no other choice. Obviously this would be the easy 
way out for _me_ but. But I do not pride myself in taking the easy route 
and hang my customers out to dry.

Andrew

 Jill
 
 (PS. I speak out of genuine ignorance here, not being a company or anything).
 
 
 

Sean Kelly <sean f4.ca> writes:

Andrew Edwards wrote:
 
 I'm by no means suggesting that I _LIE_ to my customers. Rather, I am 
 saying a vast majority of my customers would prefer a route that does 
 not require them to sit down and re-install and re-configure the 
 software after I've wiped+reloaded the OS. I do not want to be the one 
 to tell them they have no other choice. Obviously this would be the easy 
 way out for _me_ but. But I do not pride myself in taking the easy route 
 and hang my customers out to dry.

As a point of interest, Microsoft has effectively deprecated the 
registry with the next version of Windows and is going back to 
initialization files.  The registry is one instance where I think 
customers should be told the truth, as it's a cause for all sorts of 
problems everyday users just don't understand.  Doesn't mean you have to 
say "it's not my fault if I kill your computer," but they might learn 
something from a bit of background.


Sean

"Walter" <newshound digitalmars.com> writes:

"Arcane Jill" <Arcane_member pathlink.com> wrote in message
news:cej1bi$25qj$1 digitaldaemon.com...
 Just out of curiousity, are there any customers on this NG who would

prefer to
 be told a lie, if it were more palatable than the truth?

Sure. "Am I good looking?"