Hmm, I've no faith that regedit will report a permissions problem as
such and not as a generic error.
I noted that you said in your first post that you also tried to
rename/delete the parent tree but you get an error when it gets to the
Run key.
Did you use the Advanced button at the level:
In order to take Ownership, and apply to the children, so that you
certainly have privileges?
Have you tried to remove the key this way:
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
Have you tried it as SYSTEM by closing all copies of regedit and doing
this from the console session (in case you're using RDP):
at 9:00AM /interactive c:\windows\regedit.exe
to get a copy of regedit.exe running as the SYSTEM account?
Beyond that, um, no, I've never heard of a 3rd party tool that can edit
the registry file directly. If you boot from an install CD, you can
choose the first Repair option to repair the various hives, but whether
that does a check and correct to really fix a corrupt file, I don't
know.
Andrew 8)
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Andy Schmidt
Sent: Monday, December 18, 2006 9:48 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] WAY OT: Registry Repair
Yes, if it was that easy. Initially I had also figured it was
"just" a permission problem.
Eventually, I looked closer and realized that I never do get any
message that seems to imply permission problems - the message is always
that the key cannot be opened.
Even trying to acess the Permissions gives me the open error -
NO chance to perform any permission functions.
When I access the permissions of the parent key and try to reset
the child permissions (or just Child ownership) - I get an error when
indicating that it can't do so for "Run".
----- Original Message -----
From: Colbeck, Andrew <mailto:[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, December 18, 2006 06:33 PM
Subject: RE: [Declude.JunkMail] WAY OT: Registry Repair
Andy, five will get you ten that it is the permissions
that are mangled, not the key itself.
Run RegEdit.exe and right-click on the Run key, then
choose "Permissions".
Go into the "Advanced" button and choose to "Inherit
from parent..." and the permissions should get fixed up.
You should see:
Allow Users (local machine name) Read
Allow Power Users (local machine name) Special
Allow Administrators (local machine name) Full
Control
Allow SYSTEM Full
Control
Allow CREATOR OWNER Full
Control
Aside from administrative error, the only times I've
seen the permissions modified on this part of the registry is if the bad
guys are trying to retain control of a 'bot.
Andrew 8)
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Monday, December 18, 2006 3:01 PM
To: [email protected]
Subject: [Declude.JunkMail] WAY OT: Registry
Repair
Hi,
noticed today that
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
no longer opens (while logged on as the
workstation's admin). I can export the parent key - which will contain
everything EXCEPT the "run" key. But, then I can neither delete or
rename the "run" key. Renaming/deleting the parent will appear to work
at first - until it reaches the Run "subkey" - then it will again report
that it cannot access that key.
So - I am suspecting that the Run key is
corrupt. It can't be read, edited, deleted or renamed. I looked at some
"registry repair" tools, but they all seem to be Registry Optimizing
tools in disguise that fix logical "problems" in the registry
(registries with too much or supposedly bad information).
Does anyone know of a tool (for XP) that will
allow me to eliminate this bad key from the registry "index" somehow so
that I can just reimport the rest of the parent key?
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
---
This E-mail came from the Declude.JunkMail
mailing list. To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The
archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list.
To
unsubscribe, just send an E-mail to
[EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be
found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
